Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28/03/2025, 13:02

General

  • Target

    JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe

  • Size

    78KB

  • MD5

    8aafd50aac3e9730d337421060bbd201

  • SHA1

    aaab5812392d7e620736211d47c02ca0793a3e3f

  • SHA256

    268fc2013b2620acbfa8a726b3b78ff584bf7b067e7bbe15ccc85e671a6745e9

  • SHA512

    83c1bf5cacc7059bb2b7ad44d041e1cf1e3afeda6487a5c4a967229780fc54573fed17dc1ff413ed86f372d31c59a76696aa79df3ec78749b0405676ec9d80cd

  • SSDEEP

    1536:26mrbxxuzuCTChMLJUK3bRPr1mb0KdeWbdTTo:2vbLQ5kgUGbRDsmGdTTo

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 46 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8aafd50aac3e9730d337421060bbd201.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\ZJS\CJS.vbe" 0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3588
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Windows\CHO\VIFXSXFHEV.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c regedit.exe /s C:\Windows\reg.reg
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Windows\reg.reg
        3⤵
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1960
    • C:\Windows\F\smss.exe
      C:\Windows\F\smss.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1648
    • C:\Windows\F\smss.exe
      C:\Windows\F\smss.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\CHO\VIFXSXFHEV.dll

    Filesize

    3.2MB

    MD5

    d0ec02e209177721338a56ae287dd4fa

    SHA1

    e530343fd2686bd1556b4f91a566d9e2cb9beb28

    SHA256

    dbb9afefe97ea701c7438b96c484fcab79fb0c74774b2dfeabd5b4077d6974df

    SHA512

    d098dc406c6d5a299de344bff1a29782353a9a4f264cb2c005084f709f7413d4c39234216beec8a7528fbe55dac4b57e02d928c09e7f7f57d190fb0bf59d3d52

  • C:\Windows\F\smss.exe

    Filesize

    7.8MB

    MD5

    aff51071ca47e3610e398345d92dc0d6

    SHA1

    3ff3eff1c495930611d27383aa573a6eb551a0cb

    SHA256

    17535669337f7ce33c8bf4fa7bba206e03ec81c5f96efe275c72ce2c7dcb99d6

    SHA512

    ce5f5403228f0d863497a65195ccc18b009c4630b1fa23e011c5702747a51b357da1e286384ecfd89e4e86318d168bc001b06000d36e7b8bd48d8402d53f0c02

  • C:\Windows\Survival_0.txt

    Filesize

    3B

    MD5

    a5ea0ad9260b1550a14cc58d2c39b03d

    SHA1

    f0aedf295071ed34ab8c6a7692223d22b6a19841

    SHA256

    f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

    SHA512

    7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

  • C:\Windows\ZJS\CJS.vbe

    Filesize

    1.4MB

    MD5

    d5def5a3bf2c5852124a7ad61c1bb570

    SHA1

    f116aef31e3f71b50c92165fd3c8d67db14c840c

    SHA256

    20f75b6128f0b69cb17e90535881c7312f1c86646e11543aeb8683ee02dfda0f

    SHA512

    f94eeed41ad1ce2e9abc688962e9a2c0226669cc1d2827f2ad28002f57b9911de4dbefae1a458a00662369cb5f9445841988b303fc2efc994169df59de02bf20

  • C:\Windows\reg.reg

    Filesize

    185B

    MD5

    d786c602ee4d1c98f13347b1421563da

    SHA1

    31726c39ffe4da9ebaf71cd1033ed88909006697

    SHA256

    62b603de263f2f1a0cde4c17ede80e935aff6ef0df2f03d90aee896f497ff616

    SHA512

    61a218d9bf1d6dd3e137fa048a5b343ebffd82eef93cff7852f9e47dc05d3cf50fb04834e97329135244af6e1975d7b6df57d9797a99bf210813f7ff7c2acb4e

  • C:\Windows\userid.txt

    Filesize

    5B

    MD5

    3719bc4d13977453b5d8c9d8f1e7462a

    SHA1

    c24505bcdb2b09980198730cd4791acad1796dcc

    SHA256

    197a4e2a0db3b79c8240827c9ea2ed1476c8a5ad7e22c02c832ba3a0a8bff9a1

    SHA512

    9bebfe9c377389f34afd15c2f4e2b027edfec3ec4883f0df09c8a0e4d22dbb9692eb8b4264c89165bc336c458e5488a7cd743bd5f99ae5d4b71a8b3c2805f1a5

  • memory/4256-0-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

  • memory/4256-57-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB