Analysis

  • max time kernel: 150s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-06-2024 23:55

General

  • Target: 0477c3037164924dea29a1a930f3ef90_JaffaCakes118.exe
  • Size: 2.6MB
  • MD5: 0477c3037164924dea29a1a930f3ef90
  • SHA1: 202deec08cecd0f4d1148a0e96c244da75bb9b8b
  • SHA256: d893c67791b97ddccc765bdb90b19041d518a5ba2793057169dd480e68a6b74a
  • SHA512: 912370efab3bda758a02a00328829b1d5129ff6f9c255ffab8c18d2254b87a34bf8143ede276fef6749e4197096cb9732bf5daa8f8faecc1760122d96821c0e4
  • SSDEEP: 49152:4oacvNZ+7u5X6wgT5YHNaJqDK5FaioabBrkmIdgqFjFtmaAAjp:9Z4u5KwS5GNaJqDKjaiLbBrMNFtmaAAN

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0477c3037164924dea29a1a930f3ef90_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0477c3037164924dea29a1a930f3ef90_JaffaCakes118.exe"
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\errorPageStrings[1]
    Filesize: 2KB
    MD5: e3e4a98353f119b80b323302f26b78fa
    SHA1: 20ee35a370cdd3a8a7d04b506410300fd0a6a864
    SHA256: 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
    SHA512: d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\httpErrorPagesScripts[1]
    Filesize: 8KB
    MD5: 3f57b781cb3ef114dd0b665151571b7b
    SHA1: ce6a63f996df3a1cccb81720e21204b825e0238c
    SHA256: 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
    SHA512: 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

  • \Users\Admin\AppData\Local\Temp\E_N4\EXMLParser.fne
    Filesize: 96KB
    MD5: 6cdb86e0200849f6ad365a36b2c0e5a7
    SHA1: b037180c1624f6f6cbaa2b73abc1d50a49ecfeb8
    SHA256: 5925038dc68aea5e9ef509bc05d26d9c9c170c868843076fa2d4f0021a99f74b
    SHA512: 17b41bf8616b8244261d7978a8d2501bf5bf87770895c0c26c96bf7dd5f1b94b2de864b0728ccd101b67ad3f444a77550dd315e535a4975dc543090793d6df0a

  • \Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne
    Filesize: 212KB
    MD5: 4c9e8f81bf741a61915d0d4fc49d595e
    SHA1: d033008b3a0e5d3fc8876e0423ee5509ecb3897c
    SHA256: 951d725f4a12cd4ff713ca147fa3be08a02367db6731283c3f1ba30445990129
    SHA512: cf2c6f8f471c8a5aad563bc257035515860689b73ce343599c7713de8bc8338a031a722f366e005bc1907d6fc97b68b8b415e8ff05b7324fb1040c5dc02315d7

  • \Users\Admin\AppData\Local\Temp\E_N4\PBShell.fne
    Filesize: 36KB
    MD5: ae663d23828e2c0873fb294a8a2a21d1
    SHA1: 2edd95515215170f2e5dc2428ac631b5aa2ab681
    SHA256: 21970bccf9c8dd23cbf36b5f5bca9e6bc32335bcfb5e19d2f97a1b2ee2eefa96
    SHA512: 70225619899266d7a307f6eeab2f4c709f48b66c57a2266143c787b984209d454634daaaf9165025e850fc3de8e10a968b900c80d89389ef848551b0701ef311

  • \Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne
    Filesize: 328KB
    MD5: cbd788f4c71b9776660d6e8473ae0e09
    SHA1: 0189cd47bfa5d1cac0d7f1a33953d279f60b02bf
    SHA256: db0a6d7b75503daaf93c8e62ce67abd3afd57daaef4a448ec25a43d1de69e47e
    SHA512: 84bc02c67e3a3a9f77418b25afe7ec55e5bb5ca5a6c05503d94dffa57a30c7608e79bb4f83fe91c39ccce16872df2b3f9e7e5a8eafb4f563b1f961b93e9b8c94

  • \Users\Admin\AppData\Local\Temp\E_N4\eNetIntercept.fne
    Filesize: 156KB
    MD5: ca08022deda03a89eb0f3232b265bca6
    SHA1: 29a3585b6c524a28fd272214691b65a48b7027b1
    SHA256: 00a98605d8ee60639c8de56862a50f1adf3f83e265ab636f98c017b719b013bf
    SHA512: 65587c3c0a3d0feaf1aa7c676626ae0a8bd158595af4e855cf7588ef8a831903350a756dd2f8010dda10173abdb1418751e92c509c6b74a3b829465ab5030c15

  • \Users\Admin\AppData\Local\Temp\E_N4\iext.fnr
    Filesize: 216KB
    MD5: cba933625bfa502fc4a1d9f34e1e4473
    SHA1: 5319194388c0e53321f99f1541b97af191999a09
    SHA256: 25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013
    SHA512: f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

  • \Users\Admin\AppData\Local\Temp\E_N4\iext2.fne
    Filesize: 460KB
    MD5: 6eb20bb6cafd6d31e871ed3abd65a59c
    SHA1: ae6495ea4241bcde20e415f2940313785a4a10d2
    SHA256: 2b3fe250f07229eaa58d1bc0c4ac103ba69ad622c27410151ce1d6d46a174bae
    SHA512: 562edc1f058bc280333a6659fceb5a51b3a40bea7aca87db09b0cc1ca1966f26f2a7e4760b944e2502e20257544f85cf9c32f583f1dec06271a35dcfb8fa90f4

  • \Users\Admin\AppData\Local\Temp\E_N4\internet.fne
    Filesize: 192KB
    MD5: 0503d44bada9a0c7138b3f7d3ab90693
    SHA1: c4ea03151eeedd1c84beaa06e73faa9c1e9574fc
    SHA256: 7c077b6806738e62a9c2e38cc2ffefefd362049e3780b06a862210f1350d003e
    SHA512: f14dfa273b514753312e1dfc873ac501d6aa7bbd17cd63d16f3bcb9caddcb5ea349c072e73448a2beb3b1010c674be9c8ad22257d8c7b65a3a05e77e69d3b7a8

  • \Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr
    Filesize: 1.1MB
    MD5: 638e737b2293cf7b1f14c0b4fb1f3289
    SHA1: f8e2223348433b992a8c42c4a7a9fb4b5c1158bc
    SHA256: baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b
    SHA512: 4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

  • \Users\Admin\AppData\Local\Temp\E_N4\xplib.fne
    Filesize: 48KB
    MD5: 37a58e1c5ce48e401ee8dd1d1da54814
    SHA1: a87d00d78838c2d968b72330ee6f21f69b2caae5
    SHA256: 1c426928fb90bedb31fcffa0f3fbe7bdbca4259f93f5abdefed6a9a089f2982c
    SHA512: e85052fc305040bdcaf47262e0ce6eef0848b319baac72a076dc94e7d20ea7ad8fbdd7d5381606a3154ab84fe81429bb339123ac1cd94551b1dc9cecfb7a08bf

  • \Windows\SysWOW64\ESPI11.dll
    Filesize: 120KB
    MD5: c3adbb35a05b44bc877a895d273aa270
    SHA1: 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
    SHA256: b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
    SHA512: 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

  • memory/2344-72-0x0000000006FB0000-0x0000000006FBD000-memory.dmp (Filesize: 52KB)
  • memory/2344-0-0x0000000000400000-0x000000000059F000-memory.dmp (Filesize: 1.6MB)
  • memory/2344-74-0x0000000006FA0000-0x0000000006FA3000-memory.dmp (Filesize: 12KB)
  • memory/2344-18-0x0000000000380000-0x00000000003AA000-memory.dmp (Filesize: 168KB)
  • memory/2344-76-0x0000000006FC0000-0x0000000006FFF000-memory.dmp (Filesize: 252KB)
  • memory/2344-28-0x0000000003070000-0x00000000030A8000-memory.dmp (Filesize: 224KB)
  • memory/2344-80-0x0000000007000000-0x000000000701E000-memory.dmp (Filesize: 120KB)
  • memory/2344-68-0x0000000006E00000-0x0000000006E83000-memory.dmp (Filesize: 524KB)
  • memory/2344-83-0x0000000007020000-0x000000000702C000-memory.dmp (Filesize: 48KB)
  • memory/2344-24-0x0000000002740000-0x0000000002784000-memory.dmp (Filesize: 272KB)
  • memory/2344-88-0x0000000007030000-0x0000000007051000-memory.dmp (Filesize: 132KB)
  • memory/2344-99-0x0000000007020000-0x000000000702C000-memory.dmp (Filesize: 48KB)
  • memory/2344-98-0x0000000000400000-0x000000000059F000-memory.dmp (Filesize: 1.6MB)
  • memory/2344-121-0x0000000007020000-0x000000000702C000-memory.dmp (Filesize: 48KB)