Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
29/03/2024, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html
Resource
win10v2004-20240226-en
General
-
Target
2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html
-
Size
229KB
-
MD5
2e5b64eab6f3ea2711a18b9372ba8ed0
-
SHA1
5cab88df69e5a1ccdc0e2350898b985f83028d48
-
SHA256
e2a220bfe7e4205322153fba59d83623cf637092aed6a7ff051fb2f255095004
-
SHA512
97b8508fa2ece4f6d33b97b4bafe86cb3569fd3192844a4adb201eefe2d48a1becab4f8f66ca0fa9d4a195d3875ee2584c4a637ce64fff4834e645c5b3afa60b
-
SSDEEP
3072:Sfzc3cYB4GrhB9CyHxX7Be7iAvtLPbAwuBNKifXTJW:Syz9VxLY7iAVLTBQJlW
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs — the executed binary is svchost.exe launched from the user's %TEMP% directory (C:\Users\Admin\AppData\Local\Temp\svchost.exe, see process tree), not the legitimate service host in System32; treat the name as a masquerade and match on full path, not image name.
pid Process 896 svchost.exe -
Loads dropped DLL 2 IoCs — the IE content process (PID 2940) loaded a DLL written during the run; the DLL's path is not listed in this section of the report.
pid Process 2940 IEXPLORE.EXE 2940 IEXPLORE.EXE -
UPX yara rule matched (4 IoCs) — the dropped file and three memory dumps of the dropped svchost.exe (PID 896) image at 0x00400000-0x0045B000, i.e. the payload is UPX-packed; unpack before static analysis and do not rely on file hashes of the packed form alone. resource yara_rule behavioral1/files/0x00060000000194eb-502.dat upx behavioral1/memory/896-511-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral1/memory/896-513-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral1/memory/896-517-0x0000000000400000-0x000000000045B000-memory.dmp upx -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417913017" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B8919E1-EE1B-11EE-A450-7EEA931DE775} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet 
Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 896 svchost.exe 896 svchost.exe 896 svchost.exe 896 svchost.exe 896 svchost.exe 896 svchost.exe 896 svchost.exe 896 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs — the dropped svchost.exe (PID 896) enables SeDebugPrivilege, which together with its process enumeration and cross-process memory writes below is consistent with (though not proof of) code injection into other processes.
description pid Process Token: SeDebugPrivilege 896 svchost.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2900 iexplore.exe 2900 iexplore.exe 2900 iexplore.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 2900 iexplore.exe 2900 iexplore.exe 2940 IEXPLORE.EXE 2940 IEXPLORE.EXE 2940 IEXPLORE.EXE 2940 IEXPLORE.EXE 2900 iexplore.exe 2900 iexplore.exe 2900 iexplore.exe 2900 iexplore.exe 2628 IEXPLORE.EXE 2628 IEXPLORE.EXE 2652 IEXPLORE.EXE 2652 IEXPLORE.EXE 2652 IEXPLORE.EXE 2652 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 24 IoCs — note the writes by PID 896 (dropped svchost.exe) into the two iexplore.exe processes it spawned itself (PIDs 1576 and 2148), which show no activity of their own in the process tree; this pattern is consistent with process injection/hollowing using iexplore.exe as a decoy host. The iexplore.exe (2900) → IEXPLORE.EXE writes are likely IE's normal broker-to-content-process startup and are less significant on their own.
description pid Process procid_target PID 2900 wrote to memory of 2940 2900 iexplore.exe 28 PID 2900 wrote to memory of 2940 2900 iexplore.exe 28 PID 2900 wrote to memory of 2940 2900 iexplore.exe 28 PID 2900 wrote to memory of 2940 2900 iexplore.exe 28 PID 2940 wrote to memory of 896 2940 IEXPLORE.EXE 32 PID 2940 wrote to memory of 896 2940 IEXPLORE.EXE 32 PID 2940 wrote to memory of 896 2940 IEXPLORE.EXE 32 PID 2940 wrote to memory of 896 2940 IEXPLORE.EXE 32 PID 896 wrote to memory of 1576 896 svchost.exe 33 PID 896 wrote to memory of 1576 896 svchost.exe 33 PID 896 wrote to memory of 1576 896 svchost.exe 33 PID 896 wrote to memory of 1576 896 svchost.exe 33 PID 896 wrote to memory of 2148 896 svchost.exe 34 PID 896 wrote to memory of 2148 896 svchost.exe 34 PID 896 wrote to memory of 2148 896 svchost.exe 34 PID 896 wrote to memory of 2148 896 svchost.exe 34 PID 2900 wrote to memory of 2628 2900 iexplore.exe 35 PID 2900 wrote to memory of 2628 2900 iexplore.exe 35 PID 2900 wrote to memory of 2628 2900 iexplore.exe 35 PID 2900 wrote to memory of 2628 2900 iexplore.exe 35 PID 2900 wrote to memory of 2652 2900 iexplore.exe 36 PID 2900 wrote to memory of 2652 2900 iexplore.exe 36 PID 2900 wrote to memory of 2652 2900 iexplore.exe 36 PID 2900 wrote to memory of 2652 2900 iexplore.exe 36
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2e5b64eab6f3ea2711a18b9372ba8ed0_JaffaCakes118.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:275457 /prefetch:22⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2148
-
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:406540 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:668678 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2652
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (the same CryptnetUrlCache metadata file is listed repeatedly below with different hashes — it was rewritten several times during the run; this cache is typically populated by the browser's certificate/CRL fetches and is usually a benign artifact rather than a dropped payload)
Filesize 344B
MD5 5c7fbeaa97e9ea5b36eb19e7d0c87d38
SHA1 145f0c5098dc6e5e57ffb70caad3d70b30406313
SHA256 e463a6c5a49c205600bdb2359bd8c8fada2bea8e07e85b0340e58af49bc8a91c
SHA512 928e0f13d789c2e20bad0f84651d2e09e48404e6b618e59824589d8ac539f641565e962039be0ef4b6ab1e118f8d7903c8a351e9202ab48ee1d6e667bc225697
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 473a482cda40be8b027b81985183788c
SHA1 685914703ebb157c84b777f387a74a18f1c3d897
SHA256 ef54c48f6aeec111c8869eb8a9ab1188201fb24987c0d577867d2ebe16d5bab2
SHA512 e65ebc2edd8754152e79e068c910d18881b7b1a55ddaa30c83ae19fe375f30098068faa33f89b5503675f68e6dbd7bc756b38529ee8d487d32d9c58e270e9037
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 6bf3dd54e825c12431cf05852844b433
SHA1 70daeb3820ebde75d1d5c486e1dba6c79cb168f1
SHA256 30734aa7a9e3282f5ecb62f6dba3f147b1d5ce68c38d5fe0f8109c1d05e7a3ab
SHA512 f0db162a68b7809a1052e8908bdcd11f1e2c0943e4d0fd9c47285e823d1691a898be808303ffb9a2024c2beb8828a6820f97090a7b695ca71e9a419eede22ad2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 068040c4b36471aebef81d4fb5c3a16f
SHA1 e0466e1c9689094168b1d4b09288d7a1f8729cf3
SHA256 7688c4143b4508331d10d2703438bc7c6c5798822e8b5c0758db998dc8f0bb4d
SHA512 54b53dfb7efd275001d1fdb07ce3fa6e405acf9666171f5ced9e6e3fb96d835033a5877588a921e2dc4e29a2f57697bf8ad7ef71be3a9a522d750f0049ec6f91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2776d82d62d3731ed4042d05ee8b4642
SHA1 a663499a80953b60218c3a8d6807a9479742b1e7
SHA256 42fc6b24588cd361e71f9a1e391f4cce54f51bdc46b3d0702fad6427d6444939
SHA512 01d4b31b94dc0fea8cc2ba3c1430acbca456c69fce5e18e34058769e86d95385a3bfdca0e1091322174ec9cad1c88e8b25b296e7637bd6cd5e8ceaed7fd6bec3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 43f28ae456e460404d01594b47170948
SHA1 958ee5cb32e1c5fd2bdaafa868186dac68209eb3
SHA256 b12ef3bf67655e8c849ee37aa0a4f9b15000bed6715462c4895d1b2e5aef836b
SHA512 8c96af6c3856dab7b7acf4620312029d4ab8fd7b96e236c508c5ecd433ce137bed94dc4e3dc6940f00f38640a1bf53c3d605e822a083d0b80708faa5fc77a481
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a24be4c4199ddf5420c3e5405717ac6a
SHA1 ecdbc22ec586a8eabe5ab2a74b9b584aea158324
SHA256 e431d4b0981ceb533ac6b54340a5fb9a89625b90584abcd8d21c0be002671d1e
SHA512 45c8e02960951210c78189e51deccb1d396c4bf6e497723c8fa86c4f23d3c119ac3de0a77695d1b2209eadd7114085adb6e9f51bffb314820cec16acc4460cc1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ade2d00bd5708d3bdfcec7107df29a0f
SHA1 2382e92ead712e1c6dfb85fe744053c4328e6837
SHA256 f923bfe36d77514288a3d7bf09dab7c99cb7a547654d8762fc5957b2fdcf2ce9
SHA512 4bbdd4f1f4823e80d004dc1b495b632384973df4302711b5478fcc244e52e67fdd6f9164986d49b4ba5519416677b44be701323bb0cff0b32224ac9879fa13b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a120d06ecf5bb24dfc6ffdb7254eb2cf
SHA1 0ba9b7b4b5dcdd6d6d9465b9288a2ff57d48dbc9
SHA256 b371dc94a25cdd3bf0f97e2badd0749c2c3e3858795e74272c68455966f62f8b
SHA512 447232e8dc444a8d7add1a7077ff7c6a4e354d2b1b31c4ede1f5fde1797719d112432980f69c35e5e7cfa297b16f21aa9fbafa6a6b4ca32016f65072b2a586db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 5748542eb3810e0ed90f03d8ca9c6e17
SHA1 d3d5db0a07665f31014cbca2fd3f507990d0442e
SHA256 96757d64af195df794ee6e3c79e0fa08394115d9d39939d506464f66f3477c02
SHA512 b25838779143f1d59c82acffb7e95c6ff95d9f7c17d52b791029b15282b6e98d41aca85302441febc4caad07d2329327223844eeaa876d881430b87649fe8e3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 28ce2bbc51d356c6cbc64ff8c75aa370
SHA1 00c01f1a92018f58065ce641c02432cb04515123
SHA256 5bf95c086c96f0d23d3bbc9e09440edcae7182d7217dd9f53d4bc6f26da49f3f
SHA512 367bf80946c6dd270145d4aa274ff3e4dddf97169ef8803729e0a92f31f2b6efd575b89da1db4f0972c7909eb6012f529efc8d670eb10d839068ef69785bcfc4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 bf86db8a23ec0faf64f04e9c7ec8e401
SHA1 a3702ce795ce3da154d62ed6e381103450ecbf4a
SHA256 925a99f16b5cf5c5a48e8652992aa3357131ee3cec374b6fd86dedc3408fea61
SHA512 36ffb1dcbbd951079719b7eeafaea7b7a2b883690ab70a811c1823c99c849c3b40cb69a1542fb4f26809d94666af0a5ff1ff00a6633a98650f4d1e116675ba0f
-
Filesize
65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
105KB
MD5 dfb5daabb95dcfad1a5faf9ab1437076
SHA1 4a199569a9b52911bee7fb19ab80570cc5ff9ed1
SHA256 54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0
SHA512 5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8