40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
Size

1000KB
MD5

e980c31b58b67d1974c265d452b41b1d
SHA1

79e3481a92d8d7262fd525fa35673b84454a0471
SHA256

40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff
SHA512

8588e6b33c53267a76468dcb21dc2e8fef2a1afdcb44a30c2d45c2c9a9d53ed1e303330161c2d5743f5a172aca1186cc8cd7dee62dd0b4d1e3bd7bec4b15c789
SSDEEP

24576:LwIjc//////YhXrZb+qbz81Fkkv5fx/ClxRJ8r627CzO6kdlVE:8Sc//////YhXrt+qFiDwFU7CpklVE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1504	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2580	ScrBlaze.scr
1948	ScrBlaze.scr

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ScreenBlazeUpgrader.bat	ScrBlaze.scr
File created	C:\Windows\ScreenBlaze.exe	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File created	C:\Windows\ScreenBlazeUpgrader.bat	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File created	C:\Windows\ScrBlaze.scr	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File opened for modification	C:\Windows\ScrBlaze.scr	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
File created	C:\Windows\ScreenBlaze.exe	ScrBlaze.scr
File created	C:\Windows\ScreenBlazeUpgrader.bat	ScrBlaze.scr
File opened for modification	C:\Windows\ScreenBlaze.exe	ScrBlaze.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\ScrBlaze.scr"	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	ScrBlaze.scr
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ScrBlaze.scr

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
2580	ScrBlaze.scr
2580	ScrBlaze.scr
1948	ScrBlaze.scr
1948	ScrBlaze.scr

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
2580	ScrBlaze.scr
2580	ScrBlaze.scr
1948	ScrBlaze.scr
1948	ScrBlaze.scr

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1504	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	28
PID 320 wrote to memory of 1504	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	28
PID 320 wrote to memory of 1504	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	28
PID 320 wrote to memory of 1504	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	28
PID 320 wrote to memory of 2580	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	31
PID 320 wrote to memory of 2580	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	31
PID 320 wrote to memory of 2580	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	31
PID 320 wrote to memory of 2580	320	e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe	31
PID 2580 wrote to memory of 2548	2580	ScrBlaze.scr	32
PID 2580 wrote to memory of 2548	2580	ScrBlaze.scr	32
PID 2580 wrote to memory of 2548	2580	ScrBlaze.scr	32
PID 2580 wrote to memory of 2548	2580	ScrBlaze.scr	32

C:\Users\Admin\AppData\Local\Temp\e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e980c31b58b67d1974c265d452b41b1d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\ScreenBlazeUpgrader.bat
  2⤵
  - Deletes itself
  PID:1504
- C:\Windows\ScrBlaze.scr
  "C:\Windows\ScrBlaze.scr" /S
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\ScreenBlazeUpgrader.bat
    3⤵
    PID:2548

C:\Windows\ScrBlaze.scr
C:\Windows\ScrBlaze.scr /s
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
fc5408c48a55314c72e200b74330cac4

SHA1
7e8889ec3189a40e6078088927bf3612753fa628

SHA256
7ea2a016d97635b1367455af2250cbf9e9c34d293829d11fc21ce905347590c4

SHA512
481753ef755c188012919ea728ea0395f22b6ce83f2f9a11675be6072f154db141b2382dc62ad7c3c95e36596529176a66f40e3d118cf0e33ea8e6f716ae1d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
727b3abea1e4dbe9f3bd2b9bf8af5ffa

SHA1
ad2de51474a2aad6a7cb988e9e9de0ce219f047a

SHA256
5a5cb2a8de094a286a808dec7fd59ffb6b4c0e53a1b5287871a6b43288fd2f2f

SHA512
8a20ff16396bc00d3b14d052b4d781f4c182d53f1ab3da600008176fa33d9b738e56c6f8ef41a78fa5705ab28fc2367a75b1db6826b2439bb7e46924414136a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f3ddb1049f0f486a9410ff5135d7ce0

SHA1
cbf26cfa253a5f0cfed57c64603c7560766ab995

SHA256
1800899e3735ef24ff08b3220161439b449821243c0501120f1afa13b719aecd

SHA512
2bffc2814dbcf06c82fdc89ebcd5a387fec93a8bd2913012555a098e4c94b425177ebc15ca45c13e7dcb394db6520ff63c68b663848bc73806f1c0392a89d428

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
936e72a7b999efbbbcc0811e0894b4c5

SHA1
8eb0a933ede8efa6bb1a4027ff91485843061bec

SHA256
b8c1c28dee0a338bb86255e1acbc4a0aeeb0adebd7e29475a5c89df71544edf9

SHA512
93be5162743f83a57f16667d1371f3545071aa83512068beee558ea037a1ec51c4d5d601f0059cdb8d9d3c05b22d8786d51a5d79fa9349b09e938b4aafc8cdda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3SGP9G0V\domain_profile[1].htm

Filesize
6KB

MD5
9c4467d1772352e4a1e991fec781e930

SHA1
dfafcc3dd22d831e69f65dc87491d1fd7cce6619

SHA256
76d9f393b3a93601997ece3c5604296cf2b79943b03b4d3ec3af2f91bc95236b

SHA512
57a1a427780ef4f4583a5c0d9e2b1b18d8562c6847b770999e71b88d8787e839d6578e7f678bf1a2f35b1b8af8045723281c8526f66d6731b201eca0be1a13d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3SGP9G0V\scrblaze_06[1].gif

Filesize
941B

MD5
564c91f113d0fbde4bcbd051806267c4

SHA1
fe5f321982741e3d322d57f1f6324b47c9e9b9f6

SHA256
bbe0351ce04159de29ea684ca739e01e9cde7f3ad9c87dcad2f7b5612b5baa1c

SHA512
c5946ad6064e25309837a414a2487a5c1a3ae1cd7a193945fcd25bcb21b327821dcf1cb07078518a97a07c8623a31dc3f665fd43d40315ca3970e2b92b59aebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6KMOG19\home[1].htm

Filesize
12KB

MD5
2159694bafab231cb4124ad3f1c6dea9

SHA1
1865e64c61cd3935b2200034276d53f70c58702f

SHA256
acff36ff6e6fd2cf4fe603a846a1d33af813d04863d0000fce720b7525535f45

SHA512
a6ef47833d9695b546e049092e664ba21ad5d5fa5e9d72eb2af5402dd4cb1164358301e4ec3d109a6e8e4db8b0dd38a50263ff9e7fec82240330b93f138819b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J6KMOG19\scrblaze_07[1].gif

Filesize
1KB

MD5
069e81b554f05e898c337755a7556716

SHA1
fa5cc6dc93a146ed21ea370826cfbf263dfb33a1

SHA256
4f7e3ee95a131f07a298c2e25a8b609a0665b9b1ffc64696136aa950dc055d9f

SHA512
7908bb06847cb04c890944acb6c47924e6065b55036435be2d0ee55337c0603386b83ae1ba07a8991e85f58ab75462525674a99b0ff75e9998b20fe98a7b6550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\scrblaze_01[1].gif

Filesize
21KB

MD5
81669519d2e40ab6dd12aa170b8e4cea

SHA1
05c8db44b479bcada4f8460cbdd89981f5c0ebac

SHA256
68efd9776e403d2b92150d7266dcc81fa8650ab163575bc42824c851309efa16

SHA512
df09843f1ff7348b5547ecce9cf47646b07075179e4270c4083dc6f76442ffd5e988f5010142a48e1d7978d22f8e292237481b5f5c6aa753272287f1603dd372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K224YIDM\scrblaze_02[1].gif

Filesize
2KB

MD5
b2e7475054308d4d2890b1429468fbe2

SHA1
8774e63707cfe5d6fca15cfa06f0d4fb8ddcddeb

SHA256
a72f06f1c39cda4f92d507e346da8334675f1da5e7cdb8b587d02bd0aadddd09

SHA512
9484e3626b4ac7a9062de5b777544fa52669630b718d86496d451ee8bb80766674d0885abf4a2e341c87dd0d64bcda9c92e337605d061bd1e83441f76e9291e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LF4IFORF\scrblaze_04[1].gif

Filesize
2KB

MD5
1ce415a470e142bf4ab70d9f9e7d0a77

SHA1
521d895938b6c79554de671b543a1b00440bd268

SHA256
d973be5262d97e2ef40db8522beead2642483e04b46cb0c9122fba6c966b27ed

SHA512
6bf9612b9fe42253811a2ee8293eb7faa33eb60f5b538e4892da9d5bcfc0b924518e935dc689e4fb6b801e5795296c5141a527e0260958622f4cdea661f7b25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LF4IFORF\scrblaze_05[1].gif

Filesize
531B

MD5
c99d0cf85fae690ba18ef4043ec1fb50

SHA1
a2cd0b943fcb5bd4cac3db4a7216ce1abbc75f11

SHA256
94361033a75af7a44e92ec411fa681a8fbfcffadb9630cec670721db5f94c5bb

SHA512
4131eacc42bd6a43ecc2fee1295debf1f9e178bd08d46b2cc9d38349a02bb2b58c668333969e0649538d34c158c0368be9a60bc63a98624232340e7ef4029513

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3EA6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7N0239W4.txt

Filesize
74B

MD5
8ee9ebf3917fa3e89e7ddde908f8af68

SHA1
f9ec9df9c7199d8f7e3e4831acf90dc0a9913214

SHA256
0f1b384d2e96be6ffe8086dd7cd9a35523571ab8e41f3251986af7c05d64fa2f

SHA512
c0daae50b0fb381b48d01df4ade92ad6768e07dc792995eb6e9c27ecf10a8d6c527816aa20567207e75e1d65e3f94127a789d53c13c064af29ec797fa6f1842b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C5X5W1LF.txt

Filesize
78B

MD5
f1844afb1ea22e54947c68aeddd583d9

SHA1
6fb2ff4a3c0acd707f5acb1ec8b08d3bff3c9162

SHA256
de03de28bfa1a890a3c6878af036797a1943edd2524c64fa6397557e6d1c788d

SHA512
8c9e9cca78a7e68eb9c52e1dfa20861689d25bcff9fbbd6a29d9ae63fa4021ecfd980808af2279753fbdd2609eb6e07ea3dfd31bb346704e4bf670b6c59ccc03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QUBD2KPZ.txt

Filesize
187B

MD5
561f09ec2c9d0dc1333ae3c81a4d4ff0

SHA1
0da872b056aa2e1f2c6df17253f08d405b6d0575

SHA256
0634450d9cdab0ee3121ddb3ab4969874221649b29c0ebd5d64056797910c3a3

SHA512
35187f8564fd645be3f13f3a1113f80cbe9141f3489462b28235692e705a1c65059d6f38581459b15c3bf9ab88a329f55ba187b3247ff81c7430f77977d5e37b

Download Submit
C:\Windows\ScrBlaze.scr

Filesize
1000KB

MD5
e980c31b58b67d1974c265d452b41b1d

SHA1
79e3481a92d8d7262fd525fa35673b84454a0471

SHA256
40b8c88a2bd6a10bb20d43efcc1d9e9c7a2ae7aa16bb72bc5a89a71076ba46ff

SHA512
8588e6b33c53267a76468dcb21dc2e8fef2a1afdcb44a30c2d45c2c9a9d53ed1e303330161c2d5743f5a172aca1186cc8cd7dee62dd0b4d1e3bd7bec4b15c789

Download Submit
C:\Windows\ScreenBlaze.exe

Filesize
2KB

MD5
07af5abade337a391ab41f0d570a259a

SHA1
4ea8c764848b79ee5d72770ce15f295c8ae4ac22

SHA256
d8f13b157bfb0bf948d07f171c336250723f86f874aab4a2056eb94c65d95e14

SHA512
b7c07d5d774e55ab09a4cf1527adb0696f132d76b5daf20df0f2b6faecc47ee6c399aacf45f499463f967424f8bad6e6c082bf1cc6391f7abb01f948fe0aeff9

Download Submit
C:\Windows\ScreenBlazeUpgrader.bat

Filesize
495B

MD5
34de790f23b844eeb353591c54f7fcfb

SHA1
1fba489a1df0caed474f0bf983b5551129335993

SHA256
b76c214f45511c48192e2303a3c86e0a393103dfd21b46d8514d432bc020f825

SHA512
01dd1108509ba287dabf90530c85b5ffb3bbf80fbbe0e97385b2270acc1c06828f5c8e752b017dc92d4bd784bd1659077f562682883417637019a3a5ea8686f9

Download Submit
C:\Windows\ScreenBlazeUpgrader.bat

Filesize
251B

MD5
1b6947de66aa77bb45467cbf8a954d57

SHA1
150df7d37acda9be67f356366ebe5c86f4e2e736

SHA256
8cb979326e5abd04737cee99e2e116567d9da9ef45b5b2008cb47ed3bc1f5e91

SHA512
4af58804e62e7b97c7ee5fada4cbdf40d7c88b3696c2f15f1d50cee33fb34543f6425eb9e52cfbb2720f6798ca5dae2ed11f2427e6ece03c59fdf3d336dbbd70

Download Submit
memory/320-23-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/320-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1948-94-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1948-140-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/1948-142-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-81-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-80-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-88-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-84-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-83-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-82-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-92-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-89-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-79-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-78-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-22-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-139-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-90-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-141-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2580-91-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download