Malware Analysis Report

2025-03-15 05:52

Sample ID 240628-ajqzdszgke
Target 1814180cbc718603b624aba48cf2bf40_JaffaCakes118
SHA256 336061655e7c3fbbacad5fbdb8caefd7298aa929b7aca149055e584f48695e6b
Tags
vmprotect
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 1814180cbc718603b624aba48cf2bf40_JaffaCakes118 was found to be likely malicious.

Malicious Activity Summary

vmprotect

Blocklisted process makes network request

VMProtect packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:14

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:14

Reported

2024-06-28 00:17

Platform

win7-20240221-en

Max time kernel

117s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config.dat C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F839691-34E3-11EF-87AA-FA8378BF1C4A} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425695558" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1688 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1712 wrote to memory of 2252 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2252 wrote to memory of 2308 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2308 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2308 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2252 wrote to memory of 2308 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2308 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2308 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2308 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2308 wrote to memory of 2556 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 462.800h.com udp
DE 3.64.163.50:80 462.800h.com tcp
US 8.8.8.8:53 462.haha.la udp
US 76.223.54.146:80 462.haha.la tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1712-1-0x0000000010000000-0x0000000010031000-memory.dmp

memory/1712-0-0x0000000010000000-0x0000000010031000-memory.dmp

memory/1712-2-0x0000000010023000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:14

Reported

2024-06-28 00:17

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config.dat C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1236120235" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1235965101" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426298678" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115504" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{74FA3F52-34E3-11EF-B9F7-4AFB17CC47EB} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115504" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115504" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1276901722" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 5080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 3968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5080 wrote to memory of 3968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5080 wrote to memory of 3968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5080 wrote to memory of 3968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5080 wrote to memory of 3968 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3968 wrote to memory of 4608 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3968 wrote to memory of 4608 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4608 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4608 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4608 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1814180cbc718603b624aba48cf2bf40_JaffaCakes118.dll,#1

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4608 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.200.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 i.pki.goog udp
GB 172.217.169.67:80 i.pki.goog tcp
US 8.8.8.8:53 10.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 462.800h.com udp
DE 3.64.163.50:80 462.800h.com tcp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 462.haha.la udp
US 13.248.169.48:80 462.haha.la tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/5080-0-0x0000000010000000-0x0000000010031000-memory.dmp

memory/5080-1-0x0000000010023000-0x0000000010024000-memory.dmp
