Analysis
Max time kernel: 133s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240508-en
Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
Submitted: 24-06-2024 12:40
Behavioral task behavioral1
Sample: 088fb015b5add247137b27e402d61441_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 088fb015b5add247137b27e402d61441_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 088fb015b5add247137b27e402d61441_JaffaCakes118.exe
Size: 250KB
MD5: 088fb015b5add247137b27e402d61441
SHA1: 3536172939a18651a1f85ac6e1dc42638f0136d0
SHA256: 99d8b77ef4a32159a8581cb99b234b2952f9e7d0f6ea2018524b4ca47a2c8d4d
SHA512: e2a15131e4aaf8251852d9dfddc71918702f15ae4d320182be122f5ac2dad2a9f239db93a588cfc95dfe2dcc073932c5020bce27f37fb4460b4d018e2ef9b49c
SSDEEP: 6144:ghieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:heKrJJuf86AYcwoaoSbr
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description  ioc  Process
  Key created  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Deletes itself 1 IoCs
  pid   Process
  2484  cmd.exe
  resource  yara_rule
  behavioral1/memory/1916-0-0x0000000000400000-0x00000000004B1000-memory.dmp   upx
  behavioral1/memory/1916-36-0x0000000000400000-0x00000000004B1000-memory.dmp  upx
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
  resource  yara_rule
  behavioral1/memory/1916-36-0x0000000000400000-0x00000000004B1000-memory.dmp  autoit_exe
Drops file in Program Files directory 2 IoCs
  description                   ioc                                    Process
  File created                  C:\Program Files\WinRAR\winrar.jse     088fb015b5add247137b27e402d61441_JaffaCakes118.exe
  File opened for modification  C:\Program Files\WinRAR\winrar.jse     088fb015b5add247137b27e402d61441_JaffaCakes118.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Modifies registry class 26 IoCs
  description       ioc                                                                                   Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.mmc   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"   WScript.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots   explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open   WScript.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff   explorer.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell   WScript.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""   WScript.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex   WScript.exe
  Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings   explorer.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut   WScript.exe
  Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell   explorer.exe
  Key created       \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU   explorer.exe
Runs ping.exe 1 TTPs 1 IoCs
  pid   Process
  2904  PING.EXE
Suspicious use of AdjustPrivilegeToken 13 IoCs
  description                 pid   Process
  Token: SeShutdownPrivilege  1900  explorer.exe  (13 identical events)
Suspicious use of FindShellTrayWindow 45 IoCs
  pid   Process
  1916  088fb015b5add247137b27e402d61441_JaffaCakes118.exe
  2752  iexplore.exe
  1900  explorer.exe
  (repeated events per process collapsed; 45 events in total)
Suspicious use of SendNotifyMessage 21 IoCs
  pid   Process
  1916  088fb015b5add247137b27e402d61441_JaffaCakes118.exe
  1900  explorer.exe
  (repeated events per process collapsed; 21 events in total)
Suspicious use of SetWindowsHookEx 4 IoCs
  pid   Process
  2752  iexplore.exe  (2 events)
  2900  IEXPLORE.EXE  (2 events)
Suspicious use of WriteProcessMemory 20 IoCs
  description                        pid   Process                                              procid_target
  PID 1916 wrote to memory of 1728   1916  088fb015b5add247137b27e402d61441_JaffaCakes118.exe  28  (4 events)
  PID 1728 wrote to memory of 2752   1728  WScript.exe                                          31  (4 events)
  PID 1916 wrote to memory of 2484   1916  088fb015b5add247137b27e402d61441_JaffaCakes118.exe  32  (4 events)
  PID 2484 wrote to memory of 2904   2484  cmd.exe                                              34  (4 events)
  PID 2752 wrote to memory of 2900   2752  iexplore.exe                                         35  (4 events)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\088fb015b5add247137b27e402d61441_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\088fb015b5add247137b27e402d61441_JaffaCakes118.exe"
    PID: 1916
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
        PID: 1728
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
            PID: 2752
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
                PID: 2900
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\088fb015b5add247137b27e402d61441_JaffaCakes118.exe"
        PID: 2484
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 4 127.1
            PID: 2904
            - Runs ping.exe
[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 1900
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads