f799a6cfb79f9fde7c6689aff3ae41ac7cb0f51995ff6a5acd24db62df5a527a

Analysis

max time kernel
134s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe
Size

42KB
MD5

65a8ebd2f8ecfd6c708f5ca10088916e
SHA1

7d6ec83d2748033fadb6ce4d6217a94796a6fa31
SHA256

f799a6cfb79f9fde7c6689aff3ae41ac7cb0f51995ff6a5acd24db62df5a527a
SHA512

566ed17fe1c824627336e3a7629672a579b98f025bd0619aad48fe41f1611ec00d68c5a8df47217244a7c0ccf7f8d5e198407992beb52f924f309d576c13c6bb
SSDEEP

768:0i+GMBFeEFcsrYg9KJmZHB/w82KDWVeJ/ZIcHUeOmCe07GO:0i+GMBFpcqf9KwZHTyVeJZa

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winqeo32.rom,aoLRun"	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winqeo32.rom	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winqeo32.rom	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5369211-489F-11EF-8E5A-6EB28AAB65BF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427865546"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1844	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1844	iexplore.exe
1844	iexplore.exe
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1732	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	29
PID 1292 wrote to memory of 1732	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	29
PID 1292 wrote to memory of 1732	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	29
PID 1292 wrote to memory of 1732	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	29
PID 1732 wrote to memory of 1844	1732	cmd.exe	31
PID 1732 wrote to memory of 1844	1732	cmd.exe	31
PID 1732 wrote to memory of 1844	1732	cmd.exe	31
PID 1732 wrote to memory of 1844	1732	cmd.exe	31
PID 1844 wrote to memory of 2472	1844	iexplore.exe	32
PID 1844 wrote to memory of 2472	1844	iexplore.exe	32
PID 1844 wrote to memory of 2472	1844	iexplore.exe	32
PID 1844 wrote to memory of 2472	1844	iexplore.exe	32
PID 1292 wrote to memory of 1844	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1844	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	31
PID 1292 wrote to memory of 2496	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2496	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2496	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	33
PID 1292 wrote to memory of 2496	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	33
PID 1292 wrote to memory of 3060	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	35
PID 1292 wrote to memory of 3060	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	35
PID 1292 wrote to memory of 3060	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	35
PID 1292 wrote to memory of 3060	1292	65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\twe9F4B.bat"
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9aa62ce9eda8de03c53e3b33cfad61fa

SHA1
bc13d9183829e62d4ca818806a2651c468f5b7a1

SHA256
4b00ac6e294357845f929cd06eb4514f51cd7f9e226b38f96f6f72c25603153d

SHA512
314cebdfc313b5d1e92910b437e70c8015a53dd37c4cfb9121ed727996059c51d97766068b634cb45789392e43103d4e9344344db47304501e45f256e3bd4fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06778a1d2e2cbbbd254f5dcbb4d8b4fa

SHA1
b77871955b2496d385de964aba4c1aa4428eb83f

SHA256
74796b7722bd0c047ceac38106c3dd68d0befbc5d7489d4f5a32a611769b4d3b

SHA512
ded31b764b0bc2656b1e81b442ce98713a1167191f56be034b8d399f9706bb5287444a3bafea58eb4822d87d804fdace9206a4b6ea5785ced54e98cb0ce701ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9051c3c2ce413384af4897987c5a8238

SHA1
f7ae1f48bbe562f5d37d05ca6cc6a2a7c9195673

SHA256
daf17cdef3954fa57e8afa378d5b51f7e14896a4c25f2bc0f6b86e45ab0c8000

SHA512
519f9bd97e0090268ce334df8ce0c24574fbd71c3f3d791bc46720792858cec10c7aef7e0955584c13bc7a86a666340ee063c04eaa7b5045537893119a058718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
230e1701a4a9164992f55a21071e3ed7

SHA1
7d283607d7cdf53a63b23f219343148cfe13c206

SHA256
1503ef0923b6d4852ba8e276937c75573ce01e88caf8ac6bc0687c9b7a9a9943

SHA512
7f27d30188c466327235ac667b736fd5319625d50c77664ffa8b37aadcf309311900843ac1ffe4fc81311c7b4766d6fd60fa3eadeac04f8eb01cc4155646e6bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2931b808be4468e5f369c9f43d3fe587

SHA1
fd6f2baea486277351fc763027a183d28ff86210

SHA256
269c489335e748ddee15279f63012bf41b4c331e541e7321a224b87f033c2dc3

SHA512
14c82a900e94dabb9634a1f75333419205b3770d15314f8b9010bb313b29c98831d94c8648d36e56a96422d6166965a17ec7a6e4cc55e1ee846132e1cf40de10

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a8ebd2f8ecfd6c708f5ca10088916e_JaffaCakes118.bat

Filesize
305B

MD5
5db8b5ae784d2e5b8f2c1baadb1712f1

SHA1
e719b674d3c1d7210894dc43a70aa3d4f9aedff2

SHA256
2779de7f00e0a064a4648b337a6271b3abaa394b51ec4407c099fdf1bb7b1d0b

SHA512
1c6c554181f119550f597f8731ab45cc45b1b82432fa3dd1f7816f3ba6e777c6d9f1a824c1695242c43e6886bcf8f147764b7b51a564352c972bf926a6dad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F5D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA00C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\twe9F4B.bat

Filesize
188B

MD5
da8e4a43bf2f877e8dbeee3a350d9bee

SHA1
d6efbc26c5aa7505d7f99560e0d00b5b088e74a8

SHA256
0357944fac1949a669d5147b5708e0dcd72dc3c12ad675b9dc4c57c109a98489

SHA512
34eeced0be971d8854ba6a5f6953e4eaaa38c40b113a790bac03f0e25982b09890a24598edf982516dc7b4111f1e8250e0ba0349762b307eff3eb3fbec6c78a4

Download Submit
C:\Windows\SysWOW64\winqeo32.rom

Filesize
31KB

MD5
660f17720f49d2d2fd6c70cc5a1f0fc5

SHA1
bd4187f3c1d2f3aec9ecddba81b225133d874164

SHA256
8eaa6726a4873e22097cf1d7b2bc583778f3afc9d20bebbd7e470b23d3e610d5

SHA512
14cbc458817f494f1af7bf448511c2df350f53dca6eb6448217a9ac37d9f0d601f75eca153b6ed8d24b3e0a85cf41459fce66f8c878a8e2b3723d13529812ced

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads