Analysis
max time kernel: 136s
max time network: 141s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: 89b4848e2dd001a183a1e420be5dea57_JaffaCakes118.html
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 89b4848e2dd001a183a1e420be5dea57_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
Target: 89b4848e2dd001a183a1e420be5dea57_JaffaCakes118.html
Size: 157KB
MD5: 89b4848e2dd001a183a1e420be5dea57
SHA1: 8bbdaac5eca4aef42d83cc810947e429df09c54c
SHA256: 93079f3d1ead4fd102c63ebb22eadf0947b361839cefcf7f8d8641917c2c3646
SHA512: b1b13ef4f51ef8c08f09d2d7b9dac63929daaf7c46cb68612a1d68e19246907a05de905f13f39bcaebabaa90240343857e00964cb5a643de34586bab1af670f5
SSDEEP: 1536:i/RTIWchwDhsamyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrk:iRAShsamyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures

Executes dropped EXE 2 IoCs
Processes: svchost.exe, DesktopLayer.exe
pid   Process
388   svchost.exe
2116  DesktopLayer.exe

Loads dropped DLL 2 IoCs
Processes: IEXPLORE.EXE, svchost.exe
pid   Process
1268  IEXPLORE.EXE
388   svchost.exe

Processes:
resource  yara_rule
behavioral1/files/0x0035000000016d11-476.dat  upx
behavioral1/memory/388-480-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/388-482-0x00000000001C0000-0x00000000001CF000-memory.dmp  upx
behavioral1/memory/388-483-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2116-490-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2116-494-0x0000000000400000-0x000000000042E000-memory.dmp  upx
behavioral1/memory/2116-493-0x0000000000400000-0x000000000042E000-memory.dmp  upx

Drops file in Program Files directory 3 IoCs
Processes: svchost.exe
description  ioc  Process
File created  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
File opened for modification  C:\Program Files (x86)\Microsoft\pxBCAB.tmp  svchost.exe

Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15D73051-1FE6-11EF-B35F-5267BFD3BAD1} = "0"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423387723"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
Key created  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  iexplore.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"  iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: DesktopLayer.exe
pid   Process
2116  DesktopLayer.exe
2116  DesktopLayer.exe
2116  DesktopLayer.exe
2116  DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe
pid   Process
2180  iexplore.exe
2180  iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid   Process
2180  iexplore.exe
2180  iexplore.exe
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
2180  iexplore.exe
2180  iexplore.exe
2912  IEXPLORE.EXE
2912  IEXPLORE.EXE
2912  IEXPLORE.EXE
2912  IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, svchost.exe, DesktopLayer.exe
description  pid  Process  procid_target
PID 2180 wrote to memory of 1268  2180  iexplore.exe  28
PID 2180 wrote to memory of 1268  2180  iexplore.exe  28
PID 2180 wrote to memory of 1268  2180  iexplore.exe  28
PID 2180 wrote to memory of 1268  2180  iexplore.exe  28
PID 1268 wrote to memory of 388  1268  IEXPLORE.EXE  34
PID 1268 wrote to memory of 388  1268  IEXPLORE.EXE  34
PID 1268 wrote to memory of 388  1268  IEXPLORE.EXE  34
PID 1268 wrote to memory of 388  1268  IEXPLORE.EXE  34
PID 388 wrote to memory of 2116  388  svchost.exe  35
PID 388 wrote to memory of 2116  388  svchost.exe  35
PID 388 wrote to memory of 2116  388  svchost.exe  35
PID 388 wrote to memory of 2116  388  svchost.exe  35
PID 2116 wrote to memory of 1580  2116  DesktopLayer.exe  36
PID 2116 wrote to memory of 1580  2116  DesktopLayer.exe  36
PID 2116 wrote to memory of 1580  2116  DesktopLayer.exe  36
PID 2116 wrote to memory of 1580  2116  DesktopLayer.exe  36
PID 2180 wrote to memory of 2912  2180  iexplore.exe  37
PID 2180 wrote to memory of 2912  2180  iexplore.exe  37
PID 2180 wrote to memory of 2912  2180  iexplore.exe  37
PID 2180 wrote to memory of 2912  2180  iexplore.exe  37
Processes

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\89b4848e2dd001a183a1e420be5dea57_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2180

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1268

        C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
          PID: 388

            C:\Program Files (x86)\Microsoft\DesktopLayer.exe
              Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              PID: 2116

                C:\Program Files\Internet Explorer\iexplore.exe
                  Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                  PID: 1580

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:603146 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads