Analysis

max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 20:08

Static task: static1
Behavioral task: behavioral1
Sample: 0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll
Resource: win7-20240611-en

General

Target: 0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll
Size: 189KB
MD5: 0f5dd209d4b48ac36c9d100d4e9c4bb1
SHA1: 95cffc889960b5d4db51e27833cb650c8c7ac933
SHA256: 73f0f24f6324ec5076968e1a02c8c71a8b7653272cb608df94675176333728fc
SHA512: 39738069333286369c2eedfc3713948c58d5c815f178ff50048154bf70766cd13a4ecfd47b4dd3963cd1e8bcccab04b8f39fd64cb82975904f0b5d61951e3ce8
SSDEEP: 3072:Rt5Gf4bwPdy5XMxJZID/RlovuTyB9yyo7GcXABr:RCIpJJTEV
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation; Process: fxvVpP6P

Executes dropped EXE 2 IoCs
- pid 1480; Process fxvVpP6P
- pid 3076; Process qakhvrorqrjbmpbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
- pid 3668; pid_target 1600; Process WerFault.exe; procid_target 81
- pid 2644; pid_target 2840; Process WerFault.exe; procid_target 85
- pid 692; pid_target 4048; Process WerFault.exe; procid_target 92

Modifies Internet Explorer settings 18 IoCs (signature heading absent from the extracted page; name taken from the process tree below, where it is attached to the IEXPLORE.EXE processes)
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main; Process: IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7D99A5D-332E-11EF-BCA5-DAD58692AE8D} = "0"; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch; Process: IEXPLORE.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"; Process: IEXPLORE.EXE
- Set value (data): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000; Process: IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425508015"; Process: IEXPLORE.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"; Process: IEXPLORE.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main; Process: IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU; Process: IEXPLORE.EXE
- Set value (data): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main; Process: IEXPLORE.EXE
- Set value (int): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"; Process: IEXPLORE.EXE
- Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion; Process: IEXPLORE.EXE

Suspicious behavior: LoadsDriver 1 IoCs
- pid 664; Process: Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs
- description: Token: SeSecurityPrivilege; pid 1480; Process fxvVpP6P
- description: Token: SeDebugPrivilege; pid 1480; Process fxvVpP6P
- description: Token: SeSecurityPrivilege; pid 3076; Process qakhvrorqrjbmpbd.exe
- description: Token: SeLoadDriverPrivilege; pid 3076; Process qakhvrorqrjbmpbd.exe

Suspicious use of FindShellTrayWindow 2 IoCs
- pid 3360; Process IEXPLORE.EXE (2 entries)

Suspicious use of SetWindowsHookEx 12 IoCs
- pid 3360; Process IEXPLORE.EXE (2 entries)
- pid 5072; Process IEXPLORE.EXE (4 entries)
- pid 3360; Process IEXPLORE.EXE (2 entries)
- pid 4240; Process IEXPLORE.EXE (4 entries)

Suspicious use of WriteProcessMemory 43 IoCs
(columns: description; pid; Process; procid_target. Identical consecutive rows are collapsed with their count; the counts sum to 43.)
- PID 5036 wrote to memory of 1600; pid 5036; Process rundll32.exe; procid_target 81 (3 entries)
- PID 1600 wrote to memory of 1480; pid 1600; Process rundll32.exe; procid_target 82 (3 entries)
- PID 1480 wrote to memory of 2840; pid 1480; Process fxvVpP6P; procid_target 85 (9 entries)
- PID 1480 wrote to memory of 1632; pid 1480; Process fxvVpP6P; procid_target 89 (3 entries)
- PID 1632 wrote to memory of 3360; pid 1632; Process iexplore.exe; procid_target 90 (2 entries)
- PID 3360 wrote to memory of 5072; pid 3360; Process IEXPLORE.EXE; procid_target 91 (3 entries)
- PID 1480 wrote to memory of 4048; pid 1480; Process fxvVpP6P; procid_target 92 (9 entries)
- PID 1480 wrote to memory of 1776; pid 1480; Process fxvVpP6P; procid_target 97 (3 entries)
- PID 1776 wrote to memory of 2072; pid 1776; Process iexplore.exe; procid_target 98 (2 entries)
- PID 3360 wrote to memory of 4240; pid 3360; Process IEXPLORE.EXE; procid_target 99 (3 entries)
- PID 1480 wrote to memory of 3076; pid 1480; Process fxvVpP6P; procid_target 102 (3 entries)
Processes (tree; indentation shows parent/child nesting)

- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll,#1
  PID: 5036
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f5dd209d4b48ac36c9d100d4e9c4bb1_JaffaCakes118.dll,#1
    PID: 1600
    signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fxvVpP6P
      command line: "fxvVpP6P"
      PID: 1480
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID: 2840
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 212
          PID: 2644
          signatures: Program crash
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        PID: 1632
        signatures: Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          PID: 3360
          signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17410 /prefetch:2
            PID: 5072
            signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17416 /prefetch:2
            PID: 4240
            signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID: 4048
        - C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 208
          PID: 692
          signatures: Program crash
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        PID: 1776
        signatures: Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
          PID: 2072
          signatures: Modifies Internet Explorer settings
      - C:\Users\Admin\AppData\Local\Temp\qakhvrorqrjbmpbd.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\qakhvrorqrjbmpbd.exe"
        PID: 3076
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 640
      PID: 3668
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1600 -ip 1600
  PID: 428
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2840 -ip 2840
  PID: 3636
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048
  PID: 2108
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 96KB
  MD5: 74f37fe4cd2c65109465b9998183a657
  SHA1: 9419ff643ebd890e108c2732a40f9b3628b35a71
  SHA256: 4e84e2831364f0a0b9c7d552e58b9706d0de6fae139942207af33f515dcae40b
  SHA512: 95651b579b497f8a3f4b0eb42f90bd8a722a50b38e3b6c22133ae2390e68bad21d74f7fdc4a45fc43c8aa798c5775e87bf6cb20a6e1ed9c7e80ecb9b302b4a81