Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2025, 06:22

General

  • Target

    JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe

  • Size

    386KB

  • MD5

    6f3a1bb3557ceeb742aa2eb9f2ff50cf

  • SHA1

    a8364da56da9b5c6419328fec3f374d2bae90afd

  • SHA256

    a8d57ed8359931e4d1c3dc91dba2988ba5ad33003a53af5a115ef943495611f8

  • SHA512

    2f0b7d21f11ea1c17c743f151773ec08ebe14342e7ebedc03fb5eb4e2cc7f273478c6ca258eb11a0b87f7e78ee3b4a97ada3fef641e0be598db7459874154db1

  • SSDEEP

    6144:HqA+u7ZvtKT/9VRBVoSzHRkEMvJJqCh10G4ZKF+FFLsUdF+Nx46fz/LNPkARHM9:H/7Z29BuE2Tf4DAUdFwfz/R/M9

Malware Config

Signatures

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 64 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\~240629437.tmp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3524
    • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe
      C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.tmp
        /par="JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Boot or Logon Autostart Execution: Print Processors
        • Drops startup file
        • Executes dropped EXE
        • Indicator Removal: Clear Windows Event Logs
        • Drops desktop.ini file(s)
        • Drops file in System32 directory
        • Modifies termsrv.dll
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

    Filesize

    279KB

    MD5

    7efcf0111eb7a22aec8410d6a427b328

    SHA1

    d6828e7c4fb2789da55899e69c6197eaf4017b88

    SHA256

    7a83319f41c626818556e406b5b664aa4c102cb851269e9becbe3041bde4368a

    SHA512

    c1526e7bfe3c9f5d9ea9ab0f18d555e01f107ec56123ab83b8677ac24da57e206fb02a0148d2ae08ceba6ec4c10f42a46b0093e2324c0d723f09ec1fd4f43d97

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

    Filesize

    1.7MB

    MD5

    c606bd7c9c733dd27f74157c34e51742

    SHA1

    aab92689723449fbc3e123fb614dd536a74b74d4

    SHA256

    606390649012b31b5d83630f1186562e4b1ce4023d8870d8c29eb62e7e0769e0

    SHA512

    5f8fabe3d9753413d1aedcc76b9568c50dd25a5a6aeacd1ce88aecc28c0ba96dac80177679d380708213a0997946e49383bdaca7114c8c9526a24ed999194e38

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll

    Filesize

    613KB

    MD5

    c1b066f9e3e2f3a6785161a8c7e0346a

    SHA1

    8b3b943e79c40bc81fdac1e038a276d034bbe812

    SHA256

    99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

    SHA512

    36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll

    Filesize

    83KB

    MD5

    1453290db80241683288f33e6dd5e80e

    SHA1

    29fb9af50458df43ef40bfc8f0f516d0c0a106fd

    SHA256

    2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

    SHA512

    4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

  • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp.exe

    Filesize

    11KB

    MD5

    08232702cba0391d0ff4efec9961ba5a

    SHA1

    a93205772634d2a694312539ed03da1a9c1ef67f

    SHA256

    4ba4fbdb03ae978017fd045c5914474100ba64cc8bf78f7330f12e8700a2f7a2

    SHA512

    705ab1a08532d23913f83575ca32ad32f3f287ffcd20bfb60591d06f8615d16b272a382d9eb698674b7e5485b0585469a7637ca9ba770846785fc0c5669379af

  • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.exe

    Filesize

    373KB

    MD5

    21f5e1443bf900fd32c1c98f9bd2b018

    SHA1

    8a16a9b5e3260d0f5ef5a28095ee4d22ac3b4b68

    SHA256

    42f97865b52bd4e2f220c0afde349d260820193f6d6ac69f4e6bf5f02c1d151d

    SHA512

    a2a5147254d8dee86ccb92e74d644cbc4f8c3df0e2dac09a6595c320ad293aa739eea4316a7ff989515007c5a90470d6b96d9f72b7c410a94c7a2ed203e72230

  • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.log

    Filesize

    4KB

    MD5

    50da11769e89583cea9204d3ce81d758

    SHA1

    52e2698d456f80eba1eee1e08a60b1c3204d3105

    SHA256

    46069175ea8a4019290cbee900798eb5f6d452208b08ca006abf0054efb23610

    SHA512

    bf0549701b732ea44d862c905202e3b5e323178932558a0e79ce33eaa79a35eb1cb4eb0959d61fc1dd66520acbc93faa6865d2d9758549808ed2519abe1ac38c

  • C:\Users\Admin\AppData\Local\Temp\~240629437.tmp\JaffaCakes118_6f3a1bb3557ceeb742aa2eb9f2ff50cf.tmp

    Filesize

    609KB

    MD5

    f1f3732b78644e991abc3b92e7479655

    SHA1

    c814aa151228aba0f17222d84b39035bc9ec0ab3

    SHA256

    82d81088d513b9748c502905eafbbc311d01c5be6b7d223aaa274005f7aea98b

    SHA512

    7672083bcf3854bd53dafdcc409fc34a6c29e11c29c0c280a889a61e5600715dd71a286ae6d9e4964a7a254c127d87567b9bb91b757b022716c57203b002d0dd

  • memory/1204-11-0x0000000000400000-0x000000000054D000-memory.dmp

    Filesize

    1.3MB

  • memory/1204-0-0x0000000000400000-0x000000000054D000-memory.dmp

    Filesize

    1.3MB

  • memory/2280-28-0x0000000000400000-0x000000000054D000-memory.dmp

    Filesize

    1.3MB

  • memory/2280-13-0x0000000000400000-0x000000000054D000-memory.dmp

    Filesize

    1.3MB

  • memory/3524-4-0x0000000013140000-0x0000000013149000-memory.dmp

    Filesize

    36KB

  • memory/3524-7-0x0000000013140000-0x0000000013149000-memory.dmp

    Filesize

    36KB