8ff22d645a321931496b1b7bb454cceaeec341fb74bc725004b03ec2da420b12

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe
Size

61KB
MD5

6fe9d60f018a5482aef63263e29e3afe
SHA1

8e272c8e9d7a756887314bd6e2a78233bf9285b1
SHA256

8ff22d645a321931496b1b7bb454cceaeec341fb74bc725004b03ec2da420b12
SHA512

62da4b50c1ed38e0f94e4aeac15ec663ac63962a37d891892591a70b3130c56b99be7874a39bf2176f60cfe7160283a3e209891e80bc3bff02346104338489ba
SSDEEP

1536:ejJEPbaG87yNbm1t2YEGehpwYf1J2GmkRFnPvtgcUtjsnfltc:QJEPumot2+KKYz2sRoutc

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winyfm32.rom,XtAoYJS"	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winyfm32.rom	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winyfm32.rom	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2968	1976	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AAAC321-4A90-11EF-8E00-526249468C57} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428078669"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1960	iexplore.exe
1960	iexplore.exe
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2548	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2548	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2548	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2548	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1960	2548	cmd.exe	32
PID 2548 wrote to memory of 1960	2548	cmd.exe	32
PID 2548 wrote to memory of 1960	2548	cmd.exe	32
PID 2548 wrote to memory of 1960	2548	cmd.exe	32
PID 1960 wrote to memory of 2720	1960	iexplore.exe	33
PID 1960 wrote to memory of 2720	1960	iexplore.exe	33
PID 1960 wrote to memory of 2720	1960	iexplore.exe	33
PID 1960 wrote to memory of 2720	1960	iexplore.exe	33
PID 1976 wrote to memory of 1960	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1960	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1196	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	21
PID 1976 wrote to memory of 1196	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	21
PID 1976 wrote to memory of 2908	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	34
PID 1976 wrote to memory of 2908	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	34
PID 1976 wrote to memory of 2908	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	34
PID 1976 wrote to memory of 2908	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	34
PID 1976 wrote to memory of 2968	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	35
PID 1976 wrote to memory of 2968	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	35
PID 1976 wrote to memory of 2968	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	35
PID 1976 wrote to memory of 2968	1976	6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6fe9d60f018a5482aef63263e29e3afe_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\eDaB28D.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 124
    3⤵
    - Program crash
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1732a1748cb47bb049e31b8ef88f62c6

SHA1
d591bb8f797e6ff0b2eccc1ab27728225f8050fb

SHA256
eb9775dbffb8960024ce9d873326d84decb8d6697cb28469c2a60476ec98f9bc

SHA512
b37d6f8e3800e7eda7c36f27e1fdb29bc9f4b2ca56d0738587ca50175c91dc7d7f4e3abefd9c9a8b7b0be00b40c3ab1ca16d26bf41264f918479ba358cb5e346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dd2f61298590c83a8c680125c3784e17

SHA1
e890f45eba7dae341dfa246b64f43179c18be212

SHA256
9d4419a24c1f12621b77e88d490c3bc918967d6aa2eff11d04e6a9527c9dfe35

SHA512
4fdf07e59404cdf2e3cdab74b00a954bc41c466c8d885ad215261a87e5e7817518ff078abf130f24ab3ca2b51614b0e38185a36c8401f25fc54b56fed436bd91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3bfc07df756290ac976b4ae8ad8c74cc

SHA1
8d50faa7c5d8ef002286baf89e13747522def6d9

SHA256
5f1a491389faa4a6386a92a0f664e5b5d222293f590aaaa473fed0602f5fd1a0

SHA512
39be0c71bfa775c54d41bb9e7b5dff8ff2925e2d1714475bef13a19bd93ea5977ea528bc2d1041af7fbddcc7673e95d74d0147ce2e536a0433782cfbac6c831f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f78993f378f2c9d9db6de8cbbd9f886f

SHA1
be85d662b0abcd7b76bb7b89ad065c92912db3e0

SHA256
4f4e14ab613977e20dcc8314415bd575113ab21e651f149729fcfccc560ac687

SHA512
fdd813b0eaa332df92a63a1ecd8a9be1e81ca9aa2fe5f1511b320f29c711a3ab0a8ceb2ffecd42266a13b1c8f792f952f03e0856048cc2c29cedefa23e2a953a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b8bde50428427453be807eeadeb6327f

SHA1
a28841795841b17624ce9b5321ec34f16fc41da9

SHA256
8bf331c69463f694773a6df45f8ba95e4ce40184b91d22e109d35c68b67ed042

SHA512
2476a95c14ebf576c16fc1c07c1739a31c64dbe79b12d796d82fbedd581a2373e7f9881706302762e486c3e20d3335943bb2d05215ecc73152ffe95f8c2985e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4cf841609f1ee18ea6a815f4fc65ba63

SHA1
364e79a55b3ff34d9ce9d0ae7e1d1d930dc91574

SHA256
ad6582e0a45e6d85fcb182b76fbdd264c060b8a60a0def65c8bfbeb0d03b9717

SHA512
e8c75c514e996d80eb714048b25eb00e5c4419b3a7d43f4f27707a422ff540909d7638ec8380bfcc7b407c7983fccc8f24011dae0a1f648087d038988f665d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fef4b3bda97aa1354fc978517e391765

SHA1
e0fb63ad1146f42b6bd75adf3b51f71400f2d558

SHA256
cd850fcb7bd73bda8f5d34b80d9fe88591b0c609ffffb2744cd679a863def72f

SHA512
7f4c6692ac64970059392f37ec9d08ed49f2320d5f429b416d961c412f4c00db153d8bde6f2ed1be3ca4ebd61a631b19fdb70fb08206c83cacca76173e2dd472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1e853a4b17dfc1671be7e5e1025200e4

SHA1
50fcb89ae4a2232c86f6523656d451a4ba481b62

SHA256
8c63fc796d74bc439b1b4c07c191cabf174a772981a880552e819ed09bcda2a6

SHA512
b56a8c109eeef026b86cb8f250945b16dfd3892229ce2cbed465ae2824ffbf9976f0524bc8a257bd234cff57c565e13cf9c970f001c6d4de8f72fde8729f3915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fb7b108926d1dfaadb5b25b54605e501

SHA1
d641ad75c6d45faaf58c237f4409c50ee3d36875

SHA256
dc041aa6cad72d25bc91fcc13b6bea93e9a1af9252777a8fef04df593b200f90

SHA512
cebb97fcc9c25e4710dbdda4a98416be9a06989383f2efbb85ae8c54dfa463994929f4dc8b459803113fcc4a7d36da8ccaedc26443dd28d609cbe4b0b4b85c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD97.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE45.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDaB28D.bat

Filesize
188B

MD5
7137ecc399ef8cf0ec4edb16702026dd

SHA1
95fd40de771076f413aa90292eb57159484e8275

SHA256
6e9b68c292c0df91ac264da14dfb9b2d078beb470bfeca9dc1f23026eeb11233

SHA512
9139e2b3dc6b5c093275485b38248884d63989037b6aaa6a91297170ee9dcd1ea761e6e848224125f41f2aacb0c2475d7646eb605fc8f67b45289227804d87e6

Download Submit
\Users\Admin\AppData\Local\Temp\eDaB28D.tmp

Filesize
38KB

MD5
9eec4cbfc7c1c4ffae6cdbfdfa9d7d18

SHA1
9aa66a7ec6ce1c54ea3a4b508fdcf866c9595566

SHA256
0ab9d700fc5c54618bafa8827ca27a937b3dbf1a52114141110b14229e4b5b1a

SHA512
86068d4ebaa3f85763a247dc5a553c9f23eac7efb47e87e813738ce8abbb4308434f0a987c07a461f50de0c9018de169a84a123d4f95d09fd5abd2f8b1981c22

Download Submit
memory/1196-22-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

Filesize
24KB

Download
memory/1196-25-0x000000007FFF0000-0x000000007FFF6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads