1d3ea1bcd3e448de1b2ad97bf9a6004cea02cbe5f0c17e50b2a323d29ba48f5a

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe
Size

162KB
MD5

67a2e852578a44251a44b83aa139ce60
SHA1

064a6c34c3b9c7562357293ee752a96ab84a43cb
SHA256

1d3ea1bcd3e448de1b2ad97bf9a6004cea02cbe5f0c17e50b2a323d29ba48f5a
SHA512

a34d35a6bdc2a0c50b81a199628e8a397cb84aba7341bd3727496fda2fb6025c062d9f9f0f80a88fe4bb34233d15caca4749ff963dc2daf23a72ac550e2ed0ac
SSDEEP

3072:DQIURTXJ+MOWjvIvndGdxLyE9ctXp42v7ZIo+VeEJNeAgoIcIhekJhzG:Ds9B8qLUt54qUZ/g5tzG

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
4936	RUNDLL32.exe
2656	rundll32.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysinternals = "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Sysinternals\\mvbgarkl.dll,kdfjfslkdjfklfjsdlkfj"	RUNDLL32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31120637"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3600974555"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428503518"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3600974555"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{02427E03-48F1-11EF-B355-4A319C7DE533} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120637"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4936	RUNDLL32.exe
4936	RUNDLL32.exe
2656	rundll32.exe
2656	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4152	iexplore.exe
4152	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2656	rundll32.exe
4152	iexplore.exe
4152	iexplore.exe
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
4152	iexplore.exe
4152	iexplore.exe
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE
4316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 4936	1640	67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe	85
PID 1640 wrote to memory of 4936	1640	67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe	85
PID 1640 wrote to memory of 4936	1640	67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe	85
PID 4936 wrote to memory of 2656	4936	RUNDLL32.exe	87
PID 4936 wrote to memory of 2656	4936	RUNDLL32.exe	87
PID 4936 wrote to memory of 2656	4936	RUNDLL32.exe	87
PID 4152 wrote to memory of 2808	4152	iexplore.exe	91
PID 4152 wrote to memory of 2808	4152	iexplore.exe	91
PID 4152 wrote to memory of 2808	4152	iexplore.exe	91
PID 4152 wrote to memory of 4316	4152	iexplore.exe	100
PID 4152 wrote to memory of 4316	4152	iexplore.exe	100
PID 4152 wrote to memory of 4316	4152	iexplore.exe	100
PID 4152 wrote to memory of 2176	4152	iexplore.exe	102
PID 4152 wrote to memory of 2176	4152	iexplore.exe	102
PID 4152 wrote to memory of 2176	4152	iexplore.exe	102

C:\Users\Admin\AppData\Local\Temp\67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67a2e852578a44251a44b83aa139ce60_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\RUNDLL32.exe
  RUNDLL32.exe "C:\Users\Admin\AppData\Local\Temp\mvbgarkl.dll",kdfjfslkdjfklfjsdlkfj
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Sysinternals\mvbgarkl.dll,kdfjfslkdjfklfjsdlkfj
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2656

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4152 CREDAT:17410 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4152 CREDAT:17414 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4152 CREDAT:17416 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MQYRE6E5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvbgarkl.dll

Filesize
389KB

MD5
c9c123fdf0e7b7124d419590ac387e0b

SHA1
0576403dab2da7bb94a673b5c3a252053dcd0ee4

SHA256
7e663835edd6b61b3ffcf93b62331dabd248399f1f656c6c98b46acebe7d1558

SHA512
c68e611512cadf981b95018a0ef8f20e9bdac839feaa1c8ce8bf44c95c77e69a1b698b7c0cd77dd51b1444c5028a9d9931e91041a4f1c997101f3b0c627216ba

Download Submit
memory/2656-6-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download
memory/4936-4-0x0000000034000000-0x000000003406B000-memory.dmp

Filesize
428KB

Download