3a01d0131ab2e5854e6e01603fcd33ae33b76cb5562de3974b27472cb6054da2

Analysis

max time kernel
117s
max time network
142s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Size

1.2MB
MD5

47814959cdb37a0fdd899077b0beabb7
SHA1

b4387a2c712ac2cbb58edda927c5378634a0a3dd
SHA256

3a01d0131ab2e5854e6e01603fcd33ae33b76cb5562de3974b27472cb6054da2
SHA512

d7cf9ca1db735b8b05167a4cdde55a54d14f899814219f0c7af4e0fcdb439a8482057f635c5c08a57d78dda6d08ccf0a78c0b330fd9c7aa3fae8ed4ec24bd87b
SSDEEP

24576:XLZT6ecMnbj9lJmR/tHMna2NPCiWZZXb87jcMeSGauWrziWC:XLN6ecMnbhlJmR/2apFbbJMeSGuvC

Score

8^/10

persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAAAAAAA-IWE2-R26D-0I80-XP2V372A0343}\StubPath = "C:\\Windows\\system32\\msnmsgr.exe Restart"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-7-0x0000000013140000-0x000000001314F000-memory.dmp	upx
behavioral1/memory/2704-9-0x0000000013140000-0x000000001314F000-memory.dmp	upx
behavioral1/memory/2156-0-0x0000000013140000-0x000000001314F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\system32\\msnmsgr.exe"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr = "C:\\Windows\\system32\\msnmsgr.exe"	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msnmsgr.exe	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msnmsgr.exe	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2704 set thread context of 0	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
PID 2704 set thread context of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DECA4271-4243-11EF-91C9-6AF53BBB81F8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427166350"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2836	iexplore.exe
2836	iexplore.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2704	2156	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31
PID 2704 wrote to memory of 2836	2704	47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe	31
PID 2836 wrote to memory of 2812	2836	iexplore.exe	32
PID 2836 wrote to memory of 2812	2836	iexplore.exe	32
PID 2836 wrote to memory of 2812	2836	iexplore.exe	32
PID 2836 wrote to memory of 2812	2836	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\47814959cdb37a0fdd899077b0beabb7_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a890034b83714fe38ab41a5f53457c71

SHA1
b92acee315d917feb59a9eff4b0183507b804ac4

SHA256
4826b1ad783e809bdf7ae54824c427e494f17c9c7c8110598a99eb56edc1fa15

SHA512
e1d4b126a66ba1ce869ffaea2649dedcc7a5fc36d5270fb0f8d48abc03433dd641b0a168abc9e85478f20a05fe88a16b2e6e9fcf2573bfb2c5811a63a8f275b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70435431ccc84c85bd096032a8243654

SHA1
1bc810891d1a0760350db6c406dd680ad11cfdf2

SHA256
aa5151069faa9836bb10626805420fbee0482223247ebaf435a4a5495746fd8f

SHA512
84345d549c774dddfc2d0775caa6f14478d7572671c1e3ee51e1ad50245596e59cb6dcafff928de72315dbc78b68f1fc6350b72f338af683155670aff79b1c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d08dc5261cbc7aa539f39d5cc5fd1e7

SHA1
e464abe0b1fd0fbf7b5d7299d8b0a8bf31aefc32

SHA256
256d7ee5f0cdc770979d1b9a8948dd21c91072dee8bd8a92ad3960262119d341

SHA512
d1733198e2f8770428435af9e7bce68848c3924c295159fe93b498d9756565896f78b72e65e746a3afecf0d80d49f6479b00370c607a0f0e45ae8ef91e775fed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc17e1185387b119d11392fccace788c

SHA1
e229b36e29d5515cc679f1f43c5aacea880996ba

SHA256
349ac8de4e2d7c71334987a7de6dd3ca7aed5917360a06bee7c393c840fbd963

SHA512
98eaf660d3b63c00cd2fb7c8aa31a4393fb7ed0a26dba95ec7a9db8c88e375768f0db5d1061ab34c07d0d0513fe359950a27d32adf2580bd7a98abef8c8dbbe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
767e2696e3c463db3160fe2e5547d9a8

SHA1
156b07f912fa719eab1f860dd5f4db66bfd794d3

SHA256
5e40cb397849d98f18bef1db783ee296ef451bbde9e67a352a6d26c7b7b7f7be

SHA512
3c958754aac6522a02caae80b0bb2b56b6aa8183d90fdf6f192ec46b013be223f6ab6c99528afe668aa87f763c65b1169540f45f9604cadbe7d2eeadd15690ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc96162e94f227702b4e00c3e9c81f9

SHA1
ac538759e39dd850b663a92566a6a5ef8a7896c4

SHA256
d93549ed2e186a34c8a87767b562680b9ec7deb7eb65616dbae7be418b6e943d

SHA512
64f594d032f8479de1e1302dd14f4ebca34a674b48ae25c37b247a94fd39e0a9afa5dc3b344683a5691149134be1fbb74d7586b2615e16e0e452b0ddd328b32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00d6ce254d8190c6453c55475d0d639d

SHA1
a97e3360cf69dcadf4be83d868f52f2ce8ea259a

SHA256
e7d88fac6a6e7d9d61bfc6a38886c188ab41b8c8aae859dc76de8ff091750274

SHA512
cbd531cddb85909062ed71242cd2d903bc76ae724ea9fd9d3fbdad358bcbdf5cb6606f3c2204a5829a3e9899352fef0be72b2d392527f65afcac7eb447f5a137

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DCE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E5E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2156-7-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/2156-1-0x0000000000360000-0x000000000036F000-memory.dmp

Filesize
60KB

Download
memory/2156-0-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/2704-9-0x0000000013140000-0x000000001314F000-memory.dmp

Filesize
60KB

Download
memory/2704-14-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/2704-2-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/2704-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-5-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/2704-11-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/2704-10-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download
memory/2704-8-0x0000000033140000-0x0000000033284000-memory.dmp

Filesize
1.3MB

Download