90ca76a7986edef28c7d78dc46d7610370b1cb5824eadd2439353290fad6d02e

Analysis

max time kernel
149s
max time network
168s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe
Size

30KB
MD5

f74d1031511b6aa62d1639132c8ccbc2
SHA1

c1a57f94a5b77ce3019a84d6ce37af26e254b6a9
SHA256

90ca76a7986edef28c7d78dc46d7610370b1cb5824eadd2439353290fad6d02e
SHA512

0e023343524c4be05ad591356ea42ec05e18ee009a66977233c6cb0ef6d1cf0cd2db02f2dc1a12a18ac93c557ad26ff249d7d8d3b94767e7c539d6f6c29b909c
SSDEEP

768:1qa4/tG4fexLDlpCtxs7qvUPq97q2mUtoOnRTfSU:zsexLvCtxnvdq7UtoOnRTa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1752	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winadr32.dll	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winadr32.dll	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419577717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39E46B31-FD3F-11EE-9183-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1976	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1976	iexplore.exe
1976	iexplore.exe
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2860	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2860	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2860	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2860	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	28
PID 2860 wrote to memory of 1976	2860	cmd.exe	30
PID 2860 wrote to memory of 1976	2860	cmd.exe	30
PID 2860 wrote to memory of 1976	2860	cmd.exe	30
PID 2860 wrote to memory of 1976	2860	cmd.exe	30
PID 1976 wrote to memory of 2392	1976	iexplore.exe	31
PID 1976 wrote to memory of 2392	1976	iexplore.exe	31
PID 1976 wrote to memory of 2392	1976	iexplore.exe	31
PID 1976 wrote to memory of 2392	1976	iexplore.exe	31
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 1976	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	30
PID 2244 wrote to memory of 268	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	34
PID 2244 wrote to memory of 268	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	34
PID 2244 wrote to memory of 268	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	34
PID 2244 wrote to memory of 268	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	34
PID 2244 wrote to memory of 1752	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	35
PID 2244 wrote to memory of 1752	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	35
PID 2244 wrote to memory of 1752	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	35
PID 2244 wrote to memory of 1752	2244	f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gosD643.bat"
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38adf2ab9d1b83db4e55fe5c3bd251b0

SHA1
f4eac7992dbc22d0ae59daf1f6228902633e2473

SHA256
556acd321b9a700bfd9ba07ec6aeb7532e2def70d402a9f5f82658b99d78e3e4

SHA512
258247dd177397d9b9a9bfe5010334bde5a077299b3b762b5b34f587d781c9d092f6d3f8b1bea9b84041ef6d602d1fc3f4a6ab80d8cc3acc0d01b5b6d11cd096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f63341e6ee1f7f280d8c69b80ad2eded

SHA1
cc3268e25e958390f09008fc6a8943b35280485c

SHA256
a936ef3dc9b056da5bcd6d4c22b7a004493fdac0f516a2fb448c72435a29ba13

SHA512
d9a5a165e3396b1a44a9e67c31680987f7c229672fc4f395426a3e51840e49ef31c2f4ca1d9ac64391d20debfef043f7a67a5818675be7ec2e777af3193bd852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74c35fbb5061f8249d48e6fb40e91f52

SHA1
f71cb412606a0503f01cf1849f5d42427a1a92b9

SHA256
6a2b414be873104fb4acf4b8bd24a75c2ac069080da4f960f8b51c61bf5999b8

SHA512
87aca8c1e958be374539391f5e9cf47962b9bf39495b5cf133cdfc3b6b14c16054009ab01bb7fa57bdbc2c11a933a19eeac63e0232b410a12610f6580f7d4d73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c54943e64813fd76e91a23cdd589600

SHA1
b01ab37ec42433fd5ebb48ffbdc9192b276a68ff

SHA256
61b06696fdb72d4b1f533bd34c687858559a841be2d266c53498fe199865bcdc

SHA512
fe3e0c299ce4126d40d60ba186e0c7833e747f340b4234dd4627e5b0621d6571a1a87e2d607edfda430ec85bf7e57e06d9f3d2c710dd4e79ea009825ecf0adc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0fae0431a9cfeac93dfa7c917169ff35

SHA1
cadfe37db9eac45e1cd6572f580f40175d88f7d6

SHA256
5aee6a6cadac86850dd1832097f509d3f12422d3443e2ddb3828d30d287195fe

SHA512
9434a7de0739815a03c3c0ceccad6ad1e98d1d1e5764fe7e677d79396b6456559ae6807750c6f3e8873042c0baed735ac2d33d25ccb9ca30bdb64d919f901301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1772e796666a456d6c6f12dae4e12802

SHA1
ea1e6d65103257958abdde1f80d9a4d6837b814b

SHA256
0f9df15ac0402be54a914c0e61f42bef4fd7908c278fc259ed6be800fea98cdc

SHA512
91563b565305f9bcb83ac68c36cc5ff9f693ad925d9998243ec7fc411a7115d6f88219c5a00336bee95d9ce6316a4fc6e4558de973c35d6d3835f307020b5c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dbc7d1319d7f3ab836a4a069ee4b6f3

SHA1
58e04791a27e93905de8511cce4475cfa1d450d1

SHA256
7204da9c56f90624c3417e14d017ac9ab515f944ff5afc6ffd97fea645fc29bc

SHA512
ae7ec47b1fb42ea6ec6c68d9ad87370786265ffa7168651f1513feb5452c44c25844bd44db99a684be9a5f85ceb134dc6f42b6167eb426d29a15892e93b1e436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2842135e10d4902e40ecf0edc46eb79

SHA1
f8d975303af13ff3c125c56572727cde9dd5c5a5

SHA256
e9eead0744836adca392649670591234ad1ef104a8a34f93dafdd4ffe0857c9a

SHA512
2517c592e07d10fc1dfb8230a36e86415429019c155e45f5a3f804ea06c843fb12f9fcf5da608498a14c022f3eaedf2d497da5ad2c1cf090bc6f0bc6dd4fa2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9af9780c3d1511458b78c574deadcb7c

SHA1
0e887bc083e414531849df8fdcc4ff347d00a7cf

SHA256
a707d63287cadaaffa1df6c586e6e46ff997cbd9163715bcc54b566bce9d65e7

SHA512
c71a1358a601fd50c9395ed4f41484ac2a10ef2e9df855f0b5463724f1c1ab6b9fa0c99da644f56284af61660ae9112334a8eb1f54d785688a32a7ff6c18ed62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cab3a7ce70e008ec388d5c95c45590b

SHA1
e9e28fd3fb0250fc58865ea44594f81faabf11ed

SHA256
25bd97ff16b550c6aec5fca2c3f2343c855df8e233fd08a1b1e35e3c4d0e5e66

SHA512
a67115b14cc0630d6da85329ede9d33a047bbdac6143f27d41a522ab8a6eb1af28c59752b7c49877b7f5d6363921dd99105fc9d2cbb9b39baa26178f62683e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93204cde7306de9e435733c0bfba1d66

SHA1
9886c6e87a48dee9ceabd1ad88bb55b21bb4d980

SHA256
0e58e320270e985e88bc2edfe5cbd12826f62714470d08f6844fd891dadc45ee

SHA512
6b4c5563a30eb29ebb8c153096308da29bdd15c29d36a726192005570a130ea71a6bc00965dcd7ef947ea0a5496ce5cd3d4736a0b8eddeeefd9fae9849a2e096

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9FC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB99.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f74d1031511b6aa62d1639132c8ccbc2_JaffaCakes118.bat

Filesize
307B

MD5
6bc91bf707f40cbbf39950e426a03e22

SHA1
127e1e974524a78445220e9e0cc7c013f44ffbcd

SHA256
bcba26450d133aa9c613fdab6b1efc8237ee7a07dbfcd2251a6fd28eb61a98e2

SHA512
afb69ce0d1f1cd8e4b62e15c21d6003003f9be86ea9aa7c58d57464433de8b5b12ba0eb046bb15266051d3fe972502f6862ea0ee1bb60d864071a106825cc649

Download Submit
C:\Users\Admin\AppData\Local\Temp\gosD643.bat

Filesize
190B

MD5
8464e1135b92bc64ae71f41be0754318

SHA1
7de12520134eef96ca72cf41f2a6ed513bf52de2

SHA256
ffc3dfce205c31eb73d1e5b3c5afe257ce53a3603b05dc199efef30c07d93cb3

SHA512
75d94a4fb1815e72eabb218b7000d8031b0a8e3a3bd6818d1281b8f3339963544d6675fe38c7fcc347d35b897d5d9049bc2c0e7e3ffc717e0a4412010c5239f0

Download Submit
\Users\Admin\AppData\Local\Temp\gosD643.tmp

Filesize
21KB

MD5
4fbb0caa9d2d58fcba705997b9f4b101

SHA1
4f49d8ef409b5ba8de43c78a95eb0deae70a840d

SHA256
f7058cca7a2ba7f06dc22ee74c8f6c772838f0965acf5f5c83f7bba413033a22

SHA512
a307f71ea960b003a14d89701d49f66c209a0af6f3d76f588467c8b46ec79c0345ff115958ebde4e2842e07a170b4b9321e1ec8147bedde121fcbb73d8507ed5

Download Submit
memory/2244-1-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2244-40-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2244-42-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2244-41-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2244-9-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/2244-5-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2244-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download