Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 25-07-2024 13:31

Static task: static1
Behavioral task: behavioral1
  Sample: 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
Target: 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Size: 18KB
MD5: 6fc6be59efbb1e8ed408846e2d5e1651
SHA1: 6eac83d62b40f19eb2cba84c620c2b81862749b3
SHA256: fb58c516ffc69852a75374ffd1fcde976bf025d47cd3a5c7e77f426f78c4e173
SHA512: e22bd26fe2d44a76e182046a4f02c915551128e39cf8cdf11904492cda8a57233fd42d787c6809ae811907cf5cbe8977317a4ec51e81ee80921f39c6392f2497
SSDEEP: 384:4Z0NjUfyn3Dkot9qd1+94uqtTslF7YooiT+2j0FmllNGO9iG9OQ:4Bg3BtId1+9ETgWXiT1XJ0Q
Malware Config
Signatures

Modifies system executable filetype association (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)" | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.budazi.com/" | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File created | C:\Program Files\Internat Explorer.url | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Modifies registry class (44 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O) | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://www.budazi.com/" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110} | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.budazi.com/" | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://www.budazi.com/" | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R) | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O) | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node | regedit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)" | regedit.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R) | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)" | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Runs .reg file with regedit (1 IoC)
pid | Process
1392 | regedit.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeBackupPrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeRestorePrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeBackupPrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeDebugPrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeRestorePrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
Token: SeBackupPrivilege | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2156 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 30
PID 3048 wrote to memory of 2540 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 31
PID 3048 wrote to memory of 2540 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 31
PID 3048 wrote to memory of 2540 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 31
PID 3048 wrote to memory of 2540 | 3048 | 6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe | 31
PID 2540 wrote to memory of 1392 | 2540 | cmd.exe | 33
PID 2540 wrote to memory of 1392 | 2540 | cmd.exe | 33
PID 2540 wrote to memory of 1392 | 2540 | cmd.exe | 33
PID 2540 wrote to memory of 1392 | 2540 | cmd.exe | 33
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fc6be59efbb1e8ed408846e2d5e1651_JaffaCakes118.exe"
  PID: 3048
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    PID: 2156
    - System Location Discovery: System Language Discovery

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
    PID: 2540
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\regedit.exe
      Command line: regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
      PID: 1392
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 7fc26795b4b8aa785f4d907a73db630c
SHA1: 59298b634861f6f2ff36819fd27a9f8483323416
SHA256: e940d331af8cabb12926a66123a27ec902f513faf071d905fcc7a2525be164c5
SHA512: d55b85da998d9807f80b34b79f89c30251df4832044115a741c9419796635bbb09286eb79385bd9de0caf42b43e49e00b8b33cf022a117af5245f3288c0360ba

Filesize: 83B
MD5: ffade1cbb9dc3a534e65a9cb92d9fa87
SHA1: 713cc6f8b1f562a0fa3b222419d9b78248b61407
SHA256: af1a79eaaaf6829158b5d5b07126002e558042547ace0d87fa83b21ec6aaaf2c
SHA512: 32218e1980d8bb5a74824613ded82fa98271a85e4cd1b86cf06b821d8a3ef3cd6cdc38615810a450526db65b9d89c8c8b4d27229b718a4ae142ca92d804fbf3d