1c74ccb070bd075ec8bed834851134d9afc78f7e0872ddb1f075349bb3867fdb

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe
Size

350KB
MD5

3cf12798c3df358f313d2be661228d6c
SHA1

d0a4b021699c965d540fd4f0f0e3169b531c2df1
SHA256

1c74ccb070bd075ec8bed834851134d9afc78f7e0872ddb1f075349bb3867fdb
SHA512

dff94cb008435995fe05a6a9361ca7d94eb7a7c2282b996b6b88c9c57c3a6a3557fe8c6475da27b89c420cd86ac345bdb7bb76640dba0e6d99b8c990a082de6d
SSDEEP

6144:qQqOqkiNtRRJli7NNV8i6A6SeDWAfNFAMIVpWHGVv3tbUT9zvrZnC:dqk4tRRK3yi6BSCRfNSMIymV1be9PZnC

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	cfÎÏÅ£Í¸ÊÓ.exe

Executes dropped EXE 3 IoCs

pid	Process
2252	cfÎÏÅ£Í¸ÊÓ.exe
3452	ÎÏÅ£Í¸ÊÓ.exe
2436	´ó·É0126°æ.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000800000002343c-12.dat	vmprotect
behavioral2/memory/3452-19-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral2/memory/3452-20-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect
behavioral2/memory/3452-101-0x0000000000400000-0x000000000042B000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3452	ÎÏÅ£Í¸ÊÓ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a0000000233e8-5.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
3212	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118403"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2237727817"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B0DFA104-4036-11EF-AF84-56B4F41D064E} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a2b77443d4da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2235852517"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118403"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118403"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2235852517"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6ae7fc137728b4d8f1885e01307ea05000000000200000000001066000000010000200000008498d22e5ecd213c6638da66788dd8f36dacc60232325d6c71b65d4389d14d68000000000e8000000002000020000000662717ea8f5d7f5c0b9841e83a1e26004c9728020786fd0be7fc1b603b8b13ae20000000a340f8c4b2e6f49d079c9a3b953b03ebe20020a7421b38c510c1ae66c9334ac840000000c3ed917d26c6750a19b362e48fd94a85a08a6bba75855bbd769f89af1601c6d2374a5cdaf3d254d1ea8393860f72947ea5cc59f8b999dbd5e583e8be95404d15	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427543886"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	cfÎÏÅ£Í¸ÊÓ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3452	ÎÏÅ£Í¸ÊÓ.exe
3452	ÎÏÅ£Í¸ÊÓ.exe
3452	ÎÏÅ£Í¸ÊÓ.exe
2436	´ó·É0126°æ.exe
852	IEXPLORE.EXE
852	IEXPLORE.EXE
412	IEXPLORE.EXE
412	IEXPLORE.EXE
412	IEXPLORE.EXE
412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2252	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	86
PID 2124 wrote to memory of 2252	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	86
PID 2124 wrote to memory of 2252	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	86
PID 2124 wrote to memory of 3452	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	87
PID 2124 wrote to memory of 3452	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	87
PID 2124 wrote to memory of 3452	2124	3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe	87
PID 2252 wrote to memory of 2436	2252	cfÎÏÅ£Í¸ÊÓ.exe	88
PID 2252 wrote to memory of 2436	2252	cfÎÏÅ£Í¸ÊÓ.exe	88
PID 2252 wrote to memory of 2436	2252	cfÎÏÅ£Í¸ÊÓ.exe	88
PID 2252 wrote to memory of 1952	2252	cfÎÏÅ£Í¸ÊÓ.exe	89
PID 2252 wrote to memory of 1952	2252	cfÎÏÅ£Í¸ÊÓ.exe	89
PID 2252 wrote to memory of 1952	2252	cfÎÏÅ£Í¸ÊÓ.exe	89
PID 2436 wrote to memory of 852	2436	´ó·É0126°æ.exe	90
PID 2436 wrote to memory of 852	2436	´ó·É0126°æ.exe	90
PID 3452 wrote to memory of 1628	3452	ÎÏÅ£Í¸ÊÓ.exe	91
PID 3452 wrote to memory of 1628	3452	ÎÏÅ£Í¸ÊÓ.exe	91
PID 3452 wrote to memory of 1628	3452	ÎÏÅ£Í¸ÊÓ.exe	91
PID 852 wrote to memory of 412	852	IEXPLORE.EXE	92
PID 852 wrote to memory of 412	852	IEXPLORE.EXE	92
PID 852 wrote to memory of 412	852	IEXPLORE.EXE	92
PID 3452 wrote to memory of 1036	3452	ÎÏÅ£Í¸ÊÓ.exe	93
PID 3452 wrote to memory of 1036	3452	ÎÏÅ£Í¸ÊÓ.exe	93
PID 3452 wrote to memory of 1036	3452	ÎÏÅ£Í¸ÊÓ.exe	93
PID 1036 wrote to memory of 3212	1036	cmd.exe	95
PID 1036 wrote to memory of 3212	1036	cmd.exe	95
PID 1036 wrote to memory of 3212	1036	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf12798c3df358f313d2be661228d6c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe
    "C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://123.kukankan.com
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.vbs"
    3⤵
    PID:1952
- C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe
  "C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 C:\WINDOWS\system32\shdocvw.dll /s
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /f /im empty.dat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im empty.dat
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LIDWBKOU\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfÎÏÅ£Í¸ÊÓ.exe

Filesize
263KB

MD5
97a2bf62d16d752cd78b13d4120f52b6

SHA1
041902eb8269d87d1ff5acdb00aa0062114f021c

SHA256
fa722a2880eaa6737271de8c1f6506f42b5ee6e43a0fe188d45ad82e691aea7c

SHA512
b1ac9529f29295c27e612ccafbb3b0f394ae91806d50c5ecaec4a3d8f82e53c32e9b471f4e144d77618b9833620ba9c889a4bf433df84c7b1dda0789caf63cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.exe

Filesize
238KB

MD5
1b09cc5d84b88c96e08f78dbfc426168

SHA1
5685a2a312dfbfca4da4b1923f59502706b9d536

SHA256
f5cff9b9cf4aede7af19e45a7902f084999984735d283af5e1c07860d86ef5bb

SHA512
2572681364eb58cffc03da80374f34d3ecabafb4fb656c5d4cb8e579f730c249f47acc403e13a45dba54b1309f86c5088adfcf08b1909e519cdda611636e7389

Download Submit
C:\Users\Admin\AppData\Local\Temp\´ó·É0126°æ.vbs

Filesize
1KB

MD5
efd05135c1895db2a8a563899234770c

SHA1
743e73052903d000dc73fa08d9c05be1b8afa363

SHA256
564c8fcff599eb12b85e30b64cdbafdd0fbddfdf09ffc4ffda6637275feb3a7c

SHA512
63fff5bc79d31fc2380318e8e52c67f4533f16b98bd2a5fdb2d7505241c6830ca8d18ce279dc20309f133f89e4ddf19ea97a05e5ac921b1bb7a024e808e63255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÎÏÅ£Í¸ÊÓ.exe

Filesize
84KB

MD5
7ad7ed7fdd25baea8e6c1a8a639b4fc5

SHA1
d5f22c8eb1eebb74853eb4b63127e240211ede6a

SHA256
cea15b32f02d28194725a4156b682f1a9bc8608adc326cbb3aac7149facd37fa

SHA512
eaf422438fd21fe272c181bb45ba27a1e25cbefb242b766ec0361ecb6f2d880c3ce4ffcc813f5740ee65eb765c53ffb8c1206967638fd5ebd444fec0fec6892b

Download Submit
memory/2436-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2436-33-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2436-100-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3452-19-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-20-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3452-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download