364a4abb2ddafb2981c91f0ef0fff22dae4e2dfd7070d488ecd03498cc9ff075

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 11:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe
Size

130KB
MD5

059a626745ba27071dc8c1f852563c66
SHA1

334bdfe012934eb863d35134b492c8b4fe1e6e37
SHA256

364a4abb2ddafb2981c91f0ef0fff22dae4e2dfd7070d488ecd03498cc9ff075
SHA512

d1a16491bbb665ee6263d05a98b71f978fc02ce89fdb80981dc2ca27f6ba273ac80acb993beac11a9c9ea777f1baa85e8d6469f5242ceea882c657a4599ab359
SSDEEP

3072:bGMFQazA8UyCvixswf2VNfDGwvgDuydoOUjc7bsaGI/5:b3FQa7XxJMvhyyOUQ7lGI

Score

7^/10

persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/108-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jmpu = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Protect\\qymn.gl, ydrv"	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 108 set thread context of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425044998"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB7C6EA1-2EF8-11EF-8C71-D684AC6A5058} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28
PID 108 wrote to memory of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28
PID 108 wrote to memory of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28
PID 108 wrote to memory of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28
PID 108 wrote to memory of 2244	108	059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2604	2244	IEXPLORE.EXE	29
PID 2244 wrote to memory of 2604	2244	IEXPLORE.EXE	29
PID 2244 wrote to memory of 2604	2244	IEXPLORE.EXE	29
PID 2244 wrote to memory of 2604	2244	IEXPLORE.EXE	29

C:\Users\Admin\AppData\Local\Temp\059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\059a626745ba27071dc8c1f852563c66_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:108
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
debc4d26371366b2ec32e53bbe7fbdf1

SHA1
3887a07aff06da3dbdfdff565ca70cfba3a03376

SHA256
75c4503eed5d3861f2ec65d8f6504524dd36b7a67d6b37cdf3f536c6585c1915

SHA512
0edb4a018ab526f2997feda7a7ddc75cb04a86c0d600d3cb6e171203f888f6cdabc5eca35f9eccc55123db1966fed64d51628cac12e20aaad52d0d39880eaf74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6804e71a15560257594428daf923696

SHA1
3bfff8edb61a94a63d0b3bbb0d2ae3f0812a4c47

SHA256
f17176daa71878c5c7fcc0c526eee74e7d2e8fcb59b20a6b6718be98c8d42b18

SHA512
abfc5331837a38742ee6ec57282fb8b5d05dfa780466fad183f670cc4e646bd93f3a9c0e496f0336f24ab4fb6ed80ccd8acfa13ad776638e17330428ad4be140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02de610d74a2eb7510365b2d56b6dad5

SHA1
db7e4fd8295b920ff4e3b64e772b7ef9574a565c

SHA256
ef334e166ecdec8bd3ed03dae5d70fcd9f2bf4e56ad0ebeef7ac63fcb5905a26

SHA512
7cc567714fb2688144d40764c6d29e08aec727e854837c0b019d16b5d4f97116a883977e25580b07f7240c86dd17caa68dfdfc65363e1be13175942f4613d4c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcfe0fd2438051f33c07ff07c54939f8

SHA1
e3f0da4ed9b17938520e70f66e8c0f980c43a6b3

SHA256
9991906b7a90c032608b9ced6be58f9a80fc557eae41f861ec6848b62aef1249

SHA512
4cba49c8acd0f7239d23535c8589e08b78fe35c7a2324be8d2e5aeca4af883fad6bf801c4e5b73617bf63da6937aeae1a30e9ae085d642d2d9c49b654c881c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ead5b944444b33fad33039ecb1d7f5

SHA1
f8659d225630b926d895a47d331503b9b7eeb1ff

SHA256
13470317c17572b35697d8e8d735e882daa7899be3c23a9034e72ff57e5b4691

SHA512
ec208b350abec0a74918a9a824dfcb231046566dcab7e8e889a2ffd5eb404ede86aba0cf955c11911384cbeac6f7b4c60d5644416e21db1ccd6499791ba5c69b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
747b9378a6876863606b9edf76b81a8d

SHA1
87e80bcfd356b4ae893a1c014f65cf2f72b800dd

SHA256
71089f927b7a62ab6af52b37d1f844c821d9b46943354a95f928fefe5a63ce77

SHA512
fda254d6fb87eb8ff5344dd1b14e5940ce1013deb87c345d49e33a1b3d15d4851ff08e03adab9f7bd4aed63c823b49f7f11032ecbaecea8ab3537dd320cdba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b17184f7a5e57ad62c35a148ad9adf2

SHA1
0f85642d2804096ae4f90080a46d811079c8c2fa

SHA256
17ae7ac5f75bb6303065fbb9c34048784a1a4209e5d1146d2245d395e0bb4468

SHA512
2dba9509611877327e139f0691142c340f97266f6459057cf188ea6baae6e64e4f73b87bb918e63fcdacedde81455cc635bbffb0afefdf1a7a4ba1039d2c437d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d460d41e6cf795ebdcde7449afe75787

SHA1
07d8a1c3d8d70c5fe78fb84c9ccc87dfe93e7355

SHA256
7cf93ec340bd8bee7b51003518aea1b474f30131771dbcca03d3114b3c6dd490

SHA512
6397cb076c7a234aa4a0416982ee692b35da7b4e4d0710def3e490eb1a4deb10c81679ce2fc082598f590423283473bcb2e4849643e807ea5ebe8f1a016e70f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3eeb3fcce0bedf7db989c346deb8e00

SHA1
333591de77ec7ee430b7171ec9361edc8f7334e9

SHA256
00404ecaf027bf65f1aea6d92118869271312aa4d8c08096b0d63ec4d3a22b25

SHA512
231a6c5fa4cda57ed2c6d1a051a15df599f35988c1404ffbdd7411218e458abfa6b8489cc97d12c2740ba8eaba3b07aa30677718744a604d1bdb93734235b307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5d6968298b2fbc855c47336501179af

SHA1
09c355fdcf032bfa25cf8e69bbfee2cb2fc34a44

SHA256
d651748ec3f7968d437bcfc11ab6129898e21e01c02d00faaf5aff1f4c6643ff

SHA512
4076288b01e1c0b64bb28578156d69c07649209a5ba52243bd14522deb298785c8c717bdfae6338f773b9664ba6677402aa39f2c257a2866d645bf8a710f1b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f810453c26f34bf2262ca5188d471d52

SHA1
2febd8ec5c6e6ffd76a17f232a25002024cc18eb

SHA256
64ddbaf639a75e35754cc99f60f737c23d1205ca4f9506c5619bb3db6809356b

SHA512
4f0123396d10887bbb55eb98fda7575b0edc82c93e60353d2bd7731a547bd2be2298eebe21c4e713f7172323104756e4222ca708b83c590e1c1d70a09e5dcc30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08fd60ca3a83d0cc9c19701bc468d194

SHA1
9a7cace14a3eebce205260f967e6547624501375

SHA256
1869fad62e39b87d01f78a15a15f3a62f31fb88e78c6819eb008ec287dec191c

SHA512
1a4e10f67edf1bd909c6211267e3bccc4a928e80e2938bb044752f17956f72292b0783ca4ad51926c04b05f1b2134b6a66dfd057a05959081bae6410dee591b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e12f83e3ef5934b10413bd1190915a7

SHA1
ee44b2a583e8c2f307713b235b4fb77b3ac0f177

SHA256
6adb519c04ef624792e98154a0d62b7985ba2b1283fb17a72ee97e4ae73153b6

SHA512
263670e002e9e3ffb8c8e88fd2a7f3cca6ad921bd128a2cd972e9cc9156e549f069ae0b414781b4e9267e58fc4df922b95b588d433fad4132cde39b5b19e5b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab341D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar356C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\qymn.gl

Filesize
66KB

MD5
3a440faa714a83145844c20be09f1b43

SHA1
271c7d69c81652a5825c74220bdc4d88c4003164

SHA256
2dcc0aac709b1597880fc1bedcd082b31fae901aaf7e71a5dbea105c12968a67

SHA512
32ef166edc39448b28ac56b10619fe6817977681368a3bd57dc777b4b9de8e9dbdfe18d75b73bf36ad346b9161b30bf6276e5557c3140fea5f58d83fc559a912

Download Submit
memory/108-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-2-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/108-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/108-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads