Analysis Overview
SHA256
7e38a18c08c3ca9fd53a45f0396a3769cc39dd550af2def720d55b52233921d9
Threat Level: Likely malicious
The file e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
Checks computer location settings
Deletes itself
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:26
Reported
2024-04-07 18:28
Platform
win7-20240221-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\dlnajjbdfa = "C:\\Windows\\system\\llwzjy081026.exe" | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\mvjaj32dla.dll | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\llwzjy081026.exe | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\llwzjy081026.exe | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\mvjaj32dla.dll | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{589962A1-F50C-11EE-8303-EAAAC4CFEF2E} = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418676255" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\iexplore.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe"
C:\program files\internet explorer\iexplore.exe
"C:\program files\internet explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\dfDelmlljy.bat" "
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\ProgramData\jjjydf16.ini
| MD5 | 903b6403838c0fdc606a66e17afb8cd4 |
| SHA1 | d507c081bcee124eac8f25446ef906331145ec5b |
| SHA256 | c72d1c7aeb87bcee59253c656474c98177c42108459519d66bcb7d921e268e74 |
| SHA512 | e9e07d0655c87256566a42ab545df03edffb8e1412ec0daa0ff4765d3b1c2cae50073fa676c477a8e4e95a4bf0a94bf70d38e49ca77ad496d53a64149936b19f |
C:\dfDelmlljy.bat
| MD5 | da3da2e76e0bc32a18501f04eb9c93a9 |
| SHA1 | 09deb42627d4af2fc8d337f3908670ddd2045795 |
| SHA256 | ae28610bc049a01e4b8a783a946326973070b9e846bac0faacc91be8c68281be |
| SHA512 | b34a5b5f28a2113df40ac24eaa6fda645dc940085845cbed583b73c0271edb4358f2681ba9ec282c97eea08e87aea20c7ec65a7921e8a66c4b64654dd74d7621 |
C:\Users\Admin\AppData\Local\Temp\Cab560F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar5710.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 197eade68eabd663b0dcbae40c29d200 |
| SHA1 | 74e20ae8150e6b71ad0416ac0196bdc8be0d232c |
| SHA256 | f3b6e22602b6fa95a7f21b534fb6942788f2c02ca777d2b996fa2d1f07ae8193 |
| SHA512 | 83b04fe053d165f605bc001a9684b78998ac914acf94b92e534e14ebefe3c1a5925347584a110d524c55ac1566e54acc63d40edccefaad652533f27f07966e30 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 79307dbac51f9f8270bf0ebb65163e09 |
| SHA1 | 26050cf94c2664472c6a4eb367529dc9dbac0957 |
| SHA256 | f39f6849d0b3d513cb51e855b98c74ab672f0fdb61eac35f90b554e30e37fe2f |
| SHA512 | dceca2dce36046be1045e88bdae6f82d55b4684eea0e3486a9b48c46950eaa41f6fc9da9eb335f84980f72f847ae35cad398a47d477c3ce9f2495e2bcbc43f6b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c42e97d7b5aad072304d4f77ecfeab8 |
| SHA1 | 25b7c960e94e398db3397fe93cca3a4ddb89532f |
| SHA256 | 8c75d47efdf3ace4e6f8ef514bbae6fc1a5bb7de4265701247e1c7cc4eb42715 |
| SHA512 | 8e702f49fbbeb34e93729e88a446fe7da13a52000dcd3a1673bace3933a12bad87b3053b2e966e52a28ea71a273bb2e25c05322cfff1f8b631dfa033c10d3c0b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac0d8aceea926756350a7a20d3a12024 |
| SHA1 | d64f928a114837cae446f9f18995acf386d9b3d0 |
| SHA256 | 4008b820f93e036c1ea47333874b2a677e9f989317fab389dc584c5eec21c2bb |
| SHA512 | a0e3bbf1216a88142564ce455d154c4d821f1625d2566f734eaaadf0ee42a4c8cc9dc9610b96bb51f25d261e4dd4367df5f25024b8db5fefa2f492c5d8d179d4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b24fae74edcd7c1dd5da9e3f49864265 |
| SHA1 | a12ea070bf209f135eb1a43f5b9da5d6a8efa746 |
| SHA256 | 606b48c6cc813bc85b5ae06981a1823312b8ca67e7607b445ad70bf30d2bb525 |
| SHA512 | 1690eb6192e0b0f391fb34c90af04c2ceb60c9dd2fe7b367474ae8c720cf717339c70ba2fbe27e029198c12f1f3335a762349dbbd4847d9be01fa51eae455dca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59c22d2aef1c1e20be25898fbeb9f3a5 |
| SHA1 | 51d4c7ca8b4b2ddf83965733c5061d1df23bb89b |
| SHA256 | 7655eb3a6b2f2a3d59f7ea7b55b947a0e418d6510b374bb02518b54fcadd489e |
| SHA512 | 07cf61699044f61ef858a464adf1f5b201505776f2ffec255c4dd60ae45841595e459a89fc6b5111277385c847b796b684a75bdcbd7cca02a3c6002923fc9e0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41a599001421509c7ebbafde77bba9d7 |
| SHA1 | 8708c803073e2e4049cbdfbc4ac8125349b77cdd |
| SHA256 | 2c72c64590cd9a0ab485abde1b9a79cc062f594e6202108f3ee7615c9a6d647b |
| SHA512 | 745744c8433fabc20543374805aec5c17f3bfe31d10497f4662cd0c9fd02d4b8f863f5d498804e93870794ab5945c310f6279985aa3869af638a3c57fd666660 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35ad2c1b49b284faf20b0b89ce783fb1 |
| SHA1 | 4f49a6afbfea99c3984e86f601ac32422330ac1e |
| SHA256 | 9a638e5624e6ab24c9c1d7efeb6b17b167a81354c1720fbb361e98ba31da687c |
| SHA512 | c79c934c2cc82c05b09c7241782886d4ca3253c4cee85f3a6a3a997888eaececa9f9f14a332722c9ba43cb0edb28d5719aa0704f5559424b24547584c7da9983 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e67574d93bace92a6b07bb052a17a652 |
| SHA1 | 791b05bbd15455e48b49e382735a33617620b8f5 |
| SHA256 | 766aa95f6b63a8014c71931eb4692ecc89afc1b024d25701518e588694122e3d |
| SHA512 | f1436b04bf58fef51d14337c7e49fdb8dcb8423fd06fa5bb2d2143faf34eef82519fdd960f79da551cb033590fcd7e1468e80d5e53db3ef717257b5e115c79f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3508f98ec4903f70284fdef7ab6217f1 |
| SHA1 | 0d451af39d4f87c53175ddc69953209fae30560e |
| SHA256 | b0e0316466b55e71cdfc7a5c432f5498144216ac22d70a20101951a206cc86ed |
| SHA512 | da10c86be2c8a9fada25583eacf3bd448a00f11ac11ca18fe443831ab7e2a82e490140245d1b98f25be5b1674ef3ad65b63d3693f8dbd154236d3b45e4fb62a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81fdfceaaa5e644102bcb2ca290325a8 |
| SHA1 | 990b2ef5be5a10d973b0e69d06e0b0c2b5e41539 |
| SHA256 | fcb8f941097a2ccd66778a62536118d8ebf647ffe80163ba28e0663c4d28e048 |
| SHA512 | e54e0f3e0e5fb3b390684a8e0fc4784cdd0b804b28a68b23c7c5fe05a32f72b749ddeacae280a31e656b5d1d4059238f606dc6ada05909ea3c07f80bd95f4edf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83fc15d1b1261dda4885411404f8c7bb |
| SHA1 | 837f294de584b3e218f7976c0e5f23a2b4bd1c28 |
| SHA256 | 5ae30a88c9d83a776f1900b835189229eda647e03928dacc1502a3a8370bd34b |
| SHA512 | 0546729095cebca75370fe6b481c6ce6042282ad6f95589e1fb6acfc80b371f80617a62de084a29f36c63f5b641226f21badfcddeec55ec6692daa439e9e47e4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50d88f2b047f9913b978ba2e0405fb02 |
| SHA1 | 0d2ad7557219f2114040c2f09d1c9074951981fc |
| SHA256 | f8666a49aab4e8647a38f2e44c8f272e8bd1150496161950d7f7f2711e08293e |
| SHA512 | 28190e4a32d5baaec4072d31604fc7183613627e38d5b77f437cc15a21f2423886f28ca1dbfb76ba62feaea1624beea6174e43c27b37a81cd1790e5a8a72fdfc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a9dc1cd92e2f230a351573bbe8a0fc23 |
| SHA1 | 3be99786aca7a81ce69eed8dd361992eeca90e41 |
| SHA256 | a6a00d40a49b38a9ec8d7093a08be1741ec30f3f41a5b9c89ccbd2cbb8f208c6 |
| SHA512 | 78682abfd5d99d6cbb58923262996676d673804a470854a15a27522e80c56cbdb028d2859e4cd0b535a7aac67a7cfc688d766d8d6658438ce41a7f6e8792d4b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4c50b209dc7219eabbd1945b98ef3ffc |
| SHA1 | bca076efab2e9703c22c1a8d9b44dfcf7bb44b8f |
| SHA256 | 184c4dd6c77e4d68825426c18d915b222886fddd5d2ee0a050905bf5b587e9cb |
| SHA512 | 82df9ddf041193fff0558ecf97c16297c111c4fcb8af71a9ca7bb6c639beb9fa57ea2dfe422d86c5020b1b8ff1b9924a5d65efc8515c209a0f487e09a127cb57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ccaac9486b5c3259bc05e3434de1c77f |
| SHA1 | f368312da1d5ecda8a798dd4a041b58ee157615e |
| SHA256 | b22aec98d194b6f29d5a06d384e341af677521f919f9778b4cfdfd5bbb271f91 |
| SHA512 | 1933adec57f3032032b763242c0ca643a5f6e2f76c2ed0527e8d53004665008322bf849ed6fee47882f70774b7010703315cbb7e5d5d8719a856a78f44c69f3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e07c7ccd944269a3c30f799cc467463f |
| SHA1 | 4baf7e43bdb9c6ea953ac04163896ad42215e019 |
| SHA256 | 1c78a6c25e08e74b5d9324e169bb71ea3e41790b1802c23e608c68fc34108d69 |
| SHA512 | 2180b3d0694e60a504e1f47104f0d3150a1c1eae12255e03b458cc226fb1a7a2e83590f3e408599df461ef9e559360cf33391f376c266ed131766f583e9762a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6f1dd9b30c0b5bf0965f54e4a6b6fec |
| SHA1 | b8642756006cab212d419aef6682a82aa4be27e2 |
| SHA256 | 73a943f44d9241e038f47f9d36a863e0529d068fc075d41e0be16a6cf1216fa8 |
| SHA512 | 8a71c05431087f5a44e3a6378d5d1bce71e83d1ad5d88747c7fb8672a7395beb5fd05880ebac740a2512b6247e33c3529a0e19b947ab73913dacae381748fced |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:26
Reported
2024-04-07 18:28
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
148s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\dlnajjbdfa = "C:\\Windows\\system\\llwzjy081026.exe" | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\llwzjy081026.exe | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\llwzjy081026.exe | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\mvjaj32dla.dll | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\system\mvjaj32dla.dll | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099161" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099161" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "803487218" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "800830897" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099161" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419279366" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5B522A8C-F50C-11EE-BD28-4EA1437444E8} = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\program files\internet explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\program files\internet explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "800830897" | C:\program files\internet explorer\iexplore.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\program files\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5933364d16c249fda7c5d6be4b75e5a_JaffaCakes118.exe"
C:\program files\internet explorer\iexplore.exe
"C:\program files\internet explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1292 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\dfDelmlljy.bat" "
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\dfDelmlljy.bat
| MD5 | da3da2e76e0bc32a18501f04eb9c93a9 |
| SHA1 | 09deb42627d4af2fc8d337f3908670ddd2045795 |
| SHA256 | ae28610bc049a01e4b8a783a946326973070b9e846bac0faacc91be8c68281be |
| SHA512 | b34a5b5f28a2113df40ac24eaa6fda645dc940085845cbed583b73c0271edb4358f2681ba9ec282c97eea08e87aea20c7ec65a7921e8a66c4b64654dd74d7621 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 8f3eb06776d4e1dfe1e742cb70e22357 |
| SHA1 | 5ab03e56d3cfe9951e9598dd72ff258065253672 |
| SHA256 | bdb9f9d35fdac68cfe4a2f615e01d10dc89baec837fe7515b70a6cfedb27d87b |
| SHA512 | 450c5dccfbe02ac221b9b05b7f1af43ad9c83701120f8134dca66c03c9e20e38fedd76a0e62a47943044ebb00de338fa001ab662481c12ed61902b9f838c6a27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 68753a31d010e26bd1008308cbd2d10d |
| SHA1 | d7f5b974a68943988ad7879cdb949dd0b2d13e57 |
| SHA256 | 860fd87d5e7b92609dd976cc0723dfe735c46823124ef7cd5b3de1b8655f37e4 |
| SHA512 | f8116773a5f2c4cb3ffab868f5fda9844583034eda54bc15e984af507a053207387c085ec4fe3091c2a039a1fb6b6a1304056c4786c265f2de992a4530b5350f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |