Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 06:05
Static task
static1
Behavioral task
behavioral1
Sample
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
69fab0fe3c28cef0ac3be3e1554fe980
-
SHA1
809621f7651be4b115d1c89ef42a5001293223f1
-
SHA256
b3024ac81e9cf25e75fa15da666924bff11445895f7f1b46c4a2c21f2a9908ae
-
SHA512
431e540bc59287ab6b784c3beae913650bbc43774f75919c2ee281ccb46d1f37587926997010d74ef0f7a40ce3f3a2b1492f4b7c9fb23765056db1da1291cbfb
-
SSDEEP
12288:msM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQr:dV4W8hqBYgnBLfVqx1WjkG
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
IEXPLORE.EXEIEXPLORE.EXE69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1385899937" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108311" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108311" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7DAC16BA-18CA-11EF-B9F7-E27D0092C90A} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1385899937" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1438870055" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422606221" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\DisplayName = "Search" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\URL = "http://search.searchws.com/s?source=%7Bparam%7D-bb9&uid=32e57b21-553e-4f27-8ce1-57a9bb1ee269&uc=20180423&ap=appfocus84&i_id=weather__1.30&query={searchTerms}" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902} 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108311" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{2D7E873A-D581-4F9D-A091-BCA8579E7902}" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D7E873A-D581-4F9D-A091-BCA8579E7902}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes:
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchws.com/?source=%7Bparam%7D-bb9&uid=32e57b21-553e-4f27-8ce1-57a9bb1ee269&uc=20180423&ap=appfocus84&i_id=weather__1.30" 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
IEXPLORE.EXEpid process 636 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
IEXPLORE.EXEIEXPLORE.EXEpid process 636 IEXPLORE.EXE 636 IEXPLORE.EXE 408 IEXPLORE.EXE 408 IEXPLORE.EXE 408 IEXPLORE.EXE 408 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exeIEXPLORE.EXEdescription pid process target process PID 2420 wrote to memory of 636 2420 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe IEXPLORE.EXE PID 2420 wrote to memory of 636 2420 69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe IEXPLORE.EXE PID 636 wrote to memory of 408 636 IEXPLORE.EXE IEXPLORE.EXE PID 636 wrote to memory of 408 636 IEXPLORE.EXE IEXPLORE.EXE PID 636 wrote to memory of 408 636 IEXPLORE.EXE IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\69fab0fe3c28cef0ac3be3e1554fe980_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4176 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD501409a92b179c99711ea8c28d307d0c4
SHA1a9cc2b0c5727e2af14819f3908c4693f8e891392
SHA2563034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c
SHA5128e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD54f10c2e221200c64424fb46bb72ef69a
SHA1ea66caf80cb06d0495292ad45e262fb1ae2a385d
SHA256811f6e75ee83a355f2c3d13ed2884822ac1370f741397ecfb72e7d845c1cff3c
SHA51284924d6e1654c885d71ff9940f249f302220c0df0ff40016236c5ee1237de4bdd98b607873af2328a7747b1121fc5baa611b1a97288182fc2e0c9ffd440ad5fa