e4362894399a7a2c12b17d024a0bda58b26be8e12219e4466cfd976257cc4587

Analysis

max time kernel
119s
max time network
132s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe
Size

528KB
MD5

2c685dc04707d7599dc634d0f08b1215
SHA1

4ec56a4de37e56b5a5901440baa7a4a4213a751d
SHA256

e4362894399a7a2c12b17d024a0bda58b26be8e12219e4466cfd976257cc4587
SHA512

fd96d51f64d1e078a33b7ad843389f597d36201c09288420924ac312159668ea82c9ae741b3395630d43e00bda406fb52eee5fe7bf2f5b7b36677c9560586314
SSDEEP

12288:SP6ys+NgzZhkDjh9rmxf5QlZI+5mmBbylA/cmFhyyly1:GBNUfk7kfDU7byW/cmVl

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000c1e23af12aa903e7debab8a0c3a365c10f2143907056e342a1efa85e22adf08d000000000e800000000200002000000036a48b4925b15fa8a6ec46c46972bd7c98c62a68f2725bcd099714a1dd1eefc290000000c94882d68440286366a0bec5ed3f617fd9c0ce55fe76e79e8b727344bf29d10e4f98b74381c19f65ca5e4f23d19a47f7b1dce767b96c9e938f246f1f4e243a7c487b56f7ad5b628117847b2c04bbe212d99d0982d405499fbbd975b90447f36dfbdeab5f165c4082d6d6c7ddd849bd97ea280209d18b006219cc82cf8ba3d6955c5a4a379e697f15f83a1dec97fb7099400000002b808d8d0f972fb0fbe06074d5b75becbe9ae339506669d6c02a3fefa85016d2f578c5149f1a8c6ddbc8aa4a784a97e9de3a48036a679e2d8882a72d8a6cfcc5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f000000000200000000001066000000010000200000007d646130d215858c08d7211db5a0326493bc0ccd5bcb27371df5f56cdf3c1063000000000e80000000020000200000000a5c7cd376b10e3dbc50e2ef2ed9593b9f4b424595fc60583fdbf597743bc2b62000000093e18ed66c8509b97393eebfb1ffa6a2683ec782afa33d27344fd91a2b73e494400000002f8c4445d388dbfe54fe9fa1cd4602a99db58f8dd96fa84f04a3fa1da4ef3a7caff3cbab30fcaeb13c8dca37b7888f7d1787abd3911a447701106e5ae805030e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426633196"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9034c56477d1da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8B96D381-3D6A-11EF-A372-5E92D6109A20} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2120	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1732	2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2120	1732	2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2120	1732	2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2120	1732	2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2120	1732	2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe	30
PID 2120 wrote to memory of 1192	2120	IEXPLORE.EXE	31
PID 2120 wrote to memory of 1192	2120	IEXPLORE.EXE	31
PID 2120 wrote to memory of 1192	2120	IEXPLORE.EXE	31
PID 2120 wrote to memory of 1192	2120	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c685dc04707d7599dc634d0f08b1215_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://6l.cn/s/tj.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dff16746edac7676947096d2b555038

SHA1
5890eaf23e13cb57de1537aa07af2dae25b61776

SHA256
98e7e8de185c906ecec79e1545493af9948b7e57d7067e7a9060594afb36b89a

SHA512
132baec454071495915f1450a5a721e6cfaaacf32668a808b45d1e49deaf85eb44bcd0aef06bd4780625d0c078856df347e2300f2dbb23ba4b334313d7f149b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de604ef68649defc967b49573f8dffce

SHA1
2874574d8e75d04784a8ead163830f5c941d33f4

SHA256
999271225f79db365037d4a58da07c4c87f1175ea13d4b0938423a31e4dfb9a4

SHA512
93d8b0fdbc5f8790cdf6761f897e4e385196f7ed969be30a7f146f37071b5755381829f42bbb247351dd4e388456eb1e82570ed0e19352ece91f209d7b53f6f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b4aec83a3b4b2784a7642f170cf9266

SHA1
f9463bdd24272ec7d1388ec0fd453a97a24063f0

SHA256
8351384f3acb9c3640be3b956b672362c4caf80dfc3f12ae1802a8f2dbc985bd

SHA512
a29c0d248240716cc6f7a1f08558587e41a1cf43d417b9c07876ba52aafb228211066ca3a81caf6a1f74486b1e0cabf88d56fe338c36100198ae208c1c12d3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c35b48e1c88a5774180573ab71aa91db

SHA1
bf52ea3082cdc7164b6a6d6e6827254e159e0022

SHA256
66f845985492a2f19f7f5320427218497790f68a1b177f1f4e4b3a807b9ea141

SHA512
1448b06af284d61626a1e90665254a2e13ed178cafc4de4b3e046f4768073462bca6b807e11bd35b46ef042a4db98fc0e0d02e71f16764443659772ff656cdb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07fed3b22d9418b9d39a7df82f864875

SHA1
0e6d2d9643c20b324fd16fd74ea5e25bb18a1698

SHA256
abec24157b5066b9e9e4cbd249bea84df5853d4b8eef00391672e40456913e5a

SHA512
e183e5fad2cf32ba291ad2c6e06af96c2d88ecd6dd9e79792ea598216c5442f26db97e5ef7b456f739b2749f481fbfb97dd63d2c5332d8e2b1bb18cff8543d0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
067e69662b86d191739d195bf4fb3fae

SHA1
f171f3c37a164d5c514bb482e0e5795611f0bf1f

SHA256
a5670a3ecb24566d308a33a5de5e95cf0198e56897e5602bb751cf629db6016a

SHA512
d0256c77dcdab4b60b9290264a4f32ceb9f31453c5282a756738cb421530a0b3ef5a86fca498d465819903f340b4408e1b0e965836ebcf23288b4888549c9415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e22a44aca0880228548bda6da60c6cf5

SHA1
99fcaaa5208314058b9b2de5ebdfcd7712885f71

SHA256
e71e2851e6aa27b691964a62fc045d5e63f634db35a6701689075a406973118d

SHA512
4df15f3364ad6c67aa1fb517f746d940bae4e55628874321f66d0ad88ff6c5a3fc7b9ba3356e81953f5d3aa7091dad97816fc1b8b5bf92553dbd8efd16441d9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36e98dd91207d6d1f3ec054f2221bcab

SHA1
77decbf80c4ec5fff00f1f5eac02fe4639be6285

SHA256
7579ff8fdc79e4f1336062c6aa9e1dee498663a50c52aa427dec3ccb800a69a6

SHA512
4c6ed7848ef200ab4ad6fbf1224fc9644d8c6fae4a6a054b9146dfdd91d929b2df21d7a5facb19f412146c290182752b0eeb5eb9e1d6b05b22e5327f36a15c76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80e825e58f6b8157a1f9d862ee2d183a

SHA1
a96fedf7b4142bfa9bd6a8877518f148aabb63c4

SHA256
b7d42db3281167118523e99990e0d542dc10e90e06be7ced44bdce8d2325ca9e

SHA512
9a16f3f95a4264c6da407ebc409f18ed1f5d5cec68237cb19175a0626e17c7ce148883c8544d5a28a3c48794b1e6c3231c71f2d394b11537a548b8daf35ba2aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf52d3b0fb8ebd2b1c467d3d5182307e

SHA1
230fcddaf0aa8ab8c268bb091332709f0a0f5c05

SHA256
7b4796178614476a48d0ebfc66c04ad4f787d463dc7d17699847a9e0b56482e2

SHA512
a7ad99bd76bd6920f97671d92aa0aafcc390a3148a183fe5e4e229ddafb987fc7ba809d9bf3b04b8ebaa89dbd456d065fe5a255e4faa0885a39cc605ee6e448b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c4abc6336e456f199607fe294f168f3

SHA1
9a4e909300766fc583546aa8d188bf015d1cff8c

SHA256
949a04b02649df2fef87063fa546904f32755e1315bceece2f5ddaf480a859e6

SHA512
b4dac19de75c4f256c9e9aa20fd08a2208361c78b9f3c085cea84d1c5113ddccbb36442d9bb3e357a952647e3dcd7a4d5cc4d323c46e6b9978f99b6c911f82fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE8B0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1732-7-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1732-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download