ae6192f91d3a29aa5651a5208ad882bac3e56cc51b1296bde6a22ddf8371988a

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cfb2b831c73c87e6332b7c2d6ef8365_JaffaCakes118.dll
Size

16KB
MD5

3cfb2b831c73c87e6332b7c2d6ef8365
SHA1

79edcad2582d420b976352138e8cc17203e11bff
SHA256

ae6192f91d3a29aa5651a5208ad882bac3e56cc51b1296bde6a22ddf8371988a
SHA512

5b919f6297a36e5c7fc196547d478a2e7ce6375a98309f4848817e2f5c3c6d6f7b5eeeafe631a0506ba3d1d6bcbfb357ebdd11726447cec1499c6184284c8346
SSDEEP

384:2wxc0zXcHeOxoAlRJH3HYSO15mIjt7AIRGHRCyTXJ:2wxnM+rW0H1kIRwXJ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000010000000-0x0000000010021000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67B8EEF1-4038-11EF-BCCD-5E235017FF15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426941517"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3cfb2b831c73c87e6332b7c2d6ef8365_JaffaCakes118.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E43B6656-814B-4839-8FF8-AFFDE0DA9A3F}\ = "Internet Service"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2944	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2944	iexplore.exe
2944	iexplore.exe
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2476 wrote to memory of 2488	2476	regsvr32.exe	30
PID 2944 wrote to memory of 1188	2944	iexplore.exe	32
PID 2944 wrote to memory of 1188	2944	iexplore.exe	32
PID 2944 wrote to memory of 1188	2944	iexplore.exe	32
PID 2944 wrote to memory of 1188	2944	iexplore.exe	32

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3cfb2b831c73c87e6332b7c2d6ef8365_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3cfb2b831c73c87e6332b7c2d6ef8365_JaffaCakes118.dll
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eefd1e5470273e5d75173e9cbec69f7

SHA1
b51fe62d9ebe61678b76ce4f1566de18040cffeb

SHA256
12e98b0c7825d88fd75ccbe7a57d2061ef78845eaacc750df5af2ce72401aa47

SHA512
240b86dea2b7aa3a278a1b12010d9d0ef981aa465c3cc7b55f601c7483516f5742bf59d3590ca3382ce2bfbdd1998c0148f42e7e107c8a1ce7b4c02a5712cb49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1d3afc42db9d0a3fca9ae6a6c115119

SHA1
12016c2319f4cc770861ceddba9c895b95801ac4

SHA256
b0a4956c945029d49e3415f92248900ded25e90a7caa53c0ec2546c67a287d22

SHA512
24e9e8b6afe79f22d7589126fcec1ad485c10c95f8fee1da330dfd9693bdf79775f0539aebe2f21c037b460f35d0613b38ff8eda71b8e2aa89964e86a0d0ee4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4985cb17c59c93adae7f4673692198a0

SHA1
8f13df216536578df99415b1d7400e93e72d0e3b

SHA256
61a92442570d05a0edafa2b07bffdb2ed31d7f45c39fe503fd6f402cf99e5602

SHA512
d905ef34923dcea696f83efa0dbe775aab107ef58f6a1ac18dba9eb24e88aa59ed1e8c0bfa3a403899833aad06a3908e57957b80af9d2e69fe997ab5e91e1dc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed243ccfb6fcd805bdf5d92faa3a8860

SHA1
0ad3881e99a9b889ebb22346dbe624f8a48f2530

SHA256
a1f859ce1222537f63aef1a4ae28acfc36bb7685e0b59eb1ddba37e832acf398

SHA512
a08640f20f3b03a8c3f0d77ed349f516e1d95a3147d5bf13467ad775e9a7e77793f868aae82e3fbcecccc870c4feab96cc59cfd795583be2dc8bc1d3dfdc71b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
480022ef27c3292e474bb2c519fdcc90

SHA1
d48a4b158710006d688a7c523e53e538b13d0463

SHA256
ea23ff02771f0f8dd62ecc10041defad75a5510aa4104ebcf2d92c6fe6ea5168

SHA512
6d7bc150c8372826f141afd0163116305b74c5f9704c1cd260b282b1fbdfad22d8578b7eefd09bbaa729385a067ea683ae053359554c07c43c2603fc7f89f551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a844d385751502f4b9ff98083c285d0c

SHA1
58ee17021e22aca73b7c702701e2621d752b6f39

SHA256
e4b04b455ba40888bc7b1db2c19dac91e3693702b2c85e8f9ea658f65f8a86a8

SHA512
8c7277f65ec192146a8f2f5086eae9e1575fec19f7eea8cbab51b955a2f727f7e17ec83977883ce3a06b20c307896e1ad5cc5de6a77f0343dd2f94b9612e1a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eeb8065c2699128b1c6e5b05d99acf1

SHA1
79728a942017a9a9ef9761dd1a52d387fea78e0b

SHA256
b2709d40a222f281f17f7cd325523fec7f34be3dd2aa9e4d5e535ea2d922f70f

SHA512
49a8900b7f2af20a1f816460fc85f02244e1b363c4c8fd5aa73888fefcdb567b0c46d8d775305d60107c1e2dc270762b092e02c4f98878a8ad3f1543beb805fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c3193041445c2a4e5342ae781f82d0e

SHA1
a248de240f5262b87b91bb4e5b3fa874481cedb6

SHA256
67138d0ebbd0ae790f39542726c9bf8e8423bac91af5c13c3e875210683ff2c3

SHA512
a3f4b73ca58d6cdc4896a19d1eadaa4bd344155940bab5a04e91e5ef866c941813f9e27080a01895e7e9ff8eab1f2ee885538cef41b8c1628f585361fd52612b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8218e461180189cfc24cc642c48c8869

SHA1
d96648611cc1231ba074c54b743829e22a95c5b9

SHA256
3d08c506464e559281bd2bf4d9ac04647ec49fb3b2b345a017819f4cff3b2ddd

SHA512
020ac13eda73a924a181e6348501c08273507e433c0f618c3577a703851964330369cf7c12395979d99aa6fbd398460508c3faeed9241bad5d7cd386e6199ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB36.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBB6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2488-1-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/2488-0-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download