130fa1c54405ffd54f83ccb8e95a67a4a190a784802a80635d09e8a338eab77a

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 11:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e760d9b22a18d4d1a60bca43adeb7b67_JaffaCakes118.exe
Size

586KB
MD5

e760d9b22a18d4d1a60bca43adeb7b67
SHA1

5a92dc9012402adaeb858583bd1ce535e5a424a7
SHA256

130fa1c54405ffd54f83ccb8e95a67a4a190a784802a80635d09e8a338eab77a
SHA512

f8fc1eed46df8484149e74089f48d1b47bfb9ebdef489756960cf0a1c518d4f3c2cb60aa9d5fc4b5d1e074f4b94a56fe03bfada2fa53cb7756fa4e405609079b
SSDEEP

12288:JRCPOgBpF5PKvWqh09pEkF3Z4mxxVoLZGx5Yejd:/CNSThEQmXVoFw5Y8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	Internat Explorer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Internat Explorer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Internat Explorer.exe	e760d9b22a18d4d1a60bca43adeb7b67_JaffaCakes118.exe
File opened for modification	C:\Windows\Internat Explorer.exe	e760d9b22a18d4d1a60bca43adeb7b67_JaffaCakes118.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Internat Explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Internat Explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}\WpadNetworkName = "Network 3"	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}\aa-72-07-a6-f3-75	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}\WpadDecisionReason = "1"	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-72-07-a6-f3-75	Internat Explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\System	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}\WpadDecision = "0"	Internat Explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-72-07-a6-f3-75\WpadDecisionTime = c08fab9aa989da01	Internat Explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	Internat Explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-72-07-a6-f3-75\WpadDecision = "0"	Internat Explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Internat Explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Internat Explorer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A9EBCCD2-F12B-41E6-8854-C5ABD48924FD}\WpadDecisionTime = c08fab9aa989da01	Internat Explorer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-72-07-a6-f3-75\WpadDecisionReason = "1"	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	Internat Explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	Internat Explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2616	Internat Explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2684	2616	Internat Explorer.exe	29
PID 2616 wrote to memory of 2684	2616	Internat Explorer.exe	29
PID 2616 wrote to memory of 2684	2616	Internat Explorer.exe	29
PID 2616 wrote to memory of 2684	2616	Internat Explorer.exe	29

C:\Users\Admin\AppData\Local\Temp\e760d9b22a18d4d1a60bca43adeb7b67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e760d9b22a18d4d1a60bca43adeb7b67_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:1980

C:\Windows\Internat Explorer.exe
"C:\Windows\Internat Explorer.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2684

Network

DNS

www.eebuy.com.cn

Internat Explorer.exe

Remote address:

8.8.8.8:53

Request

www.eebuy.com.cn

IN A

Response

www.eebuy.com.cn

IN A

38.12.159.101
GET

http://www.eebuy.com.cn/gezi1.23.txt

Internat Explorer.exe

Remote address:

38.12.159.101:80

Request

GET /gezi1.23.txt HTTP/1.1
User-Agent: RAV1.23
Host: www.eebuy.com.cn
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 08 Apr 2024 11:40:40 GMT
GET

http://www.eebuy.com.cn/gezi1.23.txt

Internat Explorer.exe

Remote address:

38.12.159.101:80

Request

GET /gezi1.23.txt HTTP/1.1
User-Agent: RAV1.23
Host: www.eebuy.com.cn
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 08 Apr 2024 11:41:09 GMT
GET

http://www.eebuy.com.cn/gezi1.23.txt

Internat Explorer.exe

Remote address:

38.12.159.101:80

Request

GET /gezi1.23.txt HTTP/1.1
User-Agent: RAV1.23
Host: www.eebuy.com.cn
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 08 Apr 2024 11:41:40 GMT
GET

http://www.eebuy.com.cn/gezi1.23.txt

Internat Explorer.exe

Remote address:

38.12.159.101:80

Request

GET /gezi1.23.txt HTTP/1.1
User-Agent: RAV1.23
Host: www.eebuy.com.cn
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 08 Apr 2024 11:42:10 GMT
GET

http://www.eebuy.com.cn/gezi1.23.txt

Internat Explorer.exe

Remote address:

38.12.159.101:80

Request

GET /gezi1.23.txt HTTP/1.1
User-Agent: RAV1.23
Host: www.eebuy.com.cn
Cache-Control: no-cache

Response

HTTP/1.1 404 Not Found

Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 08 Apr 2024 11:42:41 GMT

38.12.159.101:80

http://www.eebuy.com.cn/gezi1.23.txt

http

Internat Explorer.exe

1.0kB
887 B
12
6

HTTP Request

GET http://www.eebuy.com.cn/gezi1.23.txt

HTTP Response

404

HTTP Request

GET http://www.eebuy.com.cn/gezi1.23.txt

HTTP Response

404

HTTP Request

GET http://www.eebuy.com.cn/gezi1.23.txt

HTTP Response

404

HTTP Request

GET http://www.eebuy.com.cn/gezi1.23.txt

HTTP Response

404

HTTP Request

GET http://www.eebuy.com.cn/gezi1.23.txt

HTTP Response

404

8.8.8.8:53

www.eebuy.com.cn

dns

Internat Explorer.exe

62 B
78 B
1
1

DNS Request

www.eebuy.com.cn

DNS Response

38.12.159.101

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Internat Explorer.exe

Filesize
586KB

MD5
e760d9b22a18d4d1a60bca43adeb7b67

SHA1
5a92dc9012402adaeb858583bd1ce535e5a424a7

SHA256
130fa1c54405ffd54f83ccb8e95a67a4a190a784802a80635d09e8a338eab77a

SHA512
f8fc1eed46df8484149e74089f48d1b47bfb9ebdef489756960cf0a1c518d4f3c2cb60aa9d5fc4b5d1e074f4b94a56fe03bfada2fa53cb7756fa4e405609079b

Download Submit
memory/1980-0-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1980-1-0x0000000001CF0000-0x0000000001D44000-memory.dmp

Filesize
336KB

Download
memory/1980-3-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1980-4-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/1980-5-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1980-2-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1980-6-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1980-10-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1980-9-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1980-8-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/1980-7-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1980-11-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-14-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-15-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-16-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-17-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-18-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-19-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-20-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-21-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-22-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-23-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-24-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-25-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-26-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-27-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-28-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-29-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-30-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-31-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-32-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-33-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-34-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-35-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-37-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-38-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-39-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-40-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-41-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-42-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-43-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-45-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1980-46-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/1980-47-0x0000000001CF0000-0x0000000001D44000-memory.dmp

Filesize
336KB

Download
memory/1980-48-0x00000000032D0000-0x00000000033D0000-memory.dmp

Filesize
1024KB

Download
memory/2616-49-0x0000000000330000-0x0000000000384000-memory.dmp

Filesize
336KB

Download
memory/2616-50-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-51-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-52-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-53-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-54-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-55-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-56-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-57-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-58-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-59-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-60-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-61-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-62-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-63-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-64-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-65-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-66-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-67-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-68-0x00000000031B0000-0x00000000032B0000-memory.dmp

Filesize
1024KB

Download
memory/2616-116-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.