Malware Analysis Report

2025-03-14 23:43

Sample ID: 240407-w2srlabc66
Target: e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118
SHA256: 2795fe0cd337d04014c0174166a3528a955439fe3fbd8d054637f8e6e73fb2ff
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 2795fe0cd337d04014c0174166a3528a955439fe3fbd8d054637f8e6e73fb2ff

Threat level: shows suspicious behavior

The file e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118 shows suspicious behavior. In both detonations it drops a file with a .rom extension into the System32 directory (recorded under SysWOW64, since the sample runs as a 32-bit process), registers that file under the HKCU Run value MSSMSGS as "rundll32.exe <module>,nsORun", starts Internet Explorer as a COM server with no visible window ("cmd /c start iexplore -embedding"), and cleans up after itself: the "Deletes itself" signature fires on cmd.exe, which runs two dropped batch files. The dropped module name differs between runs (winrir32.rom on win7, winwca32.rom on win10); the Run value name and the export name do not. The only network activity recorded is Internet Explorer's own traffic (ieonline.microsoft.com and reverse-DNS lookups); the report attributes no connection to the sample itself.

Malicious Activity Summary

persistence

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:25

Reported

2024-04-07 18:28

Platform

win7-20240221-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winrir32.rom,nsORun" C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winrir32.rom C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\winrir32.rom C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35EC7E41-F50C-11EE-8B8C-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418676197" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2220 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2788 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2788 wrote to memory of 2664 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1620 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1620 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1620 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1620 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start iexplore -embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\twe401C.bat"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat"

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\twe401C.tmp

MD5 4173c8c06f92cfef803809d8688361a7
SHA1 a31fbe9f55bce6b8f1ce640fc97572b434ef42f5
SHA256 0852005c9d2ed4c0619dee7ac05613e9a5e3b5e6b236db239e11e80ce04232fa
SHA512 f811946953d58b87e84bbb08c2a53cc33935795c4ae0b24ddbd97764c4e2dd3704eaf75a61cdb03bd7c22497da8b7d1c6f5aefd68add93bae0058a7dacbdb125

C:\Users\Admin\AppData\Local\Temp\twe401C.bat

MD5 1621b3bee84869c4e0fddf9d9fcb27df
SHA1 6e13145d000519e3fbe0d92c252afc337fd5b61e
SHA256 29eb44b186621ade454838953add0e6c4ff5956095d0b6b973a7ad59c3bfb13b
SHA512 2ee07ae6460da7233c24cc757b9618b4718a5d0145558cec8b9cd0744d8eb8e769a0904ca7be69992dcc5c5cfb30957f4aeabeea5183a06ad3825991287d53ec

C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat

MD5 22b4da4bb3ec91eefaec419350d18b7f
SHA1 d777414397a18f00d875d5556314d56ca305aeb2
SHA256 0d6c4cd95c947a0e6ab7107b30844498df39e739fcfc082782446e9aabd532e0
SHA512 428e16ecb74182282022c41e1c3169eafd75a74d84d82eff1357442625301e4fb74b0a6fc618696aba1e4a294f8be7ca7b58b3d12725c9614ab6e9df9e7be83a

C:\Users\Admin\AppData\Local\Temp\Cab4349.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar4498.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 303dc73d0355707a64f0a890514acb6c
SHA1 8037e61de26f321412333df323376ba44c2a2ddd
SHA256 3c2ebc797df5f950331024a05d2f677585ac51da7495465e628125845a76c3d5
SHA512 81d43649bffa94d28d488dfef59e0a818d0fda144b7d1777e8784a2014fd479f1f1025981389bb8905408c754e0c54b40dec1c3994f702100a13386578281f9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34b2e5de0846d1b172cb0be19a103be8
SHA1 3c7a2e415e5c4325b1239d31f4cef442b05ab7ff
SHA256 d2d805d31033501b5213f2b2404edb619fb16d229076796dfac34958324fb602
SHA512 2da28aad3cf0f6a2cc4b1225775e52630abef9efa3bf6cedcb81104bb751f030893ddb919cf83ae802cc7977173a6ff88c2a7e8e8dcd3355785d884104c76506

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37257f48192594e986ef6de1fc8c4a6a
SHA1 ac8e9ec71e6bc389718706d3441855658b73b0bd
SHA256 fde427828a7a6fd91b373d83596bd7c86862552dd9f6dafccf4dcacbfe1f6856
SHA512 5c8e61ea700bc05f0b3cdf372d7869006d8ef73923228f2690ab198c4baf48bdb784b2230663b62bc2ae749dafe98180522b5e2bf5d1c75a2273bf4ea20e2f61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df4e29ee5befb52d67b74641a964f169
SHA1 00ea74f87efce28d5672f54f183e74a2d19a5e13
SHA256 a03f4381f7b7c3d93a63db703404306c2922f9f15cc2a3af7d4f9ede40871959
SHA512 21d86edeba8406dd1dbd2630bb1cd38242e581e02edbf1b510376ee0203fcca7908065f10796d468db1b852371ca070754e6d11116d361703cbd4d8ff03b6d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1aee54a05d7fc83e87cc7a2076563f89
SHA1 86b95df78c1ade73ad5a9c750938435cd264bb28
SHA256 ce9f7bf0443f84dd25dc24267aef8c23974051a4fb067eb572583d85ba15ef2f
SHA512 e10b9e970caa8c5b6eb37ab7b208efe121f509fa5382ae8056a564a0a91d0071131b27d1dca49b314ef768b8a44c6bcbbfd945ca254ac860616f093db8074f76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c71668cccb4e12d72bfbefb56ae58137
SHA1 4f8ab36de1c468d92d1b29a4107531d289c20632
SHA256 bf4659206e5aeb7ef986a843883f7790b966a1c16457c8758ec1bfcb80258bed
SHA512 cb1b7adb339a028a690008e7d95bdbbbf06df47eeae5c2a14bc824888e8fda67006fcefaa183d816a327ed375b48a640e664097fa063ea44a9735cb2a99b8d8e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f3f4d9a7bf39aaaddfe4703ffa72db5
SHA1 030cee8c1566c6c58aa09778dc16543320a25698
SHA256 8b7024afc35efbed11c040aa27f6869ae0907b1d9151ec648fe739c0b0dae229
SHA512 5cec63bd6b3ac1fa386b36f22c2cc192314fa5b6e8299ac466a6ca7145ed738b84e7be4b2bfd7411110ba36c78a17537d8b9aef06f4e4e87440048dee35d0ac1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaddb06e0e04354aae35cb04f76decdc
SHA1 a2be337a5abcebffc949443b33720e36275d4c55
SHA256 5ef8c2a607a63702ded7400c4ca10280eee6f3ac153a524552f679125c6872d7
SHA512 daa0675e7d1b80754a4bb59d1286644610dc158385d3c9e3615a2de4bcf584f4b7e51e2528090d303d59178531cc42e4ec1336d69b4f7f78bbb90081aade7510

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad0610f7e74ebcee06e1dbf6b9f683a0
SHA1 b404560194e4c91b2c08b5354b54e655c0f4b766
SHA256 ffd8d1cf622fa023747d0d92ab3d706a61ff582f6add325436e93b133767e0b9
SHA512 6c290be961427e05ea7a45e76c0ebd8e5c833f36a57f0c27a57fb5f7ab793c627c1414bc7a1d909e7c2a88d079a43e1ea24938ad5b1a46eb8e619904310e6791

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4017bde972a8b7771cc423e4ef2a5ad9
SHA1 02bfa194d6dfbba49a9b873e53c42dc5d0bc4cea
SHA256 b3b6c5dcaf5d1b7ccb6ac44e8ad7254200a5079d09ddcb7023ad021d0eceabde
SHA512 0b92a13dd5581dd5b77e25740a30b6607a7dae2e2f5c0ac603f78de633791a1d660b1844dfa9e845a81b26ffdae42091769491cca8da1a30fe66f46a51e11d14

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:25

Reported

2024-04-07 18:28

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winwca32.rom,nsORun" C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winwca32.rom C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\winwca32.rom C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A
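The two Run-key rows above (behavioral1 and behavioral2) are the persistence mechanism of this sample, and they are worth parsing rather than eyeballing: the value name is constant, the module name changes per run, and the module is a bare filename with a non-.dll extension. The following is an added example, not code from the report or the sandbox, that parses those rows as the sandbox printed them and classifies the rundll32 command line. The regular expressions, the finding texts and the candidate on-disk paths are assumptions made here; the report itself does not state where rundll32 would resolve the module.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the two "Adds Run key to start application" rows from this report
# (behavioral1 on win7, behavioral2 on win10), copied as the sandbox printed them.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winrir32.rom,nsORun" C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winwca32.rom,nsORun" C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe N/A',
]

# One sandbox row: operation, key path, value name, value data, acting process, target.
# The row layout is an assumption derived from the lines above.
ROW_RE = re.compile(
    r'^Set value \(str\) '
    r'(?P<key>\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'(?:Software|SOFTWARE)\\Microsoft\\Windows\\CurrentVersion\\Run)\\'
    r'(?P<name>[^ =]+) = "(?P<command>[^"]*)" (?P<process>.+?) (?P<target>\S+)$'
)

# rundll32 command line: [path\]rundll32[.exe] <module>,<entrypoint> [arguments]
RUNDLL_RE = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


def parse_run_row(row: str) -> dict:
    """Split one sandbox row into sid, key, value name, command, acting process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a Run-key row: {row[:60]}...")
    return m.groupdict()


def analyze_rundll32(command: str, acting_process: str) -> dict:
    """Classify a Run value that launches rundll32. Returns is_rundll32=False for anything else."""
    m = RUNDLL_RE.match(command)
    if not m:
        return {"is_rundll32": False}
    module = m.group("module")
    ext = PureWindowsPath(module).suffix.lower()
    bare = "\\" not in module  # no directory component: resolved through the DLL search order
    findings = []
    # LoadLibrary does not care about the extension, so a .rom/.dat/.tmp module is as
    # loadable as a .dll; an empty extension is not flagged because LoadLibrary appends .dll.
    if ext and ext != ".dll":
        findings.append(f"module extension {ext} is not .dll")
    if bare:
        findings.append("bare module name, resolved from the directory of rundll32.exe first")
    if "\\temp\\" in acting_process.lower() or "\\appdata\\" in acting_process.lower():
        findings.append("Run value written by a process running from a user Temp/AppData path")
    # Candidate locations (assumption): a bare name is looked up next to whichever
    # rundll32.exe runs the value, so both system directories are worth checking.
    candidates = [f"C:\\Windows\\SysWOW64\\{module}", f"C:\\Windows\\System32\\{module}"] if bare else [module]
    return {
        "is_rundll32": True,
        "module": module,
        "entrypoint": m.group("entry"),
        "extension": ext,
        "candidate_paths": candidates,
        "findings": findings,
        "suspicious": bool(findings),
    }


def stable_value_names(parsed_rows) -> set:
    """Value names present in every row: the part of the IOC that did not change between runs."""
    names = [r["name"] for r in parsed_rows]
    return {n for n in names if names.count(n) == len(names)}


if __name__ == "__main__":
    rows = [parse_run_row(r) for r in REPORT_ROWS]
    for r in rows:
        verdict = analyze_rundll32(r["command"], r["process"])
        print(r["sid"], r["name"], verdict)
    print("stable value names:", stable_value_names(rows))
```

Two caveats follow from the output. The dropped file lands in SysWOW64 because a 32-bit writer's "System32" is redirected there; a Run value executed by 64-bit Explorer launches System32\rundll32.exe, which searches its own directory first. Whether the entry actually fires at logon on a 64-bit host should therefore be verified on a live system rather than assumed from the report. Second, only two module names were observed, so any filename pattern built from them is a guess; the value name MSSMSGS and the export nsORun are the parts this report supports as indicators.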

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "418019572" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419279328" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4428AC36-F50C-11EE-B09F-7A73248FA209} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "417548191" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099161" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "422859870" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099161" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "422859870" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099161" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4600 wrote to memory of 2476 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2476 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2364 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2364 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start iexplore -embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tweB7D6.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat"
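The "Suspicious use of WriteProcessMemory" tables in both detonations read as noise at first, because in this report every parent/child pair produces such a row. The informative rows are the ones where the writer is not the target's parent: in behavioral1 PID 1620 (the sample) writes into 2788 (iexplore.exe), which was started by 2220 (cmd.exe); behavioral2 shows the same shape with 2364 writing into 2476. The following is an added example, not code from the report, that rebuilds the process tree from those rows and isolates the cross-process writes. It assumes that the first process to write into a PID is the one that created it, which the Processes lists corroborate here (the 32-bit IEXPLORE.EXE carries SCODEF:2788 and SCODEF:2476, the PIDs of its parent frame process). The sandbox's repeated rows are de-duplicated in the constructed input.

```python
# Constructed input: the de-duplicated WriteProcessMemory rows of behavioral1 (win7) and
# behavioral2 (win10) as (writer PID, target PID, writer image, target image), in report order.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
IE_FRAME = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

BEHAVIORAL1 = [
    (1620, 2220, SAMPLE, CMD),
    (2220, 2788, CMD, IE_FRAME),
    (2788, 2664, IE_FRAME, IE_TAB),
    (1620, 2788, SAMPLE, IE_FRAME),
    (1620, 2472, SAMPLE, CMD),
    (1620, 2480, SAMPLE, CMD),
]
BEHAVIORAL2 = [
    (2364, 4600, SAMPLE, CMD),
    (4600, 2476, CMD, IE_FRAME),
    (2476, 1796, IE_FRAME, IE_TAB),
    (2364, 2476, SAMPLE, IE_FRAME),
    (2364, 3692, SAMPLE, CMD),
    (2364, 4476, SAMPLE, CMD),
]


def build_tree(events):
    """Return (parent, image, cross_writes).

    Assumption: the first process that writes into a PID is the process that created it
    (in this report every parent/child pair shows up as a WriteProcessMemory row, so the
    signature alone says nothing about injection). Any later writer that is not the parent
    is a cross-process write and is returned separately.
    """
    parent, image, cross = {}, {}, []
    for writer, target, writer_img, target_img in events:
        image.setdefault(writer, writer_img)
        image.setdefault(target, target_img)
        if target not in parent:
            parent[target] = writer
        elif parent[target] != writer and (writer, target) not in cross:
            cross.append((writer, target))
    return parent, image, cross


def render_tree(parent, image):
    """Indented process tree as a list of lines: roots first, children in PID order."""
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {image[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in [pid for pid in image if pid not in parent]:
        walk(root, 0)
    return lines


def describe_cross_writes(parent, image, cross):
    """One human-readable line per cross-process write, naming the target's real parent."""
    return [
        f"{writer} ({image[writer]}) wrote into {target} ({image[target]}), "
        f"whose parent is {parent[target]} ({image[parent[target]]})"
        for writer, target in cross
    ]


if __name__ == "__main__":
    for label, events in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        parent, image, cross = build_tree(events)
        print(f"== {label} ==")
        print("\n".join(render_tree(parent, image)))
        print("\n".join(describe_cross_writes(parent, image, cross)))
```

In both runs the only cross-process write is the sample writing into the Internet Explorer frame process it did not spawn directly. That is consistent with injecting into the browser the sample had just started with "-embedding", but the report itself does not confirm it: no injection signature fired, and the only network activity is Internet Explorer's own. Treat it as the lead to follow with a memory dump of the iexplore.exe process, not as an established finding.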

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tweB7D6.tmp

MD5 4173c8c06f92cfef803809d8688361a7
SHA1 a31fbe9f55bce6b8f1ce640fc97572b434ef42f5
SHA256 0852005c9d2ed4c0619dee7ac05613e9a5e3b5e6b236db239e11e80ce04232fa
SHA512 f811946953d58b87e84bbb08c2a53cc33935795c4ae0b24ddbd97764c4e2dd3704eaf75a61cdb03bd7c22497da8b7d1c6f5aefd68add93bae0058a7dacbdb125

C:\Users\Admin\AppData\Local\Temp\tweB7D6.bat

MD5 341a77e33cc4e715de34ed6739ff763b
SHA1 06ed24daeb7f24819e891410ccde5ceff674dd55
SHA256 b9893a8573517994aa9f7a00878e331e925cfad1b2bff491da0377cc88e3fae2
SHA512 8d26fc897d97b0292928875f12aa47334d7377a2b439e398cdfd8b02e72b4965dc706cc1a2158659b36c4ea750a3586c836cf59cc8836d86ca928d9209ddddd7

C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat

MD5 22b4da4bb3ec91eefaec419350d18b7f
SHA1 d777414397a18f00d875d5556314d56ca305aeb2
SHA256 0d6c4cd95c947a0e6ab7107b30844498df39e739fcfc082782446e9aabd532e0
SHA512 428e16ecb74182282022c41e1c3169eafd75a74d84d82eff1357442625301e4fb74b0a6fc618696aba1e4a294f8be7ca7b58b3d12725c9614ab6e9df9e7be83a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 8f3eb06776d4e1dfe1e742cb70e22357
SHA1 5ab03e56d3cfe9951e9598dd72ff258065253672
SHA256 bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b
SHA512 450c5dccfbe02ac221b9b05b7f1af43ad9c83701120f8134dca66c03c9e20e38fedd76a0e62a47943044ebb00de338fa001ab662481c12ed61902b9f838c6a27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 9cceaad7535d15023bee0d2a45841a63
SHA1 630381682cead6e0b8723f0d37588cb796515b7a
SHA256 a123fa730e875bd81630fdafcb9a956d438693a2c8de66f0da2f95adb735c685
SHA512 e26aa714d119c32f6c8f1465e0e7f1238a35f471d6946484fabe40ff8181b76f76ba638cbf703a563e5ac5d9b8f0275f97982acd9655c4aebe9bec16200abf53

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver45BE.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIM5ZEZB\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
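Read side by side, the Files sections of the two detonations separate durable indicators from per-run noise: twe401C.tmp (win7) and tweB7D6.tmp (win10) have the same SHA256, as does the .bat named after the sample, while the twe*.bat files differ and the temp filenames change. The following is an added example, not code from the report, that performs that correlation over (path, SHA256) pairs copied from the two Files sections. Two assumptions are made and marked in the code: the CryptnetUrlCache, INetCache and VersionManager entries are treated as Internet Explorer/CryptoAPI artifacts rather than the sample's, and the Cab*/Tar* temp files are treated as belonging to that same browser activity. The many MetaData rows the sandbox lists under one path are reduced to two in the constructed input.

```python
import os
import re

# Constructed input: (path, SHA256) pairs from the Files sections of behavioral1 (win7)
# and behavioral2 (win10), as printed by the sandbox (the first path really lacks "C:").
RUN1 = [
    (r"\Users\Admin\AppData\Local\Temp\twe401C.tmp", "0852005c9d2ed4c0619dee7ac05613e9a5e3b5e6b236db239e11e80ce04232fa"),
    (r"C:\Users\Admin\AppData\Local\Temp\twe401C.bat", "29eb44b186621ade454838953add0e6c4ff5956095d0b6b973a7ad59c3bfb13b"),
    (r"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat", "0d6c4cd95c947a0e6ab7107b30844498df39e739fcfc082782446e9aabd532e0"),
    (r"C:\Users\Admin\AppData\Local\Temp\Cab4349.tmp", "c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015", "1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184"),
    (r"C:\Users\Admin\AppData\Local\Temp\Tar4498.tmp", "67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015", "3c2ebc797df5f950331024a05d2f677585ac51da7495465e628125845a76c3d5"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015", "d2d805d31033501b5213f2b2404edb619fb16d229076796dfac34958324fb602"),
]
RUN2 = [
    (r"C:\Users\Admin\AppData\Local\Temp\tweB7D6.tmp", "0852005c9d2ed4c0619dee7ac05613e9a5e3b5e6b236db239e11e80ce04232fa"),
    (r"C:\Users\Admin\AppData\Local\Temp\tweB7D6.bat", "b9893a8573517994aa9f7a00878e331e925cfad1b2bff491da0377cc88e3fae2"),
    (r"C:\Users\Admin\AppData\Local\Temp\e592d49574997f539f7c2a625cb5f8f4_JaffaCakes118.bat", "0d6c4cd95c947a0e6ab7107b30844498df39e739fcfc082782446e9aabd532e0"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", "bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b"),
    (r"C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776", "a123fa730e875bd81630fdafcb9a956d438693a2c8de66f0da2f95adb735c685"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver45BE.tmp", "557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1"),
    (r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIM5ZEZB\suggestions[1].en-US", "c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad"),
]

# Assumption: these directories are written by Internet Explorer / CryptoAPI, not by the
# sample, and the Cab*/Tar* temp files belong to that same browser activity.
NOISE_DIRS = ("\\CryptnetUrlCache\\", "\\INetCache\\", "\\Internet Explorer\\VersionManager\\")
NOISE_TEMP_RE = re.compile(r"\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def is_noise(path: str) -> bool:
    return any(marker in path for marker in NOISE_DIRS) or bool(NOISE_TEMP_RE.search(path))


def correlate(run_a, run_b) -> dict:
    """Split sample-attributable files into hashes seen in both runs (stable content)
    and hashes seen in only one run (content that varies per execution)."""
    a = {sha: path for path, sha in run_a if not is_noise(path)}
    b = {sha: path for path, sha in run_b if not is_noise(path)}
    return {
        "stable": [(sha, a[sha], b[sha]) for sha in a if sha in b],
        "only_a": [(sha, a[sha]) for sha in a if sha not in b],
        "only_b": [(sha, b[sha]) for sha in b if sha not in a],
    }


def temp_prefix(filenames) -> str:
    """GetTempFileName() names files <prefix><4 hex digits>.tmp, and the .bat dropped next to
    each .tmp here shares its stem. The common prefix is the only stable part of the name."""
    stems = [os.path.splitext(os.path.basename(n.replace("\\", "/")))[0] for n in filenames]
    return os.path.commonprefix(stems)


if __name__ == "__main__":
    result = correlate(RUN1, RUN2)
    for sha, pa, pb in result["stable"]:
        print("stable  ", sha, pa, "<->", pb)
    for key in ("only_a", "only_b"):
        for sha, path in result[key]:
            print(key, sha, path)
    print("temp prefix:", temp_prefix([p for p, _ in RUN1 + RUN2 if "\\twe" in p]))
```

The stable hash 0852005c... is the same payload written under two different random names, and given the "Loads dropped DLL" signature it is most likely the DLL that later lands in SysWOW64 as win???32.rom; the report does not hash the .rom file, so that link is an inference. The twe*.bat contents differ between runs because they embed the run-specific filenames, which makes their hashes poor indicators; the sample-named .bat is identical in both runs and is the better one.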