ffe6747caf8a070c8fffa71d6948d675fe0a65c44bbc5153e55a7c711e3b8b28

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe
Size

104KB
MD5

6974f27448bcbddcd47cdc6eccb8a71f
SHA1

1d7f92aa92f3668922d2b688ebd0269a19e4fc99
SHA256

ffe6747caf8a070c8fffa71d6948d675fe0a65c44bbc5153e55a7c711e3b8b28
SHA512

05fa37f04a8e59665e9dc72fac97bcd49458d5744f7da45b63069d778eb6751acca7a8893a295e19e1496fb1c1581dc39ea359318e8638af0e40edf29e97f8c0
SSDEEP

3072:QMAtK5hBnBGBl3FDDDLEcvswogdkNzY0ZybeJ:TnEPdfLrmFRXZ1

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winury32.rom,sSdQxwuyXWZ"	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winury32.rom	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winury32.rom	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2136	308	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34DB9041-494E-11EF-90D6-5AE8573B0ABD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427940442"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2240	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2240	iexplore.exe
2240	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 2456	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	31
PID 308 wrote to memory of 2456	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	31
PID 308 wrote to memory of 2456	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	31
PID 308 wrote to memory of 2456	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	31
PID 2456 wrote to memory of 2240	2456	cmd.exe	33
PID 2456 wrote to memory of 2240	2456	cmd.exe	33
PID 2456 wrote to memory of 2240	2456	cmd.exe	33
PID 2456 wrote to memory of 2240	2456	cmd.exe	33
PID 2240 wrote to memory of 1616	2240	iexplore.exe	34
PID 2240 wrote to memory of 1616	2240	iexplore.exe	34
PID 2240 wrote to memory of 1616	2240	iexplore.exe	34
PID 2240 wrote to memory of 1616	2240	iexplore.exe	34
PID 308 wrote to memory of 2240	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	33
PID 308 wrote to memory of 2240	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	33
PID 308 wrote to memory of 1176	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	21
PID 308 wrote to memory of 1176	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	21
PID 308 wrote to memory of 2836	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	35
PID 308 wrote to memory of 2836	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	35
PID 308 wrote to memory of 2836	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	35
PID 308 wrote to memory of 2836	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	35
PID 308 wrote to memory of 2136	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	36
PID 308 wrote to memory of 2136	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	36
PID 308 wrote to memory of 2136	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	36
PID 308 wrote to memory of 2136	308	6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6974f27448bcbddcd47cdc6eccb8a71f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2240 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\xzVDE2F.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 124
    3⤵
    - Program crash
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6a8a2fccdfbdb219cc1996e11a454685

SHA1
24451efa0ea456ec0e209979600a4f09c2ad0671

SHA256
b89c7bb7b3d5b787ae76f674af433068c307f8c590ab43f4cde1383992b1c161

SHA512
d5772b7e29bfcb1764a813599f9e15ec10feaa918360281ce4a3edcf7078b1abe7b47e71dbee2f262dd9dd02ff871ee0969d3301fdd4ff714b5b68b4dd1178e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a9314378fe25146000a39febd90150e5

SHA1
00d4a80ea36f597aba001f5e397f5998b9492753

SHA256
ace0ee4996fe915c1d7cb30eba81276cefdfe287b82e1e214bb35b0c17ff151b

SHA512
56fba6d933a22246db850942b6df7b8350da59aa7a6da57cdb0fc535ea7c183d63111a0e9ee34e3ac594f687cf580002449e06661ea99b03bb71db9a05020728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5e4d9d7514e5a195b89851f801cd9259

SHA1
348c264fc8605fd98281eec2b35daf7675209c69

SHA256
36204590e1e3d21f067544c2d2497fa2ba54d64be130184e162c87a3ca3254c1

SHA512
5fe7cde661c84e17a8a399f594bcb94555022ad8e27937a9a5b0699752c429f210781c87bda44aa2f4628928215137c7834d45921ed7a9529411baaff5f0b6e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d99b07c19c8ca6df2e7045d9d6a2bfb3

SHA1
631574359e96310b4c3855d13d5a66399d834025

SHA256
8efc33b0e24f845fb51757c578ecf3318212499fc5f7b66b459754a63f0cc594

SHA512
ec4d81c12013f3d745158fce753aec5e25874ef38cd4d3d4fc4845a814bcbc0312d9d4ba9efeac23cec817efed746a3342b8f5a9ff52190fe8892bd0b919da28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
daef9edf08cc3d5bf2bf43d1c4d50f74

SHA1
9a3cbe5a2a6c2b17fc9bc07ba3734264ad1860e7

SHA256
9bc7b9b822b968cb1b6e577eab52bf651248e890b8502528938d15275f8fcb2b

SHA512
bc83caaaaa01ca93092e77fa527a0250d9df17d93bda4c60c248dbe5be2af7a9eebcbc07cba87c0a5db3cba0060f16ea796ae490482ad06428f301d2b4c90c72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
456fe9ebb7dc7cbe187faf1d19ad4cf7

SHA1
3f9768d24c462fe21bb38145737038b2d60f0150

SHA256
926101ad79957437aa5e335435c05f14c469a141c2277558729be0ec5d941ac3

SHA512
46707b7f4fba1f3230c148dc9e8d54b4debbf22373a8ca049a156dd127159ad0f4f6fbe45c981a3bf6b620e3f1ccdf8a3c8ed09e83c5ea7978aee73e79b49bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7806e0ddfc8903b1488c01597d08c90a

SHA1
9c7247149355331656feb65ac4073d4b559df081

SHA256
e15dcad07ec68c922faa75ed7df4a7e0b697a8926111b4723cb6a3112815cd82

SHA512
58fc845de097619ff32e052f23a1386db5b6187fe18cc7887ca5a9e8d70f7db75a88214772029ca02d62e27d6234e48dbb002b9542a266fc2e25774c6166e61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
da50fe4fd5495e859aee1f6896175cce

SHA1
53b28f7219e88bddedea5485dcf6423837272dee

SHA256
91324f35023593fae5cc05434d1d150752659edd162507bfe29eff018bb17524

SHA512
021929e6cf2e96e3ca5fa3e35f4346b22f82725aa1588cff3df32d9173cafaa8940409123dda2fb4aa65340ec4fc1c380acebc7c12f47df97b8d97c53d27d4bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22b92c83dcb123c201b5958c00352060

SHA1
e692276ac6f19dd203cbf285424887b9da226bfe

SHA256
d3e2f0b22ebca2faa327e891a805e20fc3829214a7c8487d41e7f5d8843e75ef

SHA512
a25ed7634403f03a8db7669b9160f000eedf7e5a915a2c1a8d55838086d701d0effb1ce89836c0fb5ff0fd6e8f6bb3fe6c84f3db67fa751bbe2002d624cb5344

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE83F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE8E0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzVDE2F.bat

Filesize
188B

MD5
6077c0677e888f59cf5a2e7d8044a6f4

SHA1
286a2c5b76142b842ea3bb20c44d3c46963a7ba9

SHA256
c15981d7f4d3c95d4426c44b785db24e3e5685423015578fa02f9a7ab2e48708

SHA512
746bc43a71fbd49596ca2f1e5fe0fba4246dda5d5f897d35ccafbf5de996132ab26d9b66ce78b95c4dc4c741c832be0096adaee5cd1be3bac331b67c3de8115e

Download Submit
C:\Windows\SysWOW64\winury32.rom

Filesize
61KB

MD5
93d2da20963a655bf1f9825f2d8afd01

SHA1
d55cf2dbe0852216a3fb0991d9d862808bc1f5c8

SHA256
03f0bdfa7df4c43a9e5a9b2ee9a93ff77718403d921a1cffc588b436dc114fe3

SHA512
53a1619aad8b5710348e4e645904c0f092d2880ce6ba91b90c946f74afecaa45372312b30105f0dc16139eee4dd7be7849f2903cb0d9f3d7e451f1f16dab4b1e

Download Submit
memory/1176-25-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1176-22-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads