27c21a4efb452790ac569f5a4b8145c6cc0166d0347d6955a6360e3c6becea30

Analysis

max time kernel
95s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
Size

227KB
MD5

e8b7d90e4d041096a4ec76b8763bb038
SHA1

0f1d35a04631d377c05edcd6bd03d772a03ef8cd
SHA256

27c21a4efb452790ac569f5a4b8145c6cc0166d0347d6955a6360e3c6becea30
SHA512

9694da097ed4023b477045f59a2c2936c2d282d794ee409c3e35f73031c240795b3d9870c73021464291116e53534bd9446a1e3bbdd7a5c0f20c61a92d8691f6
SSDEEP

3072:8kKkooPVoTbsCjyoFlQsQhs6ScQDNkw50i4bYHuzMaHDcB0utBHfMrzrIEcSB:VKkvVTCEhssQDWwcEHwMceFd+r

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099406"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3743280003"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419384888"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099406"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099406"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099406"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3744998162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0AAD36F0-F602-11EE-AE4D-5A176B010E55} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3743280003"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3744998162"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
Token: SeDebugPrivilege	4636	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 384 wrote to memory of 2920	384	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	88
PID 2920 wrote to memory of 1008	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	96
PID 2920 wrote to memory of 1008	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	96
PID 2920 wrote to memory of 1008	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	96
PID 1008 wrote to memory of 2220	1008	iexplore.exe	97
PID 1008 wrote to memory of 2220	1008	iexplore.exe	97
PID 2220 wrote to memory of 4636	2220	IEXPLORE.EXE	98
PID 2220 wrote to memory of 4636	2220	IEXPLORE.EXE	98
PID 2220 wrote to memory of 4636	2220	IEXPLORE.EXE	98
PID 2920 wrote to memory of 4636	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	98
PID 2920 wrote to memory of 4636	2920	e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe	98

C:\Users\Admin\AppData\Local\Temp\e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e8b7d90e4d041096a4ec76b8763bb038_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
39dd625b01652b616f218d3ddd2cf208

SHA1
d743d761bbfcb8cfc9b197bf3e903154f0255113

SHA256
885889906cf0a34f41de313074d706b129d988dc1d8b944dbdcf4e1d4e460b77

SHA512
b9f61ef3bbf3f7324ac0852c1c49a7a1c576b9168238eb16a15023916cbf1370d49787e8d05e58dbcc6ee8b23427f12a50d203de0ab3226eb6e1a80ee9637f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4efc8f7d16b098b13b4976d2c67ce568

SHA1
c481db0b3057af88e92bf05a570d9159d2ae768e

SHA256
2b55774a82554f719c68299cb036a2a502a8ccff456457549b6fb20f83114b96

SHA512
0b0d99e0c0fb2895a6b21b7bd881a1f92334edbe6ec31437c76df61226827454c606dc21b88e5166fe2d31a487735588d04299172e98ea606d1a7a8132406ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF06B.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GP57WU1M\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/2920-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2920-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2920-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2920-5-0x0000000000540000-0x000000000058E000-memory.dmp

Filesize
312KB

Download
memory/2920-6-0x0000000000540000-0x000000000058E000-memory.dmp

Filesize
312KB

Download
memory/2920-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2920-23-0x0000000000540000-0x000000000058E000-memory.dmp

Filesize
312KB

Download