5d6c0a2496fa26999029bc9da666c0c82f37e536ff0691eb1e7cb73e96089a8c

Analysis

max time kernel
148s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
Size

334KB
MD5

75d4456e2e7477cd65770ff2bcc5a231
SHA1

fe7a2f38f41dc4d76ee98ce884250e157f3a3b75
SHA256

5d6c0a2496fa26999029bc9da666c0c82f37e536ff0691eb1e7cb73e96089a8c
SHA512

15ad0a9c9342862eb5f25d9f7f379f7367dd02dacbd100409b0f34e170d6555ac7cdbba8c498de31cf01fa64ed270d7d69996256295677151ef830fdfee59829
SSDEEP

6144:4e34CNXd75+ZPPfnE2Qyn20US3iDuz4S/LMKmf/nHVcgt75+ZPPfnE2Qyn20U98:dNXdF+ZPPfnEUnriDEMrHVcgtF+ZPPfd

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4216	IETab.exe

Executes dropped EXE 1 IoCs

pid	Process
4216	IETab.exe

Loads dropped DLL 9 IoCs

pid	Process
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IETab = "\"C:\\Program Files (x86)\\IETab\\IETab.exe\""	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IETab = "C:\\Program Files (x86)\\IETab\\IETab.exe"	IETab.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IETab\Uninstall.exe	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
File created	C:\Program Files (x86)\IETab\IETabHelper.dll	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
File created	C:\Program Files (x86)\IETab\IETab.exe	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IETab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
4216	IETab.exe
4216	IETab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4216	IETab.exe
4216	IETab.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3972	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	87
PID 1088 wrote to memory of 3972	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	87
PID 1088 wrote to memory of 3972	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	87
PID 1088 wrote to memory of 2112	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	88
PID 1088 wrote to memory of 2112	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	88
PID 1088 wrote to memory of 2112	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	88
PID 1088 wrote to memory of 3532	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	89
PID 1088 wrote to memory of 3532	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	89
PID 1088 wrote to memory of 3532	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	89
PID 1088 wrote to memory of 4216	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	90
PID 1088 wrote to memory of 4216	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	90
PID 1088 wrote to memory of 4216	1088	75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe	90
PID 4216 wrote to memory of 2008	4216	IETab.exe	92
PID 4216 wrote to memory of 2008	4216	IETab.exe	92
PID 4216 wrote to memory of 2008	4216	IETab.exe	92

C:\Users\Admin\AppData\Local\Temp\75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75d4456e2e7477cd65770ff2bcc5a231_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\WallTab\WallTab.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3972
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\SideTab\SideTab.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Program Files (x86)\PostTip\PostTip.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532
- C:\Program Files (x86)\IETab\IETab.exe
  "C:\Program Files (x86)\IETab\IETab.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\IETab\IETab.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IETab\IETab.exe

Filesize
130KB

MD5
22add2b7ef97a0b55ec38725e4c11949

SHA1
74798d34a4dcb36a47a92beeeed39c17d9ac41b8

SHA256
523272e8b73598374556d0ac3cd2d58f84e54e3c6253b976a3e72776a4a99151

SHA512
0aa8c90b70ef4d6297cb4a89f89f65b0813e236587ab5b92ae279bf526535f68610e4f8159351303e90243da5d551f80c6fe23c91b2b4a67b6550597d300ee22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCD24.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCD24.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCD24.tmp\UAC.dll

Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCD24.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssCD24.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit