b2775f496f6f120602cf87e9fc339925e8988aabe3a41ac68941bc5d7edb1ae3

Analysis

max time kernel
85s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
Size

144KB
MD5

3cf6d2cadfdd05296495a92d942a2fe2
SHA1

fb541e5810730f619c69736a180067fb71673b93
SHA256

b2775f496f6f120602cf87e9fc339925e8988aabe3a41ac68941bc5d7edb1ae3
SHA512

7b77f7b51a8a581136a5123660a5d3a751b5982d6eda4149e805b071332bbf8ba943edf2c83c38ecf526aad3a3ed85d5134f78b8f5a24ae2bb78beea3cebd855
SSDEEP

3072:Rv/q95IBXql2k7xDsL/F3U2AqvpfV71Bzs+:c8677xILd3Mels+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2084	Fkrhrm.exe
2276	Fkrhrm.exe

Loads dropped DLL 3 IoCs

pid	Process
2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
2084	Fkrhrm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fkrhrm = "C:\\Users\\Admin\\AppData\\Roaming\\Fkrhrm.exe"	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2084 set thread context of 2276	2084	Fkrhrm.exe	31

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89A84CF1-4037-11EF-920C-D692ACB8436A} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426941154"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	Fkrhrm.exe
Token: SeDebugPrivilege	2904	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
2084	Fkrhrm.exe
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2524	2064	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	29
PID 2524 wrote to memory of 2084	2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2084	2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2084	2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2084	2524	3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2084 wrote to memory of 2276	2084	Fkrhrm.exe	31
PID 2276 wrote to memory of 2820	2276	Fkrhrm.exe	32
PID 2276 wrote to memory of 2820	2276	Fkrhrm.exe	32
PID 2276 wrote to memory of 2820	2276	Fkrhrm.exe	32
PID 2276 wrote to memory of 2820	2276	Fkrhrm.exe	32
PID 2820 wrote to memory of 2824	2820	iexplore.exe	33
PID 2820 wrote to memory of 2824	2820	iexplore.exe	33
PID 2820 wrote to memory of 2824	2820	iexplore.exe	33
PID 2820 wrote to memory of 2824	2820	iexplore.exe	33
PID 2824 wrote to memory of 2904	2824	IEXPLORE.EXE	34
PID 2824 wrote to memory of 2904	2824	IEXPLORE.EXE	34
PID 2824 wrote to memory of 2904	2824	IEXPLORE.EXE	34
PID 2824 wrote to memory of 2904	2824	IEXPLORE.EXE	34
PID 2276 wrote to memory of 2904	2276	Fkrhrm.exe	34
PID 2276 wrote to memory of 2904	2276	Fkrhrm.exe	34

C:\Users\Admin\AppData\Local\Temp\3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3cf6d2cadfdd05296495a92d942a2fe2_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Fkrhrm.exe
    "C:\Users\Admin\AppData\Roaming\Fkrhrm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\Fkrhrm.exe
      C:\Users\Admin\AppData\Roaming\Fkrhrm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d888f77346dae9b5b336429223d46aa3

SHA1
74bc0ba6edb7cdbac186d6bbc613819cf3db7156

SHA256
e6e5c1c5bce9f2a1178647942d18b831b53d7fbdfc8b3dabd20728c954f1507d

SHA512
7dfb7acab1984e327e27a652d38d5838df262fea9396f30e5e12ea38bd189491e7f5260f20d7fd1603f85c288be5ef8e9e1692c92e678a323ff65f5e9da63490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
779a46f850a0f4fbe058322510537469

SHA1
530d0bdf65f1c7e80c8cb82d76815cd712b4d203

SHA256
006b1560fc61755600adf94ceda7aed42df6ae3aa66d9a12b3f25f94434ebcc1

SHA512
d7f1eaec6e9f6f85c6472f4bd66d77be280473a5ea3ba5368a898f1179424c58f340598ba346c802c19b0fac67cb3b97e899e7c969a7a143502b566d81384276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
693dc031df0f7e6cde577bf8d8d1b6a6

SHA1
c55b0a43521860d73d83f8462b84ae134c5de91c

SHA256
7c54d27a7d690e0f19e699491a324bf04a851dc38cc1a491079b1f83f26dcd3a

SHA512
4759f7739501ce1944ce49bf96585865d73b362ae18cbcff4c4abf1ad2c7db57c78b4280936ff447857454a98a15f8551d4c9d71b16ed9688051c738dca3dde5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dab3add078a734c30821ba25155d8b0

SHA1
bd9e719c00bb3b1f217f2b7f4b64703d510dfa62

SHA256
89e098676aeae9b65e077a5c8f12913ec06e1d37f030cc87f21e3cfffdc9c256

SHA512
4d6fb22fe641cb4802b5d3473f434346215a6dc83f37279155806c82b0d6f1da77b893255cfab2788b4a89bce0c6a603bed3cf39843f1dfeedc3e600a33776f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dc682b869ea922645832eb49d6c19dd

SHA1
6f6ada7c6937a13d7dfa48c1a3d6d868ee158575

SHA256
668914e8840bbff7cdf5c080320f89c2598b891f5e4e46b2e79536ec401e32da

SHA512
a4a64f44f08b54d3bf8c2a68d0da6e569c0100ca8bbf72fad60fb58a83c4b01d7266796c17e0242f8bda894ac684ffcae8005808a866ffb51de4e74509fbabe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ead4b92dbf185f239b375ec07823543

SHA1
21409b32646533df08701caa045aa3be4e7a156e

SHA256
ad1c44023a15635931a537ae70cc948cde079d3595314866518ff3e6543f4fd8

SHA512
971a994a3c0543115c682aaa49ea5d04868bc8ab64e08723fa77d9d6046a76ceaf4142c6f9e69136919bcb1b99336f31576bd6860bf5f63a476da27075ccb51e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a088bff65998caca51aee3619afce84b

SHA1
fcb35600ab76d462722ef276decbcf248219f170

SHA256
2965d3d9e06128d84058000ef42ad87e2e4a77e9faf92e9e9feca30c462b2dfb

SHA512
fb9eeb2caa64a3044e0088ede574e68a2eb6828cb5fad9048a73b257342add0376bb2181ef92375d2c168d5fa9bca172430ed935876ba103707d45ebc99187e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f13ca3576c78107111646fd908c2505

SHA1
0608a700a14072eac5c0f3129b1a617790207e1e

SHA256
6b5b3192abcb2eac331856557bdc8052faf5f35e66625aa0d27f0809884f2004

SHA512
d22ca3f36b2bd76f48eadd6fccc392f5b413cde21aca3ae14e7ed53b8a8437d6ff83659e0c89f831a61ae454467d5813323d2f436a132c4c87acc0377de60ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d48f350b890b4ec3b6cd81e0386a025d

SHA1
6497ace78845e2ffe4100e426bf751a4f2a936be

SHA256
7535613fe49977ca3430575627a0a6201676cbfdde05605199f1d25878995e07

SHA512
4ef19d6669318346cbc683aa96f6de451e818f170db7f7074e8bf44e314f44beb990339c540761dab1793b9dfaced533c1487c2f91b3d41506e04cbb1c6096bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E1C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3EDA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Fkrhrm.exe

Filesize
144KB

MD5
3cf6d2cadfdd05296495a92d942a2fe2

SHA1
fb541e5810730f619c69736a180067fb71673b93

SHA256
b2775f496f6f120602cf87e9fc339925e8988aabe3a41ac68941bc5d7edb1ae3

SHA512
7b77f7b51a8a581136a5123660a5d3a751b5982d6eda4149e805b071332bbf8ba943edf2c83c38ecf526aad3a3ed85d5134f78b8f5a24ae2bb78beea3cebd855

Download Submit
memory/2276-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2276-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download