f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 08:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
Size

791KB
MD5

33ff102d03b1ef0d0b9708c05bdab32e
SHA1

809a277b7a8fe08f4629511cdf251823dcbab861
SHA256

f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c
SHA512

0ff78d8e73e4cea08f9161f7a8eb1de89aed82365c3c676eaf2b41f440326ced71ddfc8e23e0379fea308900c83cf03d1aa8c53e776b18c46a2200319ae9bb8e
SSDEEP

12288:YvnG8GiSd4R+w0xerCvWnjE6t3jVqZn/YeBcMH4N+td4D36CIsttD+YTP2wRL:YvG81SdaH0VcE61jcnB4N+t2JfywRL

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016aa4-4.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	tyercservice.exe

Loads dropped DLL 6 IoCs

pid	Process
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
2868	tyercservice.exe
2868	tyercservice.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016aa4-4.dat	upx
behavioral1/memory/1964-6-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/2868-27-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/1964-43-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral1/memory/2868-50-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tyercservice.exe	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tyercservice.exe	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tyercservice.dll	tyercservice.exe
File opened for modification	C:\Windows\SysWOW64\tyercservice.dll	tyercservice.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\882aef05749a54f6e880e1b97f291d61.dat	tyercservice.exe
File created	C:\Windows\Fonts\882aef05749a54f6e880e1b97f291d61.dat	tyercservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	tyercservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426762354"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41FE37D1-3E97-11EF-B36A-FEF21B3B37D6} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
2868	tyercservice.exe
2868	tyercservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
2868	tyercservice.exe
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2868	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2868	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2868	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2868	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	30
PID 2868 wrote to memory of 2668	2868	tyercservice.exe	31
PID 2868 wrote to memory of 2668	2868	tyercservice.exe	31
PID 2868 wrote to memory of 2668	2868	tyercservice.exe	31
PID 2868 wrote to memory of 2668	2868	tyercservice.exe	31
PID 2668 wrote to memory of 2792	2668	IEXPLORE.EXE	32
PID 2668 wrote to memory of 2792	2668	IEXPLORE.EXE	32
PID 2668 wrote to memory of 2792	2668	IEXPLORE.EXE	32
PID 2668 wrote to memory of 2792	2668	IEXPLORE.EXE	32
PID 1964 wrote to memory of 2848	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2848	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2848	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	33
PID 1964 wrote to memory of 2848	1964	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	33
PID 2868 wrote to memory of 2668	2868	tyercservice.exe	31

C:\Users\Admin\AppData\Local\Temp\33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\tyercservice.exe
  C:\Windows\system32\tyercservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\del_file_b.bat
  2⤵
  - Deletes itself
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaea548dcdd714015ca4213f63807ffc

SHA1
ce494d439fcfb14e2a73ed899bee54f58c7647b3

SHA256
4e84c5e56c17875abcbb8057288a58168537f3a38f7872780e4be295989b2df6

SHA512
415bdc11e4a70650315844aea292c089010630efdabc04623d5b3c3ac9d830b7a7fab1b62c5c6d9374243842ffb00546af7f809decc8bd4f62245946661521f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8bb51af7ea19a62605379e037f8b614

SHA1
18ce07b52707e654ee99cb97f710bcdad97aab8e

SHA256
2f1be86d526fe82343ec92128b4345d4d8b7e1b3b1142854ee7efdf4fc8ea924

SHA512
bde77b63991a22c36936d52e42d2599f4213df0867b25a24b50fba022fd5615fd8b67d38a986f9c512bdb75295528fc54bb2a6d14ae6fb76043ed8447c4216dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ffb3249b6c0d8b161e3cd7e6c4af0d0

SHA1
13c3e15b1a9e4ce49f75a57ed844a2485033e16c

SHA256
eda8ff2f9bee5f0c2bdb09802d76927bdabb00994abb336da3dd0c06f7700fc4

SHA512
746f813da6bd92a2b3b0713e08cd95768bd337d1f45ef84578ba5c9ace341bfb32494becb0feb57f2ebaad96c24e41df15b4471a89db0f6dee779c7d7dac86f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8b0f3971420f87055ce51ec518154fc

SHA1
733e7c2f9cedd335de0da2de22d4ab5c41e08fbc

SHA256
c8d8f3acccc58dddc0a9e731d4bbb1c6dabcb84245fa6df08cc4a5bd495c4a3f

SHA512
8183da51c1e1ffc25cda13b937d7cd798f5da4a26051da994f92c3a66c863752ab41c1f828250ef7900201c096698cf4bced914c82fab6fcc6bf78e36031872a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dea3fd05caa8abef4fb788592f62c931

SHA1
d44697c12780d6262f14a49c021ee57c097e91f8

SHA256
f5b69c6bf06bcc430a55cc82855d3796d0a3c552fc7697484c694d07ec919234

SHA512
89c35a7e7ceb43f4f00ccd7bf9877ba11092a76485513d477b900ea51ba36187c15df49d60e4123c879469a1ace8528b351cd7641940def2668f6359fde43c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bee941ba96cbd6caae4c2d2149aa62bf

SHA1
0b5840b27903dfffe818e7fa5583bf97fe9a5d7b

SHA256
e7897107cafa39f75619e07e649beb97a1d64938afe97d0da5d1de3450ba8d45

SHA512
f600050b9f16fb4e1389246d2550b908843341783689c0c55df5b80b5223dea9bdf34891d7678c2388a3e4f2c240c5bfbf1a13f985fec4d0997f9f27eba007a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3f5e714efb6c3c3336690e4aa4e31d6

SHA1
6086d84c0e089e9cc926bc56535546fdfcf3532d

SHA256
bdb241f5babc64e99f7cce8533bdd5bbf75d1b792117f4c126175f7b8b564b2e

SHA512
d7a5b2e307ce0dedac894dbdff7ce974a5e5153304bd35499b2b771ba03b1ed6a9db2e911c84ac3ffb0fa2a5ab1ffdd6a3aa3ba07efb6605f707fac3c1695779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2fe3730a827943f0d4c0d65ba722ab4

SHA1
da7b9ca096fb91a131c0492553a75a93a1363050

SHA256
46d64940a70213d790f90d089d212f51da6bb973155191c1ea1e19db537cdae3

SHA512
bda8f8dfe3d2894e06a1c22a11ea8fcb951983b1b4df8c46cc410af003a021d4f26eaaa0f86e467b36f5f732150422857cd4674d97d7f917a3ea15543043a4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD40.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDB0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\del_file_b.bat

Filesize
235B

MD5
46d6600c00fb6cf3e3e3b71e1c91bcfb

SHA1
406e5b6d3024456a1d7ffa0786767c0cb545fc6a

SHA256
96118c461fc73bda8e9bfc1d1d4df4d9b9caaa7498f6a497510167cdcda81f57

SHA512
8dff63d95322bbdbe332ce9cc0b367c34bc062b695d88d8e524aea074a1709c4bf02c59e03864ad0f15846bb18696afa2f36572ab9cf2f4745159039b0a598ee

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
405KB

MD5
be7c7ab5b5cd19ac739e679b8750c3bf

SHA1
f5dd1d0c2a3b46b8c48a82dc98f709c2064e7f58

SHA256
44912d51643c8964fc13118dc678b42e6d85481bb33f154128f209f5c2a1135a

SHA512
cbb7ec7c9e231236e47a1b55c617ea336dedf33b2d1248d53e2bcea81185200b2a45b356b137e8631021aa934934a4b29c9a2e958343468eba7692c5493997b2

Download Submit
\Windows\SysWOW64\tyercservice.exe

Filesize
791KB

MD5
33ff102d03b1ef0d0b9708c05bdab32e

SHA1
809a277b7a8fe08f4629511cdf251823dcbab861

SHA256
f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c

SHA512
0ff78d8e73e4cea08f9161f7a8eb1de89aed82365c3c676eaf2b41f440326ced71ddfc8e23e0379fea308900c83cf03d1aa8c53e776b18c46a2200319ae9bb8e

Download Submit
memory/1964-15-0x0000000000240000-0x000000000028C000-memory.dmp

Filesize
304KB

Download
memory/1964-43-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1964-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1964-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1964-8-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/1964-6-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/2868-50-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/2868-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2868-32-0x0000000000750000-0x000000000076E000-memory.dmp

Filesize
120KB

Download
memory/2868-27-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download