929435a5f3423df3469feed300627691142af912ca78ccd2f4e5e0db0ff78143

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
Size

617KB
MD5

0b1e864b222d300a39e03e7f391c76bd
SHA1

ff94e34249b1fac21c6c08a8a61c54c1fc34605b
SHA256

929435a5f3423df3469feed300627691142af912ca78ccd2f4e5e0db0ff78143
SHA512

fd219b1ec7a18adc343d3b0b8a9c70af899c7a9f0fa8932de8a4c8754dc6f714ae1ee901a81d87f0aa8a8ed7048c410c120404dd6a120b3081d428c75ce24c37
SSDEEP

12288:HZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6Q9A:HafIiy4NwdLpQ9A

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6ABC6FAB-327D-11EF-92F1-D6AA8B0874BD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f0000000002000000000010660000000100002000000046afcb45e5a73ef11efd3a2ae22e1544c852a86ca5c25e3d84c767eec59aeef3000000000e8000000002000020000000ee3edc1125dcb899fced2581ec09a2ef77460cb1e211cbd43134c8cb40df7bf920000000d5d42cd83bcee37e692f0cd4cd7d34e95e0defe4c5b3e82bb2193792ea7154b9400000007e861b06bfd1b9193b1d21ab7ce9008a549c1fe5db4a45d7ecad1abdbc12ea258f1902c27b77b5c91c742bb2d86859831a637e19730969907c36a39a0f783430	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425431850"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6ABA0D7C-327D-11EF-92F1-D6AA8B0874BD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3056954d8ac6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402a8e4d8ac6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000db28b687e40c419123c22cd107c693b09b538a7914fb570619cd8cb2074dfe7f000000000e80000000020000200000001ff7f3a97e45a80e0671f34b6f961b501e0b2f7a5f89caca55e299d9f882d14720000000150c777f224e9adc4e89bc721344e5da728201a27ab1c5139cbadd682c7226ca40000000261f6d5aa356105fd4160b8d817f56d4cb97ff050765bd207a2c744e2d43fcd93090eb4f3ed07ac4c6ab96ab01025a080cb5b19f2b47fd84f727c71c35ff0fdd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4852	iexplore.exe
592	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4852	iexplore.exe
4852	iexplore.exe
592	iexplore.exe
592	iexplore.exe
4924	IEXPLORE.EXE
4924	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE
4648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4852	4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe	81
PID 4528 wrote to memory of 4852	4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe	81
PID 4528 wrote to memory of 592	4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe	82
PID 4528 wrote to memory of 592	4528	0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe	82
PID 4852 wrote to memory of 4924	4852	iexplore.exe	83
PID 4852 wrote to memory of 4924	4852	iexplore.exe	83
PID 4852 wrote to memory of 4924	4852	iexplore.exe	83
PID 592 wrote to memory of 4648	592	iexplore.exe	84
PID 592 wrote to memory of 4648	592	iexplore.exe	84
PID 592 wrote to memory of 4648	592	iexplore.exe	84

C:\Users\Admin\AppData\Local\Temp\0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b1e864b222d300a39e03e7f391c76bd_JaffaCakes118.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.jipinla.com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4924
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?dn84
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6ABA0D7C-327D-11EF-92F1-D6AA8B0874BD}.dat

Filesize
5KB

MD5
d7c17c58d8752209bd64dc21697e4c74

SHA1
d37cc8b15ed4e5a9311b0ae7246e820a83066499

SHA256
a73127504b4dfbe410b7fb59a87a8fd6f2139451e61170090e90203bd6b9fa20

SHA512
6a221f4e90cf9535a4f09e005a7cd58fb1e3ace9d3a65bee3dca7a0091edce0190bc0de0bca64dbaf1c4a496191df392884713aa46836001fe3c5dac1414388d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6ABC6FAB-327D-11EF-92F1-D6AA8B0874BD}.dat

Filesize
3KB

MD5
b95638a963ba53362e936627b8bd8ab7

SHA1
5eb91754554aef452287f36b2bdeaab5fd11a7c7

SHA256
c7e1bc93bd33ca94e6bbf0e853bf57a89cbb33ba7daa624f9d7e293e19637dfc

SHA512
8c4f6f4b32916537cf926a82d26b08bb179cbafff95f15c63b1d3642feb6d3ca58367bb5ecc29941a1a2b3bab91cd90ee021868566cf043c645ec2a5f09d3661

Download Submit