70888da1e4742ba9c39375af1a929736f519e4b7d85ffe5595404f067dcea399

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
Size

298KB
MD5

4be8ed86e17763d30115400b9bfdb325
SHA1

e838fb964812f7185a0d4d11373f63cc55b98e05
SHA256

70888da1e4742ba9c39375af1a929736f519e4b7d85ffe5595404f067dcea399
SHA512

da69abf8d9412a1b6c8367c5e6e7fe9fe7edf86439996c9f6cf049d6f0d9a239ab6ea95e305d9ef5c95a70240ee2af2945d992c2a2a4ab12cf8955cbdcb71ceb
SSDEEP

6144:yRHUlXZmcUtyKNVwWJcsf3r1qfw9EYjOUt6f8H0p1SpaFqed:ZmcUtHbcsPpCw+LUkqA1D

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2104	SABB85.exe
3052	SABC03.exe

Loads dropped DLL 8 IoCs

pid	Process
2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
2104	SABB85.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winirq32.rom,ALUqrwyL"	SABB85.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winirq32.rom	SABB85.exe
File opened for modification	C:\Windows\SysWOW64\winirq32.rom	SABB85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	2104	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427248710"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A59939A1-4303-11EF-920C-D692ACB8436A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2104	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2104	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2104	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	29
PID 2532 wrote to memory of 2104	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	29
PID 2532 wrote to memory of 3052	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3052	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3052	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3052	2532	4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2456	2104	SABB85.exe	31
PID 2104 wrote to memory of 2456	2104	SABB85.exe	31
PID 2104 wrote to memory of 2456	2104	SABB85.exe	31
PID 2104 wrote to memory of 2456	2104	SABB85.exe	31
PID 2456 wrote to memory of 948	2456	cmd.exe	33
PID 2456 wrote to memory of 948	2456	cmd.exe	33
PID 2456 wrote to memory of 948	2456	cmd.exe	33
PID 2456 wrote to memory of 948	2456	cmd.exe	33
PID 948 wrote to memory of 2008	948	iexplore.exe	34
PID 948 wrote to memory of 2008	948	iexplore.exe	34
PID 948 wrote to memory of 2008	948	iexplore.exe	34
PID 948 wrote to memory of 2008	948	iexplore.exe	34
PID 2104 wrote to memory of 948	2104	SABB85.exe	33
PID 2104 wrote to memory of 948	2104	SABB85.exe	33
PID 2104 wrote to memory of 1216	2104	SABB85.exe	20
PID 2104 wrote to memory of 1216	2104	SABB85.exe	20
PID 2104 wrote to memory of 2932	2104	SABB85.exe	35
PID 2104 wrote to memory of 2932	2104	SABB85.exe	35
PID 2104 wrote to memory of 2932	2104	SABB85.exe	35
PID 2104 wrote to memory of 2932	2104	SABB85.exe	35
PID 2104 wrote to memory of 2704	2104	SABB85.exe	36
PID 2104 wrote to memory of 2704	2104	SABB85.exe	36
PID 2104 wrote to memory of 2704	2104	SABB85.exe	36
PID 2104 wrote to memory of 2704	2104	SABB85.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4be8ed86e17763d30115400b9bfdb325_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\SABB85.exe
    "C:\Users\Admin\AppData\Local\Temp\SABB85.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\AFGC12.bat"
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 176
      4⤵
      Loads dropped DLL
      Program crash
      PID:2704
- - C:\Users\Admin\AppData\Local\Temp\SABC03.exe
    "C:\Users\Admin\AppData\Local\Temp\SABC03.exe"
    3⤵
    - Executes dropped EXE
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abc6e0a83b0144139372029a7b03c47e

SHA1
56539c69279a6989d913f991babd685dbd09fc2f

SHA256
1703fffc9075f4dc1d67a85e42afd9895190fea87d9972b0e2d2162ea92874f5

SHA512
6bb278be84928f286468dda5aedf2e81db7be87e6dd15214b968693b549f0d0f419ed1c2ff98507dfbc4702227800bfd3ea1d7ce8331f86bfcfbcb44ceaa1251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ca17bc32d1f7ea74e0b887f60dff9c8

SHA1
4f3aaa78430b38726df3e0aa6b3988d004d1161b

SHA256
a70251e4fb011e6976ec9ad019ba1f5f4718805eda0d38ba2ccd0a809babaa61

SHA512
3d7e69feb747ba19289a7b635c56b5bb330aa2a23ff8536fc978f89fc8252c868a2bcabebd8b2a5988cbd9b2b359b407999e7889edb13d60767eeb7dc5efbb4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0306f4fb743a85b6ebdffefad2142f0d

SHA1
213ac0f5d066234cb64b0cbc4bd5d2a37eb1f728

SHA256
f4cc9c0e5a2eedbafaaba9a7a0885914d069204385efb56e06ef65cbaadc67a9

SHA512
ee8c0ba1a9b0d2c29d55427640e41b7f18b8b2fb97b25ff2499f6e22721880de63707b41a2dd3e47de4034e309e60f0f00507cd3ef0f9bab36351d83d262d174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c9ccd9dc78d2422646589169add7e5e

SHA1
1c0a87073a0082dcb058649c3287d6b29f24401d

SHA256
846927ece056e7e4491eeb91a8709e670bed1f379bf2bc3f286103389f437689

SHA512
1de418803b2e6a0346557ef5ecb460db0f8c9d4aa3a574605e2ac7483be9b07d2905278e5064cae8ed4e4ca25510c786c721b20ae0bece86ab332cc6a57a5692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66ddaa5a03c6e44db7014353a84f174b

SHA1
fb607d37a9e5a844bacfe3925d54fdb45c0319d3

SHA256
150b19823536db018cf88559dd551b4fc690bd2efaf0dd4dee4f0b7a20fe28f1

SHA512
f2f64d556f6047ca17d5a9cae080aa01210152bbd3a64ad2ba0593c12d1be7325d26372b7cd0d535f7043d3766e1c2642316986f12f293438bd7c0e6234027e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1971f2f8c3c08c95a964ca568b945ad0

SHA1
1e6406de3710a76bb489a86ce960452f4d7133f2

SHA256
4a6d8bbd54c945c551ab97db1c995bb649c7a01f3a5d362db08078c170215eb4

SHA512
68d5bc328869873b208bf90133e41521886ee25f1cea7189be0bf109bbd42b75b9b768459b5a6817b2156ea1f7990d34cc860df6b755669d13d21ffa80931052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2377ba54556a7c4fb795ddab9468a7ad

SHA1
d6206cdab8b16c8a5a95f6ae11ac405f820e580c

SHA256
9560686cc5a47dc834c0df15b3916c6f9019f989ba305e6a14713e6f198e2896

SHA512
48719d5c204b804b08a548f03ad78bb5cd7a471dfec8fa73b5d79895697ca9bc494b14309177b2599786c6b78b3035c468f55b06524cc7173446f85403fb170e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e156d57e666673e664b8792595ab3123

SHA1
d28b8b3d16d1d2e1f403bbbfce8636c350841da4

SHA256
990581dfeae70e268f1751c482f171db658d7f2f99eeb1488b6baa4fec504fd2

SHA512
ea164b2070ddce5682bc750eda52882fb1258b0d35a9385a7519363be5b0d33803b99818750da2f1300af250cee80f3e0beacc00dd8bdf3f589ca6184e8c3b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccd0a4157e5db3c09697bbfcd550a453

SHA1
2b17c0095977942a9f4c83ee2ec4ee5810bb9fb1

SHA256
413a7ce42519a233a1b9d065a8aa96b2c1f48d9191171a68b131f7e165c6fe09

SHA512
73c3dec1b2771bbe26daf9b0000aafa1e86ac08c3d05969a6e225a887f534e54a191b8042d71c9a28ed3f5ac454ba7968ad864068704ae8b7ba28eaa6f63c8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFGC12.bat

Filesize
185B

MD5
5f876927f5e2ff6e12b13854310106a2

SHA1
3dbe2a4f5f790f90123f870d6d41dcd3216ad376

SHA256
eae095719b2d459ee451011cc94e92c5de716654bb75db18688f1293246a2917

SHA512
1596bf47b3630d549a08064b0268f428b81caa227fbd6af26ad2242ad804fdb3a17560e2b4833111d9ef237a6ad8d7cf2d9606cbeb957e7d3fd769b58a5a3beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SABB85.exe

Filesize
133KB

MD5
a2b3a7c27f6569858d2dbfbf1f4858d4

SHA1
93ed7e0517176342b7f70393776b54ba918e3bf5

SHA256
2a364ae850abf4ab7cafd81332151b19b5ec062e33ba71113cfda5a619963690

SHA512
1bd0c959f19b7d2b91832e878d5849e3184ce26c7efc4cab0f03ef510b7a9c932d207414a948cf8fdd7c1f17ff90c27a5874804268df996a65fc2a29e414f463

Download Submit
C:\Users\Admin\AppData\Local\Temp\SABC03.exe

Filesize
90KB

MD5
d3457d4d1fc2c4ccb383a099a6d464f2

SHA1
213f013aa924c5e957ae32ad5e94f0df45039ad5

SHA256
a82c6534fb86e5cb189f20b9b11cb76f6845beedd5be5fb4a6dd313db08eaf8a

SHA512
6f04f77886b6f21529125a46771637da74255f0f5f48ef7360cf7c66c7fdf161f706bc9423bc7f4cd584eb1f8df31677892b5ae2b9c064437b27fec42e16f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\winirq32.rom

Filesize
60KB

MD5
e0580110d563b9825819840a3a5acc57

SHA1
8ad196cac4f4ba2cae767a296a5167b1b59404ab

SHA256
e55789fb610deadf5b2f1e1653ecd3cce065e1e79aa0125eb92af5d4573b2f95

SHA512
8e9c2cacf697bca7a9a2f84b4bcbaf626caf5a931fabbbc0617f1cc1bfb0625e90a28317ab708af9e178d7703d5f8b898c0b4950996b8f49b3924563e88b4852

Download Submit
memory/1216-45-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1216-42-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/3052-40-0x0000000000FC0000-0x0000000000FDC000-memory.dmp

Filesize
112KB

Download
memory/3052-41-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download
memory/3052-22-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads