Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/04/2025, 16:59
Static task
- static1
Behavioral tasks
- behavioral1: JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe (resource win10v2004-20250314-en)
- behavioral2: $PLUGINSDIR/NSISdl.dll (resource win10v2004-20250314-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win10v2004-20250314-en)
- behavioral4: $PROGRAMFILES/$0/Uninstall.exe (resource win10v2004-20250314-en)
- behavioral5: cmtowgosvx.exe (resource win10v2004-20250313-en)
- behavioral6: imex.bat (resource win10v2004-20250313-en)
General
- Target: JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
- Size: 158KB
- MD5: 9a5e537d9eea6f0e26eedc68fa240ec4
- SHA1: 892cc8474e42eaf3094d11e8f302ed7cdb5162ad
- SHA256: d11d6f31d9a4924d3343cbea0d4a6bdb6d75ba51b5da7bd26e08faa43fa9fce1
- SHA512: 2edc80de6b3cb310c8bdacb2f7b484ea40df8f0c0d5b747da2cab7aee0fc7a5647eb702c02cc257dc6a8f908f06c84ad81161dd594abf5dc375b043a39192856
- SSDEEP: 3072:kRnLy8MWmJoOqteZmhVa32ippS3XrGY0OSSuP6mX7vv/ohiLlu9JR8:kp7OqvV+2ippSHrG7jt6CH/ohD6
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1092  cmtowgosvx.exe
- Loads dropped DLL (3 IoCs)
  pid 5292  JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe (three DLL loads recorded for this process)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (4 IoCs)
  File created  C:\Program Files (x86)\MediaAccumulativeCodec\install.ico  by JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
  File created  C:\Program Files (x86)\MediaAccumulativeCodec\cmtowgosvx.exe  by JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
  File created  C:\Program Files (x86)\MediaAccumulativeCodec\imex.bat  by JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
  File created  C:\Program Files (x86)\MediaAccumulativeCodec\MediaAccumulativeCodec.ocx  by JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmtowgosvx.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5292 (JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe) wrote to memory of PID 5804 (cmd.exe), procid_target 95, recorded three times
  PID 5804 (cmd.exe) wrote to memory of PID 1092 (cmtowgosvx.exe), procid_target 97, recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe (PID 5292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5804, child of 5292; the system32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection)
    Command line: C:\Windows\system32\cmd.exe /c imex.bat /s
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe (PID 1092, child of 5804)
      Command line: C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
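The chain in the process tree above (installer writes files into Program Files, spawns cmd.exe /c imex.bat, and the batch step launches cmtowgosvx.exe) is worth turning into a detection. The following is an added example and is not part of the sandbox report: it reconstructs the tree from constructed process-creation and file-creation records that mirror the report's PIDs, paths and command lines (the record layout with pid/ppid/image/cmdline fields is an assumption, not the sandbox's export format), and flags a child launched from a cmd.exe /c <batch> step whose batch file and executable names both appear in the grandparent's file drops. Names are compared by basename because the report shows cmtowgosvx.exe written to Program Files but executed from Temp.

```python
"""Added example: rebuild a process tree and flag installer -> cmd.exe /c <bat> -> dropped EXE.

The event records below are constructed to mirror the report; field names are assumed.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str
    children: list["Proc"] = field(default_factory=list)


# Constructed process-creation records mirroring the report's process tree.
EVENTS = [
    {"pid": 5292, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9a5e537d9eea6f0e26eedc68fa240ec4.exe"'},
    {"pid": 5804, "ppid": 5292,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c imex.bat /s"},
    {"pid": 1092, "ppid": 5804,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\cmtowgosvx.exe"},
]

# Constructed file-creation records mirroring the "Drops file in Program Files directory" IoCs.
FILE_DROPS = [
    (5292, r"C:\Program Files (x86)\MediaAccumulativeCodec\install.ico"),
    (5292, r"C:\Program Files (x86)\MediaAccumulativeCodec\cmtowgosvx.exe"),
    (5292, r"C:\Program Files (x86)\MediaAccumulativeCodec\imex.bat"),
    (5292, r"C:\Program Files (x86)\MediaAccumulativeCodec\MediaAccumulativeCodec.ocx"),
]

# Matches the script name after "cmd.exe /c", with or without quotes.
BAT_RE = re.compile(r'/c\s+"?([^\s"]+\.(?:bat|cmd))"?', re.I)


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host platform.
    return ntpath.basename(path).lower()


def build_tree(events):
    """Return (pid -> Proc, list of root Procs) linked by ppid."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        (parent.children if parent else roots).append(p)
    return procs, roots


def render_tree(roots, depth=0):
    """Indented one-line-per-process rendering, like the report's Processes section."""
    lines = []
    for p in roots:
        lines.append("  " * depth + f"{basename(p.image)} (pid {p.pid}): {p.cmdline}")
        lines.extend(render_tree(p.children, depth + 1))
    return lines


def find_dropped_exec_chains(procs, file_drops):
    """Flag grandchild processes of a file-dropping parent that were started via cmd.exe /c <bat>.

    Both the batch script and the grandchild's image must be names the grandparent dropped.
    Matching is by basename only: here the drop went to Program Files but the run came from Temp.
    """
    drops_by_pid: dict[int, set[str]] = {}
    for pid, path in file_drops:
        drops_by_pid.setdefault(pid, set()).add(basename(path))

    hits = []
    for child in procs.values():
        shell = procs.get(child.ppid)
        if shell is None or basename(shell.image) != "cmd.exe":
            continue
        installer = procs.get(shell.ppid)
        m = BAT_RE.search(shell.cmdline)
        if installer is None or m is None:
            continue
        dropped = drops_by_pid.get(installer.pid, set())
        bat, exe = basename(m.group(1)), basename(child.image)
        if bat in dropped and exe in dropped:
            hits.append({
                "installer": installer.pid, "shell": shell.pid, "child": child.pid,
                "bat": bat, "exe": exe,
                # Execution out of a user-writable Temp directory is the extra signal here.
                "from_temp": "\\appdata\\local\\temp\\" in child.image.lower(),
            })
    return hits


if __name__ == "__main__":
    procs, roots = build_tree(EVENTS)
    print("\n".join(render_tree(roots)))
    for hit in find_dropped_exec_chains(procs, FILE_DROPS):
        print("ALERT dropped-file execution chain:", hit)
```

The rule deliberately keys on the grandparent's file drops rather than on fixed names such as imex.bat, so it also fires on the same installer pattern with different file names; loosen the basename match to a full-path match if your telemetry records the executed file's origin.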
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148KB
  MD5: a629b217630fbf5212b8fb8dbc387a81
  SHA1: b65e9b0e2d2de421d112e2ef7a56b720f3d4caab
  SHA256: 01b736b2f0dd653d7103e68e7d9c1dbb34778ac0a71754c24f9f6094fc4d5558
  SHA512: 28a53d8ea9c31627e474f77d71d4561136f11e8de233012f6557a6ed80dae4b0aabbf1a7d5fd9ac93b44c62aec1b0cd1e759d668b7d8f5f88f8e12ee13acf0a6
- Filesize: 100B
  MD5: 662f48a1d7bbabb99de8b51e2465c9b8
  SHA1: fe31c2868143478f539fba398de93dfe93d2e82a
  SHA256: 28f86e44da62a09ce91f8adec29263a667a50a2520a9134c09f669a6c2ef84c2
  SHA512: a1b2b8ea9dc6f0a262f81cc80f52b2d2066ae9443c89759c8c1792020d933974e887ba343d861fd214170cd3227290c5da8ccad873e899ee5ca209b997fdbaff
- Filesize: 14KB
  MD5: a5b84d250794433db5a2d26f34699dd9
  SHA1: bc06abccf6a4783973ec11b6766b43b4a265820c
  SHA256: 96f3357a024c549d7cb9e6447b1a56a2a8029b4f12e6e597428e68620761c5e0
  SHA512: 121d67f85a24096799ed913dccb64ef65d9479f98a6d88c2a0e05f05a65f460d557c5fdfe2c42a0a61b9cbaedd9b7031978111a2713250a89848ab4f3bb4ce84
- Filesize: 10KB
  MD5: 7d85b1f619a3023cc693a88f040826d2
  SHA1: 09f5d32f8143e7e0d9270430708db1b9fc8871a8
  SHA256: dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18
  SHA512: 5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85