0abc15531418ac27c07cb87219faf078bfdd7a353282e743a3987e90f65f57b3

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 23:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe
Size

680KB
MD5

011eb6db7cc653369d4afdd134638130
SHA1

1874ef46eb69a8902963d60c273f3dd1486cf4a2
SHA256

0abc15531418ac27c07cb87219faf078bfdd7a353282e743a3987e90f65f57b3
SHA512

d9c5b5ce80b1160ed8c29564478c1fd754ed5350401d0c74d642b099aa9e96c7945e9fd960e5fd59aba74fafa0c16d002d5a1353f87f3abf907669e9ae7badb7
SSDEEP

12288:gzy6rRxEkVU00hr1gM+zDTFByrgOPIVYboY877j65YpPWxTVZj2QJWgVo51uIhpv:z6rT5VU0krGF0I/xPW5VhEgVoTuCbr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	CWK.exe

Loads dropped DLL 2 IoCs

pid	Process
956	011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe
2140	CWK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000008de7968252c13bc1bb55acef2d5d568d319f92887b4afff1072064e3929a4aae000000000e80000000020000200000005953c4b8213556c8966ccb9bb3d75cae1d5d7c3e9fee77176ed6fc12a2b78924900000002499677669990ea6064133fde33d726ca6f11412a7652f7d1e8cbd607caa6edee6ec7da23171597af3416f59d5e85f5e6254a14f31f830eb9729e8f9c9004d899b2a7f377456cbe01e2d39de5d07c48505df3173176ecb3ea958332c3a9fe843f09c356895c257ba2c5ee381c87c458fe817b65c8abc4c5d59a3bd789620fefe4c209d790e3f6211bb97ddf247a29806400000006d987b058416639e4bc47eb7c65c15ec56a71e9fb78b302d1909c77ce4d7b9db6481eee3cb3b3c79d5dc29c95e6c93012df802891dcebdd542c74862fccc7ea8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79DE4F11-2E92-11EF-9BF1-5630532AF2EE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425001102"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f058cb5c9fc2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000005feb86f37a154fe52657b565a85281ffa9733cfeb6057847bc81d8302827ba6c000000000e800000000200002000000093b0bc76e8f9f32453c268c376a00350453d97de5b2d6f6b6546eec819cea24a200000000be8b433e222332eb82feb413ddebaa6f75126ef05aa13bf83f80965eb82d02740000000507533ee95fcf17dba6bf422dacc4e82941debf3f81cb2337ffb3a7ec7df34af43bb7626903827dc8ee16ca70aae9146fb9105f510ce6b17c9646ac64368e540	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2140	CWK.exe
2732	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2140	CWK.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2732	iexplore.exe
2732	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2140	956	011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe	29
PID 956 wrote to memory of 2140	956	011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe	29
PID 956 wrote to memory of 2140	956	011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe	29
PID 956 wrote to memory of 2140	956	011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe	29
PID 2140 wrote to memory of 2732	2140	CWK.exe	30
PID 2140 wrote to memory of 2732	2140	CWK.exe	30
PID 2140 wrote to memory of 2732	2140	CWK.exe	30
PID 2140 wrote to memory of 2732	2140	CWK.exe	30
PID 2732 wrote to memory of 2544	2732	iexplore.exe	32
PID 2732 wrote to memory of 2544	2732	iexplore.exe	32
PID 2732 wrote to memory of 2544	2732	iexplore.exe	32
PID 2732 wrote to memory of 2544	2732	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\011eb6db7cc653369d4afdd134638130_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CWK.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CWK.exe" setup
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.happycomputer.pl/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CWK.exe

Filesize
1.4MB

MD5
9e56f56f7b32b44142bc5259350f3fb0

SHA1
7afec48478acb2584dc622924c094ffef10205ad

SHA256
4153d1fa4f7a79f676ab59e4357570266deea2ed923a51f5a8c00385bda5ade2

SHA512
3aedc4aefb066c149e44fd5d25b3ea7a72d3148c8d795862846cc95c2af601eb4ed704bbce0db97bbb7911a42bcd50cd30e55f484ee51080b7f7eba9ebaef36b

Download Submit
memory/956-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/956-18-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2140-11-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2140-14-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download