ab4fd5fea15061692f90701564843afb89b0c7a9cbaa4c4d6fd6b13fe953645f

Analysis

max time kernel
117s
max time network
134s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 09:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe
Size

45KB
MD5

fc6ced955507cc557d6f51e230249f35
SHA1

eb0bbe7e985a8a3d0e7163eea07266bfcbf28e08
SHA256

ab4fd5fea15061692f90701564843afb89b0c7a9cbaa4c4d6fd6b13fe953645f
SHA512

ecc6a9eadcda1c285156af72240492fa66f9ab91bcd604519b14b5cb1a01793195d41bcb9a4ae8e267cf7e4c791b362b02de745768de720355f11d945ec7f90a
SSDEEP

768:Bf3MrANb/2E1LM03FaTFwfSdvjsdnDTiunxlrA5AZlmD/e7Y86E/:Bf3lxuuMwFaBwfSe9TxnxdUu/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E10F6AF1-FEF6-11EE-9AB8-560090747152} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419766552"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe
Token: 33	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2500	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2500	iexplore.exe
2500	iexplore.exe
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2212	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	28
PID 2272 wrote to memory of 2212	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	28
PID 2272 wrote to memory of 2212	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	28
PID 2272 wrote to memory of 2212	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	28
PID 2212 wrote to memory of 2500	2212	cmd.exe	30
PID 2212 wrote to memory of 2500	2212	cmd.exe	30
PID 2212 wrote to memory of 2500	2212	cmd.exe	30
PID 2212 wrote to memory of 2500	2212	cmd.exe	30
PID 2500 wrote to memory of 2608	2500	iexplore.exe	31
PID 2500 wrote to memory of 2608	2500	iexplore.exe	31
PID 2500 wrote to memory of 2608	2500	iexplore.exe	31
PID 2500 wrote to memory of 2608	2500	iexplore.exe	31
PID 2272 wrote to memory of 2500	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2500	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2660	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2660	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2660	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2660	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2544	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2544	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2544	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2544	2272	fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc6ced955507cc557d6f51e230249f35_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gos1130.bat"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\fc6ced955507cc557d6f51e230249f35_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67e5adc72b50c559a016e6e37e20ba0e

SHA1
b66ffb7c43c0dcf202fbd87bfc955fb8bb6317bf

SHA256
303cf7db5b845696203f0ddbc52e50ec63d4abec7c95300f4040049a566425cb

SHA512
584dd08a88a8507f524aa789aa2d5d21e263fa2accdc9dd9e07c7f84722025b431f87322371b66cc5b00b801bf62cc53a7ce08d5fcdd7ded9fa8cd36e6078316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3c34f1b9e3b3d2081f5ff1441367f21

SHA1
d21e5403b846328598c4e2726b0b547fcb6e4c3b

SHA256
833d427a591d2cc916b7435bd96c3e39e83764db090ef0b1e72d61a5d87e7c90

SHA512
c88c3cdd851689ae981c20f4e4578eb7018a8ac8d1512157868014f963f5fb573fbfbc2ba44c5664cf560f134c6df87c8d52e0798737194e74baffc4546d5bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4b5ced207060d34154c20313227e55e

SHA1
a1a441442e0a766a34543c3dde17be31e4da31a0

SHA256
767e3c80d15cd0fb287fd403cf9490f3b54b807048f01ff4a6ac34e82f7c6784

SHA512
0b07da058d2ac33e1460b63ccf86c48f19b2b79555a58eb4c4e6b21a255b2fe0e299e0d19612e3b9634714ec30903d285ed5aa923e329b8bf2f788a275921c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c8da7178a87b8c5c562cad910a1f77cd

SHA1
6c785db5bd9d88054ea74208baf2302550d6afdd

SHA256
d3083b0b57653c4bad7f6d517e1b0efd386afedc6ef4a311d189f5d7353828e4

SHA512
b268ca730ce6f288e892dbd887cb9650011ae42fbcfbec9bb60d0a2da0859c3c7d57459421b883a9e2dd666aad589524ef0a62c60e314cf31f05d91ae10ea335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f51e1f3587f28bf197e7ca103c68332

SHA1
b21353189b6d0c9ac17311585a16dd997dc010a9

SHA256
466e7c3f0ade398c613ee1e435cfc98753f7a82fc18f0c80f1fb5f6c6b5e2084

SHA512
663fedec766fdf0b5eccc5d53d38aa4cb259067163921d333363065d789360d6c28d7b59e3e25486fcdc5ea2cb65f1dc44fee514ec0e53800d7a7ba94de5f683

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
343a2b0baf5d6603ecdefbbbba7fa66d

SHA1
dfa1ccd931522acde48806521b48062bd602ecf7

SHA256
9338a97d6eabaf515253eaea6aa97208a47a5ee8b7cbf5056a99a974b9ebae57

SHA512
c05da02965a78b54e1e04c3f757f09b1d566bed34469530052fe4e5ee414b66118b509460722e59b0dac3c03569a9139698639273d3bf00b29e0e04e22183c30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95441ccfffd4bc5ff21cf40e8df49ed0

SHA1
1c1bbcd8be6c739727abfc88806c0cf112002f6e

SHA256
6e5bcba20ebd5d89e19d448ecf3d049d5f006b5587aabfd6b4e8beca2a29dd76

SHA512
59748ea78e4b93200f229099b3a359d5673e70976c673cd8b1c8357dadfdbce978ec61a1c76d8a9660ddc1566b116e976da98a63eb5ad9c0aaa525eb5d457ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a52c34bfd5fde79dc5c6bf7a7f346612

SHA1
0368cdc07e6e11e2579cdb13f586d0b588bf2b49

SHA256
1a65b8d9936449bd5b973750ef7ac9f58997ab0a9ef9e28d9d7b1be9946a1c06

SHA512
3c3e2bed0b99deff7d4466a4e0f10bedb6bd597613f13cf419d1758c83b43b475cb5be7f6b6c6b8e72e1cbba2e7d78e6eefb4d6fc3ca8e1a483fcd828b181e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13B2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1483.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc6ced955507cc557d6f51e230249f35_JaffaCakes118.bat

Filesize
307B

MD5
0cea31769556e5c1923ab4f64f3f1a5c

SHA1
d9428d6da9e765fa5dc8317c0f66e079592825bf

SHA256
881d83a964c473f16f6e49b16ec811f2f2512e97b302047901883d058e557baa

SHA512
84fd7a3c033f48873e004db61f4662860a4550fb114526e6a20e9ce1ac793f30bae808e2f0eb10f4adf3a3ef49149ff567c4029501ca64e34356f5cbfb2ce7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos1130.bat

Filesize
190B

MD5
9b6ca4f9565907988aa627066ad852f6

SHA1
45ffa5ad3583fdb1399ef6643e3e8f2926b2e0a0

SHA256
60d323fbb327ea91f35fa643016f05dfe00be655e4e10def73bbc9f81c4c7ebb

SHA512
48f8c3738ba8147a550b3a0a30327c79c7d636c65733e0bd9c98797c60d50129dce7b8b420c7466f5549817e99d5e0a0c9348102618cbbf7196980b50ace08df

Download Submit
\Users\Admin\AppData\Local\Temp\gos1130.tmp

Filesize
26KB

MD5
048bc00a882bfcef52d32402ee08d028

SHA1
55eb4f17d179f728feeaea6905b477bfd1775fc4

SHA256
4842a5a6dd649a9eae6477efd45465b270a0ead943edf3ab081443cf76287e4b

SHA512
7df4df155c965601b142259b491955e60c92fd1dbba069b3916a768717233cc1fff1c2689fad18b1ae556065b14e9671b7e91fe75373d665c6b566a06fc37b26

Download Submit
memory/2272-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2272-38-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2272-39-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2272-6-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/2272-5-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2272-1-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download