4d368f0772bcb89e211c92c70d29f3540afbefb0cb7567b69bde99d190f67a10

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe
Size

42KB
MD5

27368a062dfb5115722356e9c178f40c
SHA1

7abfd2b0ef2ec15197d0c2bd466bcc8bdd07ac94
SHA256

4d368f0772bcb89e211c92c70d29f3540afbefb0cb7567b69bde99d190f67a10
SHA512

26b287117a2852be39936552ef540704530451455e2ed097e1a752fd0d6e16243645ed19c2ad209a2ac5f182cec6777ac28f2e2ee935e3d2a437bd02e9541680
SSDEEP

768:kjGwQhoBl3KGryrtHR+SafO68PjCf7QM+NKgwjkwkwhT:kjG4KUgxbqe6QJwjksZ

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winkei32.rom,SaKRun"	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winkei32.rom	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winkei32.rom	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426385317"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67E1A611-3B29-11EF-8F92-565622222C98} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2624	iexplore.exe
2624	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1920	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	28
PID 2860 wrote to memory of 1920	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	28
PID 2860 wrote to memory of 1920	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	28
PID 2860 wrote to memory of 1920	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	28
PID 1920 wrote to memory of 2624	1920	cmd.exe	30
PID 1920 wrote to memory of 2624	1920	cmd.exe	30
PID 1920 wrote to memory of 2624	1920	cmd.exe	30
PID 1920 wrote to memory of 2624	1920	cmd.exe	30
PID 2624 wrote to memory of 2680	2624	iexplore.exe	31
PID 2624 wrote to memory of 2680	2624	iexplore.exe	31
PID 2624 wrote to memory of 2680	2624	iexplore.exe	31
PID 2624 wrote to memory of 2680	2624	iexplore.exe	31
PID 2860 wrote to memory of 2624	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2624	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2624	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2624	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2512	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2512	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2512	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2512	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2448	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2448	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2448	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2448	2860	27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\27368a062dfb5115722356e9c178f40c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gos1278.bat"
  2⤵
  PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\27368a062dfb5115722356e9c178f40c_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e014a400743f6b7f77bce2e9a6e81831

SHA1
eb10d057d509484ecd196384d73dedaf06b38a33

SHA256
3de64070420f9aab651661af2e9b8af94aac201d436514f96eb1a6fe0c55a4d1

SHA512
2530252d74adbf230349aef1040b4e4e648b5976225cc21c92f273d92c46d4735877162df63dc5b85ca09e925831d328fc4a2e5f36a65ae83f9229a6e53943b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b59e89e1707045f37326a3c6dbdfa60

SHA1
54685ad5699a85835a9558d660662557f88b4995

SHA256
4686006f737145f4167bca51515fb3ceeab3ac3e0cc90a180778d06813803c46

SHA512
9e2a503ad9cd405afc096f12e575521657074f0837c0b162cddab0996c48defdc4907b9b274459f542d5ef6865084a2a0d554880856c6b6bfec8688c5f5f8a92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67bb8ace273fcc55ba9df34b15810367

SHA1
3688045a3b0c97b0a20b810ef109401768bb0273

SHA256
97d0dc830920113e2096b9376caa2e2bf1282d724a43eed8560a2f7d2b3d9060

SHA512
3339195a3235fa2716bfd46b1f38ac6f93b9a5016949b5c727bc60fb1c3729e5a7627ed472ae667e644cdf6d2dd87bdf8f0d3c661f1b5c461cf3e26dce6a0895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979c93f87471b902f387e6cebc7c7083

SHA1
011dd462ad5246a6cd93449ffa39aa7042c94647

SHA256
b0ad1d2d2304fc54b44d190993e7bfba594bf91eb4085bcc3432bb8bfeff7a57

SHA512
7ec43d87d8b723455e48168d593d6bb08bda08c90b9b52543a681882cb095edbe691c7ece1b805a2445506c3f35ad837c82c06c48c050fea6aa5d554544d7590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ce6b1a42dc795af8f45c44e6e0bc4b

SHA1
3fab301486ab1ab58670ae9c9f7fda716f2c19d2

SHA256
17ac3cd47bf966866e629849f901c5898ce14ba5117a67cf59cb271fede06901

SHA512
6b51c723e3592ebe5385a43d2a06b8101da0c85ce57da0eb29a8744ad94e94f5f1c27e2555cc8a15ce21578d5ccd04fe2719c33b5438fcd77f9e24bd4cc5c655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07a1d74b60c70b0b3e7e18035d2871ab

SHA1
a25fb6974bab9ded29899f71dadea62e18db1a1e

SHA256
1341c9433399c6be4b447308ec05f8b1790c8f2ad0ee023e7df678ad24ea156d

SHA512
dd983c7a5116c3f1e6ac1a17de8f70ae84067535e65c48a2a3f1439788000c7360094659cbc9fb740bc1402a977e6fc6b9ef7d7f96e28b3e166ad86a431d9c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d2caa34e3d15e1507a2dbaa996f2e11

SHA1
cc313eaa3d05ce9edba1bbdc34ab8b05a75b1739

SHA256
94f9d207bacd83bf540d3b5ae9969e3fe328a7f8de6bfbcd1c518e57fb2f2a77

SHA512
ac8c2ed523f42cc852f56e4f6c24a97bb5f35ab3db051085c0b956b0cde05c3730f7b9d268d3ceefba7165ddb864a0fcb79b71948ade83fa7d45da594959c639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f53c548b58480784314746c48664e0a

SHA1
7c0abf30545949bec4c3f1cc79ee0e6b0aead9f9

SHA256
c5ff9091aea627cec20bb36b52af24ea96ddd0702cfb5c5b6f14f56ace1dbe2d

SHA512
50c089d4bf1634e7b9e0f0b826055f81d66dc9927cb3c4e04a02c2f61b46e0b55e37a7cfe98d2b4c4f50b6006709a94a49cb004199eeded675ebc12293cd2223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57abef36ad2542e786f08776fab79e95

SHA1
3e6dac2047dd085d27627ad1a8a884bd170d5b1b

SHA256
010ec4c8036538ca546992fa240de85ed9ccf674585339ebc3aeddbec4ec6310

SHA512
0514304deb7021b2691c63a2caf714b2dbaef555dc93368318536119d41fe28bd26636d9ec56227e2aba9a6270e84f924abe8fcc5c263f88d32039bc8bc9f5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\27368a062dfb5115722356e9c178f40c_JaffaCakes118.bat

Filesize
305B

MD5
020e8ad5bd43b59661f41ab99a3ed5f2

SHA1
601fdd2d5ae8305a88f6372277ebc3fd6e036c54

SHA256
d44e84ac565adc63409994e48244d75f391a6bbf8aeef9792134aecc3f03a18a

SHA512
ea8c3a97fb43de89b5f1bba29a8c8ea4d902be99a6a3c3ab052e21b2e9c9459f1f27c2da19d7d632bdd9cee8709cae9f2cd1d2a7166edfc0d6e1e699882786e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab127A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1356.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar136B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos1278.bat

Filesize
188B

MD5
f84d79a8a35dc31580d00f2adc533d06

SHA1
eacafa00ca1f1c4f5fa40b81e0f92f586d923671

SHA256
f6b05e4119c300c159ad3462f5e38e221e159787c1f71dd586e0185712669dc7

SHA512
9c1ea4408ddf8f89b953442094ed3eafce73a1a5fa1f57d37d8d275eb283f3efaa54df63b0672b27e2a5319623d0e1d11c55bb8e17c395dea727f6df82389d54

Download Submit
\Users\Admin\AppData\Local\Temp\gos1278.tmp

Filesize
31KB

MD5
2ba0013117ca8ec104c937ae2b7e8c26

SHA1
33a4858f7bb1b40e15f65fd4e385ad9e732d999c

SHA256
6b865694f1886052641f35155b03ba6757ba63b420731133e2013a527d7e00f8

SHA512
c26adf09d4ef5705b4a9d1d8f4e18f4abbac83a2d5667cf4ab9f5ba43b903d5bfa074f732e45f0d8d811385e86180c274d9a36450f71907e05f58d4e2ecf05d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads