Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
7b3da13c54f4547886e7d2f6d9f872f5
-
SHA1
429c02c764568d8a41a39f4fb1f2c408f7695c94
-
SHA256
cd59596c31ef8ad0b85b734306bde1a1fbfcc96d0f26f9d8d78bf89050a3bbe9
-
SHA512
3dbe776b8068ac3723c5b417d3794308d64e45a95fc1f976e3236ef98988cbc69fa20133ce21cb7ee207a7df407c3ec42e70d4bb2a249fee002481b4b220d819
-
SSDEEP
12288:nsM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQS:sV4W8hqBYgnBLfVqx1Wjk/
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33} 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\DisplayName = "Search" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109278" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{86584203-C5FD-4C23-8155-BE6C5D4BEB33}" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109278" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\URL = "http://search.heasycouponsaccess.com/s?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30&query={searchTerms}" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423624759" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2550029109" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C37F5825-1C91-11EF-B826-FEEB313629C0} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109278" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2550029109" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2552684550" IEXPLORE.EXE -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.heasycouponsaccess.com/?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30" 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1356 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1356 IEXPLORE.EXE 1356 IEXPLORE.EXE 2868 IEXPLORE.EXE 2868 IEXPLORE.EXE 2868 IEXPLORE.EXE 2868 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3412 wrote to memory of 1356 3412 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe 82 PID 3412 wrote to memory of 1356 3412 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe 82 PID 1356 wrote to memory of 2868 1356 IEXPLORE.EXE 84 PID 1356 wrote to memory of 2868 1356 IEXPLORE.EXE 84 PID 1356 wrote to memory of 2868 1356 IEXPLORE.EXE 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2868
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD539f991f6e6aecffbe2db5dcecf1f226f
SHA1b512ccfff1d83f102d75aa8f78df0c7051bd2df0
SHA2566911a1c252519f8cb3db2a3eead8863ae288e14c699866b2bc580cfc0f3f42a7
SHA5123d7954ad14d8361a0f9a5939c0b0290bb42fa32ac2da1a809d3985195347898f4f0b1d0c1e33d87a6d14d61c48fe3258d7820a0bece6723b0f6e18eb60307e71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5340a7d6d61faa4dc707be05545516196
SHA1ce1ebeee8666d61d125671391d2c306e87eb0f12
SHA25642eb993ff1bfa0fbde2e8b08a087cb190ec32b66bce6d0a33a02c14aeab45ae5
SHA5121518e9983574a496eeb3bbdf6fc340b1b6698a7f846d2ebdc516a0d8100e7e3a5305df17fad8e99030a43c9da9cc27970fdc71a79ac33a8bb9575ab554cdd0cd
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee