5aa02be2838e8e150095a6d7bdf03fd9da6b9de8f30029cac713cb37a102bc75

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe
Size

72KB
MD5

267b38cf2ae9f58fff9edea4d90c9959
SHA1

f8de865ca329b70f75af4d9eab168562752f98fa
SHA256

5aa02be2838e8e150095a6d7bdf03fd9da6b9de8f30029cac713cb37a102bc75
SHA512

c4470cf2ed701a262867f63d27baf8fdd1e933825e4d99c89c6cfaff8da2b699ba7d3def5c8844f71dfdb845481148e3e1db9aea41f2b927bffa115ee999211f
SSDEEP

1536:LB9i01Ha/G0bqgKiLlVVO07AOgRXi6S12g4hdeTpGXJmD:3HwGVQLlXO07AHXtI27hdehD

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winuji32.rom,eHxXSwQ"	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winuji32.rom	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winuji32.rom	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	848	WerFault.exe	27

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8548CD11-3A56-11EF-BA8B-4EB079F7C2BA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426294742"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2640	iexplore.exe
2640	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2108	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	28
PID 848 wrote to memory of 2108	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	28
PID 848 wrote to memory of 2108	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	28
PID 848 wrote to memory of 2108	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	28
PID 2108 wrote to memory of 2640	2108	cmd.exe	30
PID 2108 wrote to memory of 2640	2108	cmd.exe	30
PID 2108 wrote to memory of 2640	2108	cmd.exe	30
PID 2108 wrote to memory of 2640	2108	cmd.exe	30
PID 2640 wrote to memory of 2652	2640	iexplore.exe	31
PID 2640 wrote to memory of 2652	2640	iexplore.exe	31
PID 2640 wrote to memory of 2652	2640	iexplore.exe	31
PID 2640 wrote to memory of 2652	2640	iexplore.exe	31
PID 848 wrote to memory of 2640	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	30
PID 848 wrote to memory of 2640	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	30
PID 848 wrote to memory of 1192	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	21
PID 848 wrote to memory of 1192	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	21
PID 848 wrote to memory of 2744	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	32
PID 848 wrote to memory of 2744	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	32
PID 848 wrote to memory of 2744	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	32
PID 848 wrote to memory of 2744	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	32
PID 848 wrote to memory of 2748	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	34
PID 848 wrote to memory of 2748	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	34
PID 848 wrote to memory of 2748	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	34
PID 848 wrote to memory of 2748	848	267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\267b38cf2ae9f58fff9edea4d90c9959_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\fig1FFF.bat"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 140
    3⤵
    - Program crash
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be9ad8048bbbd5bf1eac2189d2de474b

SHA1
2442cad66488a3213a8d7c8b9e417fafc86f7fd1

SHA256
1dd500dfc378ab3710242505e7526ca25392283b38055f4d6d8e88a6a7c45745

SHA512
f0c7a7f2fc6d03c94b33063d4b815ad3f825c68b62011889493e04f1341f285c0ec990443091097c757f229bd04cc5bafbc49c434cad806857eb7e9c17e9ddd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e26e776b38a7ba16b037d58735cdd45f

SHA1
b24891e1f2d8a15e441f1ba322711fadc69ed64e

SHA256
ccd3c661972f1e29c17619b3ebf811c1821f67d18df09c65b16e6a2e870f3169

SHA512
37d9f72297a95d3fce45c59ae339c0d7800b0109280c27dfff5006ece6818916cb03d70581fad5b423867be5b007ecb93675ddc56310298a01853708c916d0cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4421d116ce3f5164a7864bebd22d75f9

SHA1
e5a2ef47037315976001c8375cc35f39b9fd05ea

SHA256
f980d762d443bfe27c876510a8fc27956c0c3fcace12f1a239340239553515f0

SHA512
2201a48b04e07fcc9f696dcecbddd63aa5440c7301c4573e37a4b6a806690f24997b24070255b35295a6807e68bb6d55e954b12f46751e2282e3d32e397fd5fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06db75d9bb5f9186f2f05fd8a54e33b1

SHA1
c2ea36bb567f28cfad00bf40eff4428979e0accf

SHA256
4cea191bf78016a171ee35b7b4d217e288ace425a3eaf10f8cb2583245f38d82

SHA512
58ad81f20e59ee5c7acc48ef19de236c7a9cf239de83df209828e565071dbfb593b1369f3e3c92392fee517c79e6905de058e3c2f351caf98067e9347e9b3ca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aab0bdbccb637934591a3f389d684b4e

SHA1
26969b899230b37c76d6c3689add7ab95e95e0a4

SHA256
e241afbfd6abf338f2fff4f46ef693dbc7a92a969b3c56630552e22fc28bb07c

SHA512
5806ab085f318071861a11f076647f943ccd73c057e6d8602da39ce0d969e92960cdde176cfd3bdd52484fa424be20401dbe3638621f5587a4e168dca1d40457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c3516d574c59b3d3eda338f877fbf28

SHA1
a69049abf4985a7dc2eb2b09a4e54d26a14bbeec

SHA256
dcd5a728061669334bf459fec60d1d8152451821c77948a9a6fceec6767277df

SHA512
debc3c9cdad3cb1cf65f1981e53ddccc7651594cfee48510f3cf588d797a014e1405a5c6bc8cff164dfdc042fc50c9675c2b19e409b98215e66883d34ce351cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f2ff586948e337ebf47f71a1b7e83cb

SHA1
37a330fcb765836e395bafe2d30c746b4cf3bcc4

SHA256
c63d29d07cb72e2e3ddeefc96730da5db73c6b88edd5ec790aa2a14bb2ad50ab

SHA512
1d24901dae8564bc9bc8865beb1baa1d146be1f96e60d77a7e93787d482932dbc521b004f14b84d3727167c878981f0497f597d7fa12817ed9579ee6a2e9b52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
788b2740c7ade1b63673e4414f79b88b

SHA1
45cb4621e2133c4729c1edc267a798ee42828408

SHA256
1ccfe417b7fa884b2ac24051f518f31154feb05d9bab48070a45e660dcc57da3

SHA512
268539bbe24d28c3ee5e8f08211a51ce6a5ce729d562e8099dc5d0665c68f3e7720db05b2fbf032d3014bb228d15a0a1599bafff3b1c25c58b55ff8044de2ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea91ad1b90f35658907ff64ce0bde45

SHA1
23a86c6773cddedc5d32976573d5920928462c23

SHA256
e42a09d03fe3a8613104b5a5d4a166479e867ad8c88bb1aae3827c8d9d2dec0c

SHA512
641c7826d23ec5773c59d6886e156e99a97cf3634ee72a0c06f4a6adefd1b70c53a6f8ab10a7838a1982be3fff586db4941b4e43c97bfbee8c9975fe53adce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2129.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab21B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fig1FFF.bat

Filesize
188B

MD5
be3e3bdcefa341db5fe6fb24a276ecd0

SHA1
e31ae2984f7ff886349714cb94b7875eacd8a792

SHA256
b4c91d618a4834136a76345bab66bd51413a902d2e28e0b69260970ed3ad12c7

SHA512
acc71c52e048ae136541e23c1d7c4a58ac10e32c3b6e68093ab7fec2d162b3abbdcaf883c8d63d41114e66daf6922dbff3a384cc89c3745db68538e71194affb

Download Submit
\Users\Admin\AppData\Local\Temp\fig1FFF.tmp

Filesize
38KB

MD5
7f2bb41388533c3a55e67aa8f5d83fa0

SHA1
060f587baaf37876d14fbae8f751391882c2d1e6

SHA256
e1dc9770c2c125d52a24c5e04e37881da168ed71a1bf232d45b7c2937e29fce4

SHA512
7e9451c43f96bdcd2a94257e9500be40ddd5d036a5b76092d334a9f8292e58b55064aebff87406dd368fb6136fb36e270f939527b143fd2c15ac4abdf3e92fdc

Download Submit
memory/848-36-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1192-22-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

Filesize
24KB

Download
memory/1192-25-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads