799e4f3dd64142ef6d12229ab057627feb1623928208305c2155f6aded9d369f

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Size

16KB
MD5

1c10cacc9381db33f01e4b49cab3faa2
SHA1

0ab0efa8c0a7860ffd9ddb49abf86b62a4008757
SHA256

799e4f3dd64142ef6d12229ab057627feb1623928208305c2155f6aded9d369f
SHA512

53e9ea9845f12cc7d4f7ca0c8aadd4dd746f97bfb30647b7cb57585d19ef8bb8304623db832ce6a774a587e406d20157774bacee376f0b097d66fcb8690b7cfa
SSDEEP

384:AIWA1Tv6M8c5IkmHe6q6YaIKkrzOPSCFiAxjr6+S9Pfu7n5RDphTF:9Wk+SIHHiE6zWpxadeVRDrT

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\spoolsvw.exe	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000039b2f25f09ddc9a5e11a9a88d2aed381865ea1729b5e2f191a3596532143efcd000000000e8000000002000020000000da5b657dcee785bb8eee9ddb7e754683de70ddda2ce4b46bd091abd3d722f8fe200000004ad7481e03e50c97ed6286b902f6a3ef0b0e7c281f148f0889a4052b59cbaf9340000000f353e70e433d5993171f485ce29753c030ba66585ab411067fbee94f3213322b783e28f562b4662c84201df9fd7002e0fc58337203e979abd0d4b3cd52b47d7d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000005dbe263c358a395848b6a942ad44838a6e17256fc733e3d7c1d52bb92e675520000000000e8000000002000020000000ea45a37d38bc9602921b62ff6e49bffceea14a8ee7102a3a92e3262b483855fa90000000d5dd504a4ff0b2d9278e0b787df25a8d340fdb918299633e20306a314d041c3538179e94e439bda8852b9a3d27ba6514a962650b33c2eeb59726cf4295f0d219853748a0c84336f89a100d7d620d4ee5f6744c62f727e878c3ccb6e093f7b12607279ee10de680e26981c9df9fd8f66bd877a745258348f2bbca7d031316086a30488973baa129c1def26e11b4ac7b0340000000e79c4b5ce3987acdd38e95f214ff7594bc70292d1f0b85f45ed495ae4bc7f3042d484ab12978f3ef5b999a7f645d565a95dd658f382cf689ca8aaddc0e6f0977	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64C294C1-37D8-11EF-A7E9-D684AC6A5058} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426020669"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d09e52e5cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2408	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2408	iexplore.exe
2408	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2408	2220	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2408	2220	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2408	2220	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2408	2220	1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2376	2408	iexplore.exe	29
PID 2408 wrote to memory of 2376	2408	iexplore.exe	29
PID 2408 wrote to memory of 2376	2408	iexplore.exe	29
PID 2408 wrote to memory of 2376	2408	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c10cacc9381db33f01e4b49cab3faa2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://g1noticias.bravehost.com/timmsg.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8b03d90134ba249401f8787877a47f21

SHA1
3e7fc5ec0bea5082a68e08453be3c2500e5e0b2a

SHA256
97cfc32ad90fab61e13f8e62c8d16fd1b81947af9c6f91201197d0a951b569e2

SHA512
707b13f7cca3960c242658ee36cb93206e072f83e10cb94d842dbcb36007ca5d0fbf54598d2ce948d91c6e70a2d11b715be8cececfd93516b6cba865e3525a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4feaaded4bb431a332adb741715021f9

SHA1
9a9634edab7c3420820855c750291a7ac5f2f5f8

SHA256
13b5db49057d7926fd3b3f09695a626e4750da46db449e21e1f27d1c1aa6f0fc

SHA512
0b2a7890be0bad45d203f2f933666b78dc1f93ec8198802a1ebc1118d456ae1e97462f5c0b1ae260bd39a7aad78e849bf09aa3397bd95d3c3fdcaa90d7f1f95e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bc91ec9c220746e32ebf9c87f5d2533

SHA1
89f1d4e5abdde6462216747e9c5b308f739cdb75

SHA256
e2e764002a48d269fc5a63db680b68d85135e4e5e53ce0f040901132867cbe7d

SHA512
36721399a0955aafa730bed1ca228726ee897f00c645bb60d0d6ea9444e580f64c1d983868dfb17332ecb637f2621125d4ac6845b8a56257901744d17487ffed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
877dc20a2390d44c578ec206a6234b34

SHA1
0a15ab0ed4009cd7925bd8d604914cd125c6ef5d

SHA256
8aa18a67990e55cd0ba991d5995488aed41e46f68d5c7ec23421fb81e1525a1a

SHA512
13bfbf3579eb050cfa322bba1a8bfc912c08a3f58aec325fd37d05640d783e7bd1c36e71d6b3813aaff5e667228afa33f43dcc9eedaa4043b0b4bea9bb4cb22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b1ff342cb74a92d040262acb644fd9b

SHA1
6a7de1bfcfd85c69cbe026eed5697a07e3c6d809

SHA256
50742e407c204f0b617b147c5fce63e55fd7a9aa62a0e8613876298eabda46e6

SHA512
d9cf36a504bb4367e20ab0cb9d3d6eee3d3d59ddb03f8e8499ad11f9e03b784b3947e25c6a1ec7e4fe288c603e7eb5b21ff997659c7a02d56494c7919612f901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9d98e345dc56ef0b06993cf52ec662a

SHA1
10e1a3f71d77a1e39228a4c7490b231a09ffee04

SHA256
619faa6545271d8b9f871bad8ff76c940149031c1d001bb9d64d3ec79c93af0f

SHA512
9f320cd028a0c2764687ab2341a7a4ae9accb2a890495d5b00abce5e2c0b32e3475076294bde36ebb36d8dca9da95f1bb570d7e9835769a7ad9e1830737206f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f57493f437f795a56e1e7d8dd84938a2

SHA1
6c7524ec6deddf91f274a2d1e879993de18bba74

SHA256
e616c1a43c460e97f64183849b4918e597fb1685741e81a8144957a7695c1ebb

SHA512
f1e4726b06d88e199757a9b832a06d33e9559af8f9b4911c8097fad47e1a59deb9f4c5f98c5b8edf02512813eac89d3ecba72242b646e5e32ff5153a4ec56e86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c49041915c545d751bd268bb93d3977

SHA1
efb5fa9ace9dad9e78ca6858d3d461e3cb8c2617

SHA256
b36ca28259c5884f98934a0f9ff14bdaef562ae7656ed5c4af457593b3950660

SHA512
130bbe8017c1096ae415e64494eeac48873bab563ed63cf11190cae378407363662356daf204cb22b427de830bdbfa95ffd5e8c4cc6dc8a9b668c9bc1cb727cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa459aa5bac55460e5bfc1de57ca30ff

SHA1
f6a182aab41da56a5c7f940ed7d6fc76603963a2

SHA256
c9c54dfe1333c64edbd5b812d8bcfd83edba7288255517cced3f742728ad4809

SHA512
3afd4937086d16faf3a193e8fb10a8024d7b7bdedddf21d6b166f768710a65ad758da77ab044820f006fe33796cd2027308ca54bae1b2e7e26fc8770663eccab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1864fe19f4ee37574773f0b12dbf41ee

SHA1
175b0f96bcb42adf37fdb5b0add591a102cc90c1

SHA256
30c8532c7b46ac14462ffddcb9bf8b82516cfeca68cfb0173c0ae3162bc8938f

SHA512
550b398d35ec38a9cf6ccdde1a8e6105a6df8420c94d68e66f868bd2e1356929d58744cfbacb96b1cbb91ca557fb6a9cb15bc41bc8c0d674eaf2f1ed28ebf032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
830ab7e2cf744a05725900696ea0ed5b

SHA1
4a2333aa29f772afa538f92a2e53094d0c473af3

SHA256
918d9a7b2b24e74dce4466447020e59544cd4e367bda83380d136730af8a3817

SHA512
7b8f4fd08bdfcddce7333c397ad866609aee154d3ade700143c18577909e336edcca3e51217859e32311b7b1ddf9872c87d8f34f28796bf474f9f3893c36fcea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15c03aa3a6b9bbf01423f8867573e670

SHA1
17808513b082ca13edee20494d8bf31cd1b226b6

SHA256
19253ad59b480e45c6c5af7af9ee8296c2811d01215e31305e32a707b3b493af

SHA512
1159bfad5c2e6465efc181d2e3ddae99c8755076a541f00f622f34741e4ef0d64d02f4e65a396077534d30c58b0896ef3a52d4e21e0419c2cf20ad85d9de04b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea6eabfe9a9c3ae885c7feaaed019fc5

SHA1
5e3566ead5cd5a7a09ed5ed409a389bcd2cc7588

SHA256
3ef9f4b9aa0e2efddaf33590b3472a41c08337864bb43ddf7d4667a25949001b

SHA512
f22758151f8146b2b3dcd06e9e9be90c35f8c63e23bda13f993754dec77f560f33006562223fa1941870897563407f11efa48d592962f79b3447dce12a63fb5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
286f61eb2934f28990207511628427ca

SHA1
62aa4a170394f05543a1576e07470e3cf207d1be

SHA256
8a46ad65872e9aa0d6056eceb7d7ea2cd3499586e7c144e84dda27bab03b21a9

SHA512
aa7dbecdc890fa841a1658d0cc021da03cc976fcdcbc3670a1a9b6ddf62d0f9925b1740ba516986e9c842f3518a5c0b21337f839c713b910c4694cdcccf6f051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e0c9d1d74ce84b798c085e1c9394aaa

SHA1
3c1e6b824d1d928405d2a53cb54488840b17f6a6

SHA256
19cefc80694521912638895996aad164672f4e7e0412026b91c7d3dcd3a3921d

SHA512
3a931454f5e758ae153f01cbfdd5a6f3531c3a633f97399c93933f993b7646528acd9ed2f7a9aa0cb2a86966ba2192767b6694d212c490c814bd8cffa4fba255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e2d6889da77721c5a6e0e5d1ee915e1

SHA1
13289060c2f09ea5809b8bafb992f515c8095138

SHA256
875e376e84952c5f1a10b7d7407f660a8ee97f427640a8bd19b9c591cf396dbf

SHA512
af7106269d8e5366ea28fc0b33577559a09da6e54f0e6259e34b27548596dc12e143f22d5643dad3555e1c981e22c854187205dfd8b7b0ba092326b3451ff14f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47d12410ffb5fbc25d3b12909b8268df

SHA1
64e700bf7c858a92c02e41bc1989ddab3f4ad18a

SHA256
4f2d2fb93f132ffcdf85a5ec895af374974b6a2352a99051b53c7682b1addd14

SHA512
1eb079d87e5ab35aebea167f180c4b8128f36b81a4b09156bfcd365820565e7edcb19298f22594b18bc32085e0b018bbfb9385caca35e12d245d449e2c2ffb6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1070acd82b94bdc30b447cf866f88fc

SHA1
60add01d6856f9c47599dca145f6a697022b1da2

SHA256
216d9d1b4ac869c3488f2d88344d45247039472f71eb51957a8d3b1d79a18133

SHA512
83f2048c0f1af6af9402a04918cdc0cee90414ef1304e780c517a51fd7713a65307e4221b0dcf7e708c6d7f1352c386c92e56ba84d5c3ee11067c503015e4416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb1b4df52057769d10b3df4b104c120

SHA1
35e4c8c9b92e43e627ba6bf902a7581b1cd09752

SHA256
32674dc6fdef0141e74f1989ddf278ce33c4c23f97b1565f96a96eabc142261a

SHA512
e7d2dba4d53b727b7a27f27336e4bb48212db3e40787c877d732d24065e44a976a59a2e1175f3dcbbefa5b00744b786786b276dd4c0b18d051503bc8a1c68b1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d196f61229f765f5aea680497fb5cc7c

SHA1
53fa81de5fe51499a80cd9ee7a5221830053491e

SHA256
fdd8752b9b7609d33e26c1a0d014db0e7654efe4d5df164272b9a74bc8aa5a24

SHA512
301b22f405a7db13e4fa8059f303acaad00140dc3141fc38e045f08fc53e7638311e715a53d8534589bf703e307ebe61547a185a57e887ac8e6082069a6915f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f43c4bca651af147da49ad4efa54d70

SHA1
b39dd3129b3e30e3ef617eaa43efb1829d3b4c13

SHA256
06658a8e7293e70a2856bf45e4474d94a8d6638f31bd6c3e1c50c692e109fa78

SHA512
356cb782584ef033861159b6fa2e223c3baeb7ac1078ed92bed04eae093c8dea69ff670f0e338c608672bb35222eec3eaa29f37006f95b2bdc6210753464ec35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b49e147fed751779c147beede23b6330

SHA1
b05e75f08bf3cb07b97686fd7031c3ac63c5acac

SHA256
13d2bd36657cda7df22e6f35a90d3ce9387d2eb904c3ad3725950e09a950201f

SHA512
aee3fad79ae207114d2ac28a33194b1312d54a9119f9e51909ebcfdd1b8808286709d4d2fca458ce4a2ca90fe7a3b7f8dd60b9d9e907cc40e8a44c357f8b7961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a75bce8cd2735a2922a37c4adcdbf07c

SHA1
98d48acd983639abb1173d804a0cb4c29afa738d

SHA256
0a57bc57e420dc3d96e035bb1845286a3a56639ce221083c142cedfafccdd071

SHA512
e3863f961aff75ff8753071a339739068468d5ed10da603f1417efa57f2da45a6286b8a674801214b7a0a595a8c1217d708195e87f289a1f1f9d8a593bec140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2228.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\spoolsvw.exe

Filesize
2KB

MD5
57aaacb775b71aa88e62ef838b953932

SHA1
c711458057b72a381479d1d62cb68a18a71a98aa

SHA256
27c0a4c2b96de0c79a9ba512ec76d965e8a3ce8741e3f0231aae3258047af4b7

SHA512
41c1b8bf6fad914acd114cfbdbb2e250bed7db38d5336d8b9adcc3e1bb2f622b8a787097b56d6c33bcaa9f63186f67a1a16c700b26da21450cac72f22475c55e

Download Submit
memory/2220-171-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads