f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
Size

791KB
MD5

33ff102d03b1ef0d0b9708c05bdab32e
SHA1

809a277b7a8fe08f4629511cdf251823dcbab861
SHA256

f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c
SHA512

0ff78d8e73e4cea08f9161f7a8eb1de89aed82365c3c676eaf2b41f440326ced71ddfc8e23e0379fea308900c83cf03d1aa8c53e776b18c46a2200319ae9bb8e
SSDEEP

12288:YvnG8GiSd4R+w0xerCvWnjE6t3jVqZn/YeBcMH4N+td4D36CIsttD+YTP2wRL:YvG81SdaH0VcE61jcnB4N+t2JfywRL

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023457-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
5088	tyercservice.exe

Loads dropped DLL 6 IoCs

pid	Process
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
5088	tyercservice.exe
5088	tyercservice.exe
5088	tyercservice.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023457-4.dat	upx
behavioral2/memory/1372-5-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/5088-25-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/1372-37-0x0000000010000000-0x0000000010128000-memory.dmp	upx
behavioral2/memory/5088-42-0x0000000010000000-0x0000000010128000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tyercservice.exe	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tyercservice.exe	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tyercservice.dll	tyercservice.exe
File opened for modification	C:\Windows\SysWOW64\tyercservice.dll	tyercservice.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\882aef05749a54f6e880e1b97f291d61.dat	tyercservice.exe
File opened for modification	C:\Windows\Fonts\882aef05749a54f6e880e1b97f291d61.dat	tyercservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{42A20D36-3E97-11EF-B355-C605466CACCF} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "385854717"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31117988"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117988"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31117988"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "390073542"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427365459"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "385854717"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	tyercservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
5088	tyercservice.exe
5088	tyercservice.exe
5088	tyercservice.exe
5088	tyercservice.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3236	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
5088	tyercservice.exe
3236	IEXPLORE.EXE
3236	IEXPLORE.EXE
3568	IEXPLORE.EXE
3568	IEXPLORE.EXE
3568	IEXPLORE.EXE
3568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 5088	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	83
PID 1372 wrote to memory of 5088	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	83
PID 1372 wrote to memory of 5088	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	83
PID 5088 wrote to memory of 3236	5088	tyercservice.exe	85
PID 5088 wrote to memory of 3236	5088	tyercservice.exe	85
PID 3236 wrote to memory of 3568	3236	IEXPLORE.EXE	86
PID 3236 wrote to memory of 3568	3236	IEXPLORE.EXE	86
PID 3236 wrote to memory of 3568	3236	IEXPLORE.EXE	86
PID 1372 wrote to memory of 2040	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	87
PID 1372 wrote to memory of 2040	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	87
PID 1372 wrote to memory of 2040	1372	33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe	87
PID 5088 wrote to memory of 3236	5088	tyercservice.exe	85

C:\Users\Admin\AppData\Local\Temp\33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33ff102d03b1ef0d0b9708c05bdab32e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\tyercservice.exe
  C:\Windows\system32\tyercservice.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3236 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\del_file_b.bat
  2⤵
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
405KB

MD5
be7c7ab5b5cd19ac739e679b8750c3bf

SHA1
f5dd1d0c2a3b46b8c48a82dc98f709c2064e7f58

SHA256
44912d51643c8964fc13118dc678b42e6d85481bb33f154128f209f5c2a1135a

SHA512
cbb7ec7c9e231236e47a1b55c617ea336dedf33b2d1248d53e2bcea81185200b2a45b356b137e8631021aa934934a4b29c9a2e958343468eba7692c5493997b2

Download Submit
C:\Windows\SysWOW64\tyercservice.exe

Filesize
791KB

MD5
33ff102d03b1ef0d0b9708c05bdab32e

SHA1
809a277b7a8fe08f4629511cdf251823dcbab861

SHA256
f03bb60b1ae57586258787e3b218148820f010517a3338eef1cc39f078fe4b7c

SHA512
0ff78d8e73e4cea08f9161f7a8eb1de89aed82365c3c676eaf2b41f440326ced71ddfc8e23e0379fea308900c83cf03d1aa8c53e776b18c46a2200319ae9bb8e

Download Submit
\??\c:\del_file_b.bat

Filesize
235B

MD5
46d6600c00fb6cf3e3e3b71e1c91bcfb

SHA1
406e5b6d3024456a1d7ffa0786767c0cb545fc6a

SHA256
96118c461fc73bda8e9bfc1d1d4df4d9b9caaa7498f6a497510167cdcda81f57

SHA512
8dff63d95322bbdbe332ce9cc0b367c34bc062b695d88d8e524aea074a1709c4bf02c59e03864ad0f15846bb18696afa2f36572ab9cf2f4745159039b0a598ee

Download Submit
memory/1372-11-0x0000000000620000-0x000000000063E000-memory.dmp

Filesize
120KB

Download
memory/1372-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1372-37-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/1372-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1372-5-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/5088-25-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/5088-31-0x0000000002540000-0x000000000255E000-memory.dmp

Filesize
120KB

Download
memory/5088-42-0x0000000010000000-0x0000000010128000-memory.dmp

Filesize
1.2MB

Download
memory/5088-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download