5d36244f243c33c7f0700231d92558d7ea84975310fb34900b7265560ee99e99

Analysis

max time kernel
121s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Size

47KB
MD5

675893111f243b965cbf829005f0612c
SHA1

bb0f943d4373b30297f02ba3f6c4746faf25a731
SHA256

5d36244f243c33c7f0700231d92558d7ea84975310fb34900b7265560ee99e99
SHA512

60ee509f19d417209504936521f0494560d331b1f1c9499cb58fdaf6158786604d10135d1a7e97bcc93078aacf03a291fc3d58f982d3b8f60fec756e22393cf0
SSDEEP

768:8PZ7qtPegxpQozpzpn7UM4epXNeyvrvlTaXRubLrlFLy/CoNh/BRijM1/f/nKXlB:DBtQOzJUMRNXvxTaXEpI/7hz/3n6B

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CE67A11-48E7-11EF-AF97-4E18907FF899} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427896192"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Token: 33	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2724	iexplore.exe
2724	iexplore.exe
2076	IEXPLORE.EXE
2076	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1828	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1828	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1828	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1828	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	30
PID 1828 wrote to memory of 2724	1828	cmd.exe	32
PID 1828 wrote to memory of 2724	1828	cmd.exe	32
PID 1828 wrote to memory of 2724	1828	cmd.exe	32
PID 1828 wrote to memory of 2724	1828	cmd.exe	32
PID 2724 wrote to memory of 2076	2724	iexplore.exe	33
PID 2724 wrote to memory of 2076	2724	iexplore.exe	33
PID 2724 wrote to memory of 2076	2724	iexplore.exe	33
PID 2724 wrote to memory of 2076	2724	iexplore.exe	33
PID 2292 wrote to memory of 2724	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2724	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2628	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2628	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2628	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2628	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	34
PID 2292 wrote to memory of 2528	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2528	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2528	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	35
PID 2292 wrote to memory of 2528	2292	675893111f243b965cbf829005f0612c_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gos20BA.bat"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a3ff023d8640123484a638c8d2bf04

SHA1
f552e9e3c63b4148f66a2535b73a5d7eab9aa56a

SHA256
789e1a10f0df1d40fdc1a8836c37a4900f133b62278f288082fba9672b377a83

SHA512
46204b47582eac9eb830d43e74ddb2efee8befe6f0e23abd4fb85057091a7d46ed062625f5c3a97df56b17604fc1bac4518eb28c9a35599ddff396790cd4cd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b5a832f25e6acd04c8b66a3b97b8903

SHA1
c1268636051f44e8ccee8e2921ffe5a4a4f3f247

SHA256
730768a9cef312d8f1f028d2b4d3f343cb1489cfa85c7807209d19ccfbb9dd36

SHA512
1f3fa92e2b93206ed4cf472cc989e0d06b5551befe44a6ae117479095f333ec9678057fff2b31308709164b3ad5ef7b7d043085d9fb6c88ff687d48515c2a517

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a58bdda992aa36fd559f6c8c34d4ab4

SHA1
13446b6949a5b905759d55582ac8bb3be30fdbef

SHA256
4bf819ac9861b5c1aade2b9ef202981f08f540febadeb94ba4638ba4717a8ec9

SHA512
0bfb64c560dead248fb97422b1450a40c58169abff224f8e69e0eb1963d4954e0ff50fa365fa285cbbf19d64c005b41e792f0da13727050e1a1dff8ac881ec0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
874ccdaa30cd9c731c5a0b49136f1d18

SHA1
36fbf21d659062cd7b0df02d98f8423cb2caf266

SHA256
e65b0ba93dd98f59401d1e607429e4820a92ae9b9eff53b5d3a5c71ba75cd15b

SHA512
ed2e6163341da1389dcf52bd5284034699ccfb6dbebc5c26dabbb2ecd75c39959580966fa2015cc792a6aeebacc2b477302cf4e8be134c27af4a6fcb6b9540c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ae1666db31f292a32e3e63ead962068

SHA1
2f68cca5cf11e46edf53d90af46f7cca4f4e77cc

SHA256
3b83a4d1e08ca27d704f0a26297e8626b0840cd1058c8e59666969d76b5b840f

SHA512
a922d449efd21aa78cfa3dc63ba5f6585d73ff03988073388a43c9195014efde0c95d8025a098ac8d1fb606c7e57d7309aa67a7784ce4d2d9159b6e79b51cd31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
279504820416bfbe69ead5ba2d6e017a

SHA1
1ca420eab834c1c109d98bae4e7759d63d0c303e

SHA256
74992e4552ef222d9bed9926c8aeb637b54892e40df6006d801d45746012b396

SHA512
d78156ff72cb8b07cab9b4e4afec42a87249737aae534c96f768e813af71987997012cda41959cc57e2be82b27ce0f8ac51735b932b211c2f54b416aa9d3ce88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc7393e08811a3c6955b8c393ae3944

SHA1
279e843e4e8a1a65e04aa93f86dbffc7ca8e2e0a

SHA256
236d69183ada357da3eb08be210edd4fe4e8fbe1f77cda9c7f6e4f157e5f41a9

SHA512
696adb32d5d589dc76385795f67574ac93e87d197fd8e47d450d049f7865a4f468c4ac8a265232f8e4db5a984c7d983c744de3ab653cf26d8258db14d4456783

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85c763a0c003db22cc2066a4efe18726

SHA1
9722317cac0127f7b283bc67e9aa2a429a9b4362

SHA256
08686ccb81bae30a31886313c1a50c707a718ff211234c3c9bc687ad3e39af1d

SHA512
a03bbe4ab10834e6e190b511552f984ca34372a8a3ac6590d9934365a0150a3d726b52de7176e1fc52fcefe84cb8532ad4c27ef08aa0cd5f8e88d40820ccffbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80930bd0a861b5f1a49527c0dcf927d7

SHA1
5387086affef4c3ae7575fb09f201dda03fa9bda

SHA256
75ff81f24e9ce10c70933e87a6bc20618203edaa0720ca6cdf96b4cb9b8234be

SHA512
2fef1665f5addc0ca1a3ba6333353a593a5bdf02d7d6481537140ad50c975018ede201065b7fc06ee4a8425bb27fb36303a86380e28fde4b43580abac463798b

Download Submit
C:\Users\Admin\AppData\Local\Temp\675893111f243b965cbf829005f0612c_JaffaCakes118.bat

Filesize
307B

MD5
6a1a7b971a636bc7c4ed9b4517f2bce8

SHA1
405d39446276c0c205992fe587ca98942af887bf

SHA256
4ab7b5220309fa971de52ca25dc8ec56aba54703ebc4b82cb4f2a35c34edfb0c

SHA512
504177882d594ed16277416ec7c392ade5a382e16e0dbbed735c17315d88ba3b8c10660bdcd099d9592d6eb71ae2854692696555fb124fae8ef6fe41c7de1358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F4C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos20BA.bat

Filesize
190B

MD5
dba16f7216d6434dae4514a37779ad1c

SHA1
c16d511deb4f720c209023e5656603ec2213c598

SHA256
027fa3f60187cfca49ad564251ea3ddf639cf28d36238a2a70b1ac312f3359bf

SHA512
fd14ebd62e2a782b6ee0dd1f40391ab7672b93ce8ccb24ada710e3ade643aff47561cf28fb01a5f22f1711630b3b9a17a87e2657deb9517ecbfcfaad190cc2e3

Download Submit
\Users\Admin\AppData\Local\Temp\gos20BA.tmp

Filesize
26KB

MD5
a5f25b49632f6e91e0a0e8fa0465473f

SHA1
94a246dea7f6eeadedeacc3df3f353ddea306389

SHA256
a000322d6d7ee57b072461f651ecc6feecd5f3441d5353931ab7ab660cfaf913

SHA512
85765a3cd9b4c9b1031e0c2d3107ab74da0eef82f7712527e87e85164e718c5cc2e00080326b2fe99764602984d3817e96cda127c1d02cf8ddbc4b99f7141088

Download Submit
memory/2292-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2292-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2292-40-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/2292-41-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2292-6-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/2292-5-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2292-1-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download