Analysis
max time kernel: 138s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 00:18
Static task: static1
Behavioral task: behavioral1
  Sample: 9c6af1d009d361c73877d55a3364c2c7_JaffaCakes118.html
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9c6af1d009d361c73877d55a3364c2c7_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
Target: 9c6af1d009d361c73877d55a3364c2c7_JaffaCakes118.html
Size: 154KB
MD5: 9c6af1d009d361c73877d55a3364c2c7
SHA1: d70945db90c1eaab98cf4c9f4e9efc3b56917b7f
SHA256: 8f1a0bfe8e0b37e0f6f820f8b05ac62a20ebde90da1ef331d0305768a0e8fcab
SHA512: 3187e9e8c2885c86a043b7004165ff996487260b9cb816059a25445a26ddeca89c02a2768ebf10633054652b8d12a3bd3b7436620451d5c244cdb4c2511418f1
SSDEEP: 3072:i57Pc2MNsD1syfkMY+BES09JXAnyrZalI+YQ:i5cGD1RsMYod+X3oI+YQ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes (pid / process):
  1044  svchost.exe
  2988  DesktopLayer.exe
Loads dropped DLL (2 IoCs)
Processes (pid / process):
  2620  IEXPLORE.EXE
  1044  svchost.exe
Resources matching yara_rule upx (resource / yara_rule):
  \Users\Admin\AppData\Local\Temp\svchost.exe  upx
  behavioral1/memory/1044-483-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1044-492-0x0000000000230000-0x000000000023F000-memory.dmp  upx
  behavioral1/memory/1044-491-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2988-495-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2988-497-0x0000000000400000-0x000000000042E000-memory.dmp  upx
Drops file in Program Files directory (3 IoCs)
Processes (description / ioc / process):
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\pxB931.tmp  svchost.exe
  File created  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  svchost.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid / process):
  2988  DesktopLayer.exe
  2988  DesktopLayer.exe
  2988  DesktopLayer.exe
  2988  DesktopLayer.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
  808  iexplore.exe
  808  iexplore.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes (pid / process):
  808   iexplore.exe
  808   iexplore.exe
  2620  IEXPLORE.EXE
  2620  IEXPLORE.EXE
  2620  IEXPLORE.EXE
  2620  IEXPLORE.EXE
  808   iexplore.exe
  808   iexplore.exe
  2044  IEXPLORE.EXE
  2044  IEXPLORE.EXE
  2044  IEXPLORE.EXE
  2044  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description / pid process -> target process):
  PID 808 wrote to memory of 2620   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2620   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2620   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2620   808 iexplore.exe -> IEXPLORE.EXE
  PID 2620 wrote to memory of 1044  2620 IEXPLORE.EXE -> svchost.exe
  PID 2620 wrote to memory of 1044  2620 IEXPLORE.EXE -> svchost.exe
  PID 2620 wrote to memory of 1044  2620 IEXPLORE.EXE -> svchost.exe
  PID 2620 wrote to memory of 1044  2620 IEXPLORE.EXE -> svchost.exe
  PID 1044 wrote to memory of 2988  1044 svchost.exe -> DesktopLayer.exe
  PID 1044 wrote to memory of 2988  1044 svchost.exe -> DesktopLayer.exe
  PID 1044 wrote to memory of 2988  1044 svchost.exe -> DesktopLayer.exe
  PID 1044 wrote to memory of 2988  1044 svchost.exe -> DesktopLayer.exe
  PID 2988 wrote to memory of 1752  2988 DesktopLayer.exe -> iexplore.exe
  PID 2988 wrote to memory of 1752  2988 DesktopLayer.exe -> iexplore.exe
  PID 2988 wrote to memory of 1752  2988 DesktopLayer.exe -> iexplore.exe
  PID 2988 wrote to memory of 1752  2988 DesktopLayer.exe -> iexplore.exe
  PID 808 wrote to memory of 2044   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2044   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2044   808 iexplore.exe -> IEXPLORE.EXE
  PID 808 wrote to memory of 2044   808 iexplore.exe -> IEXPLORE.EXE
Processes (indentation shows parent/child depth)
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9c6af1d009d361c73877d55a3364c2c7_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 808
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:275457 /prefetch:2
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2620
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
          PID: 1044
            "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory
              PID: 2988
                "C:\Program Files\Internet Explorer\iexplore.exe"
                  PID: 1752
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:808 CREDAT:406536 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 2044
Network
MITRE ATT&CK Enterprise v15
Downloads