36ec9121089e95e782cb52f3639fba2be48e9bd40eb2aa2f84cb8c578054cee6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe
Size

2.2MB
MD5

04ba894c62fa49ade657fb8af7104073
SHA1

db9db061bbb185737dad9fff0a879256bbaf393d
SHA256

36ec9121089e95e782cb52f3639fba2be48e9bd40eb2aa2f84cb8c578054cee6
SHA512

794ab29ad156c0b8b440e7339de121673d7c849b6b75227f107ea557ea99962b6dbbe509ab48b8723b9734ba56f80bbbcf0c6df4b5eb52a22f0225c86da4c816
SSDEEP

24576:h1OYdaOTqU2Uzf5iilCfBJyIWSbDBXEZc78KU88SHJhr/zcg:h1OsdqBI5iilCfhXvPJhrrT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2488	6Q9N9zDXtfusGhp.exe
1984	6Q9N9zDXtfusGhp.exe

Loads dropped DLL 4 IoCs

pid	Process
2008	04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe
2488	6Q9N9zDXtfusGhp.exe
2488	6Q9N9zDXtfusGhp.exe
1984	6Q9N9zDXtfusGhp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VQHWFK.tmp\\6Q9N9zDXtfusGhp.exe\" target \".\\\" bits downExt"	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit	6Q9N9zDXtfusGhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command\ = "Notepad.exe"	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell\Edit\ddeexec	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell\Edit\command	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.aHTML\OpenWithProgids	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\ddeexec	6Q9N9zDXtfusGhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.aHTML\OpenWithProgids\__aHTML	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations	6Q9N9zDXtfusGhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell\Edit\command\ = "Notepad.exe"	6Q9N9zDXtfusGhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell\Edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VQHWFK.tmp\\6Q9N9zDXtfusGhp.exe\" target \".\\\" bits downExt"	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.aHTML	6Q9N9zDXtfusGhp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.aHTML\ = "__aHTML"	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\SystemFileAssociations\.aHTML\shell\Edit\command	6Q9N9zDXtfusGhp.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\__aHTML\shell\Edit	6Q9N9zDXtfusGhp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1984	6Q9N9zDXtfusGhp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	6Q9N9zDXtfusGhp.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2488	2008	04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2488	2008	04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2488	2008	04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe	28
PID 2008 wrote to memory of 2488	2008	04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe	28
PID 2488 wrote to memory of 1984	2488	6Q9N9zDXtfusGhp.exe	29
PID 2488 wrote to memory of 1984	2488	6Q9N9zDXtfusGhp.exe	29
PID 2488 wrote to memory of 1984	2488	6Q9N9zDXtfusGhp.exe	29
PID 2488 wrote to memory of 1984	2488	6Q9N9zDXtfusGhp.exe	29
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30
PID 1984 wrote to memory of 2756	1984	6Q9N9zDXtfusGhp.exe	30

C:\Users\Admin\AppData\Local\Temp\04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04ba894c62fa49ade657fb8af7104073_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\6Q9N9zDXtfusGhp.exe
  .\6Q9N9zDXtfusGhp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\VQHWFK.tmp\6Q9N9zDXtfusGhp.exe
    "C:\Users\Admin\AppData\Local\Temp\VQHWFK.tmp\6Q9N9zDXtfusGhp.exe" target ".\" bits downExt
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /u /s ".\\sNwqei0ixMfxZf.x64.dll"
      4⤵
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\6Q9N9zDXtfusGhp.dat

Filesize
14KB

MD5
eae08870e3ed410602bfc1a96fba19c8

SHA1
8ca0727764df88f0db20ecb4836caa0bf39ed321

SHA256
d5472bffe7339ecc089de59a83840bd84508a9f41abdfb16601d37ad915ed7a3

SHA512
3082f66b786f3e200587f6eb1494fad28f040a6029d22be38f4f2cf03b36bb4896646663b5d67f7c651204a3c18b2c2a17aaa2f233597e1e18eec021a4ced27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\6Q9N9zDXtfusGhp.exe

Filesize
218KB

MD5
9f6c52eec607111136cd222b02bf0530

SHA1
57f3815d0942e3b0a9bef621a7b4971f55fc74d7

SHA256
7314c47aa633946386d6d3cd7ac292974b5d457e14b053fa0ebc218d555c34f4

SHA512
6760f5f8b580f50e95a92d6baa096f8fee378047bc5833430503869db22e369ebbedad43c864ef1058a477cf4d1034c88f1f464cde467ccc904192718951ce54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\ggnhjdbbdndmiobdhbfgngncnojhngek\background.html

Filesize
139B

MD5
530e9ab1cfcfab3a616133b34d15d15f

SHA1
200f92361ed2ca7da8cedbd5d551ac6cad9a02ae

SHA256
d803bb57f99116397c1fd290f4793c45752d097056b5feb8520e67134aadfd68

SHA512
e346e6da43272493d840b98250c7f96407fe7c0546963c3521a34f6a12c74829e94facc90050855a4df4a93cbf785fc7dcb52e898ef2ccbe8e35bc3ce3cc6ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\ggnhjdbbdndmiobdhbfgngncnojhngek\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\ggnhjdbbdndmiobdhbfgngncnojhngek\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\ggnhjdbbdndmiobdhbfgngncnojhngek\manifest.json

Filesize
502B

MD5
8c0bc586dfb5cb6dfc038ed7aae2924d

SHA1
66f51aa16d26b3418fb9f2dfb204dce69bf7aaff

SHA256
0d974daeaa2bfba76a3a2054b1b9e1f8377c7b44af312cfc56ab0106d72d4a11

SHA512
ca2984c4d77fee5d4288d71488419a6966f26360c9177c88ae4168afcb09cea2d8bc5714226e2c285eee685ca95c57922523f58641b3a15aca9e81648c9e1510

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\ggnhjdbbdndmiobdhbfgngncnojhngek\pJ.js

Filesize
6KB

MD5
c0f83205fe7f97f914cd098cdaf0d0b4

SHA1
daf2d75c7af357a88e5f6dbdf06f9014178829c1

SHA256
3505f2632d6b286a66f72917e41555453848fb5fc1389c15cd6c37b57aaaed00

SHA512
25ae7e44b12d19ac5466f0923bc97eee23e92862cbee137d6420f6882aec965d3162ae980bcb2d52c1a44c21760ad42440b7303b30b5b86b91575b38dea6517c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\[email protected]\chrome.manifest

Filesize
35B

MD5
501484f42112600b12ee9951dce0f9c9

SHA1
dc18bb60bf23802feae4118dfc63c155f21757ca

SHA256
ff5d0a60c95e4a3e76d3c44eeeb523831937d5dd01b080a8bce46d30ce5dea42

SHA512
dbc06fd0277344d87e465076a70d42bf5516a79c36f106e4743939c1b5c67d5922736d05abfc40ea5ba7632fdc0a55899c3238a3f9df106b688cbf39926f14b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
273774b4dbbdaeed47e821b9b3b622a8

SHA1
8941a3d6f162da73f52a47fa7f24f3818651d652

SHA256
14f8ece704569c49d6b05f1178047f8bc174d4951e3401d285a81384b32a65a6

SHA512
2ae111cde3851105457bc1b58217b8c1cf648b794760c89227fb08f93841e827f80e58b7f4339da792a4c011360113362be31d840de7de8ffb09a0384ff7c539

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\[email protected]\install.rdf

Filesize
594B

MD5
4484428464a8ae11635a161f9c62b648

SHA1
4375356371dd1646228e388fb59139185ecb1427

SHA256
f038b7cbc62ac1e9315f371dbeedde3196ca9571bc39216f1db9639d3a57accf

SHA512
a841f12fa1a55813ae2097cff4fc85108822145ac2f69d1102cb3f5691876b4b2de9503438e90593f207b379de106faf61757a48314329532b9038e90b2e6483

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\sNwqei0ixMfxZf.dll

Filesize
863KB

MD5
283013c68dd25e2d49e6ec377dbf2c10

SHA1
2a3887c5c8ad1f709c6784bf33e1e27728908d10

SHA256
a934a8791687ef0aa895dfe552db2d81eb080e6077260f5f3dc013bab05ff180

SHA512
1432df9fa397cbdab47ccb2cac109798730521750719088e1b18c8687e2a54c2bf94ec14122780f3be8b8c73b15d8fc80954051f637160ae11bb6486c502e54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\sNwqei0ixMfxZf.tlb

Filesize
5KB

MD5
1ca45b386c7b01e1bd45ef4e291d3f70

SHA1
dcabb955bc45b182231459d7e64cba59592c907e

SHA256
495c35bf29cd1c6e4a736db79e87203b6fd0c1345343dab958e5d9a4b087754c

SHA512
87dc04954e21af239f1cd8a300d7ea34c0de9580598080df8e2e75d347ad0232770b37d648db772f5d854a553f395a1fe9c010071ee76024f64ed819371fe752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS312E.tmp\sNwqei0ixMfxZf.x64.dll

Filesize
945KB

MD5
f2a29e14713a4420455115cd439e9736

SHA1
12290f3f0009461051f884ef17f95e66c8aedcdb

SHA256
7fb7b30a16cbf65684f1dc8d5560b5e211d80e20431250eff1d1391ee8075d0b

SHA512
1a64a897ed6dfa5de6ad3695e1d43d9dd063fa6623bfe151bcfc29fe12b4fc6af51129717b495e2340e3002886478a58923823b31c9f4ceece09efd0b725ad9c

Download Submit