e77f0452d3c2875a21a492343da69a30444adaab6fa4c65fb6d44219b20a18ca

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
Size

62KB
MD5

72d8cade08c0009ca195a1a851476f11
SHA1

37a823eed4d0307664185b0c2417ddff605b66bf
SHA256

e77f0452d3c2875a21a492343da69a30444adaab6fa4c65fb6d44219b20a18ca
SHA512

0d8d78664edb2471bfd7bc0afdd25c39b5b75b85d7ec84cec914381da1136a76aafdb113e44ed29b8d3bb79639ecb3f9eb90b7d379848c881b50c923b450c8ce
SSDEEP

1536:/fUBg4+yrFzPynXP71M6yIU9dqt1puaR3Qw12TxE/m4Y1Sx:/fPQF0JN9YdDof/mZa

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	cacAE32.tmp.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3380-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral2/memory/3380-8-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	165.87.201.244
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	165.87.201.244
Destination IP	165.87.201.244
Destination IP	209.166.160.36
Destination IP	168.95.192.1
Destination IP	168.95.192.1
Destination IP	209.166.160.36
Destination IP	208.67.222.222
Destination IP	209.166.160.36

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\del09.bat	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Common.exe	cacAE32.tmp.exe
File opened for modification	C:\Windows\SysWOW64\Common.exe	cacAE32.tmp.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacAE32.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3800	ipconfig.exe
2920	ipconfig.exe
512	ipconfig.exe
3500	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D3115A0-4B14-11EF-9338-C22FF2BD35B2} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
Token: SeDebugPrivilege	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4716	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4716	IEXPLORE.EXE
4716	IEXPLORE.EXE
3380	IEXPLORE.EXE
3380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3800	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	84
PID 3380 wrote to memory of 3800	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	84
PID 3380 wrote to memory of 3800	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	84
PID 3380 wrote to memory of 2920	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	85
PID 3380 wrote to memory of 2920	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	85
PID 3380 wrote to memory of 2920	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	85
PID 3380 wrote to memory of 2136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	87
PID 3380 wrote to memory of 2136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	87
PID 3380 wrote to memory of 2136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	87
PID 3380 wrote to memory of 512	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	89
PID 3380 wrote to memory of 512	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	89
PID 3380 wrote to memory of 512	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	89
PID 3380 wrote to memory of 4136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	90
PID 3380 wrote to memory of 4136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	90
PID 3380 wrote to memory of 4136	3380	72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe	90
PID 2136 wrote to memory of 3500	2136	cacAE32.tmp.exe	93
PID 2136 wrote to memory of 3500	2136	cacAE32.tmp.exe	93
PID 2136 wrote to memory of 3500	2136	cacAE32.tmp.exe	93
PID 2136 wrote to memory of 4716	2136	cacAE32.tmp.exe	109
PID 2136 wrote to memory of 4716	2136	cacAE32.tmp.exe	109
PID 4716 wrote to memory of 3380	4716	IEXPLORE.EXE	110
PID 4716 wrote to memory of 3380	4716	IEXPLORE.EXE	110
PID 4716 wrote to memory of 3380	4716	IEXPLORE.EXE	110
PID 2136 wrote to memory of 4716	2136	cacAE32.tmp.exe	109
PID 2136 wrote to memory of 4976	2136	cacAE32.tmp.exe	111
PID 2136 wrote to memory of 4976	2136	cacAE32.tmp.exe	111
PID 2136 wrote to memory of 4976	2136	cacAE32.tmp.exe	111
PID 4976 wrote to memory of 1084	4976	net.exe	113
PID 4976 wrote to memory of 1084	4976	net.exe	113
PID 4976 wrote to memory of 1084	4976	net.exe	113

C:\Users\Admin\AppData\Local\Temp\72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72d8cade08c0009ca195a1a851476f11_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:3800
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\cacAE32.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\cacAE32.tmp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:3500
- - C:\program files\Internet Explorer\IEXPLORE.EXE
    "C:\program files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4716 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3380
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
- C:\Windows\SysWOW64\ipconfig.exe
  ipconfig.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  PID:512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\del09.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cacAE32.tmp.exe

Filesize
84KB

MD5
65be1f0c690a069b0b91b9f26c37d59c

SHA1
0a5864d67c1539c46b8d24c681bba64be52ecc7d

SHA256
0d2dd1606c2eb38986f2ac729f868bcca11626fd28a69219e622bc8b2cb6a2e0

SHA512
6b6fae8eaf03cf773dc202558a19ba8d7bf7a521874b1517ffedbd0f5f84195636dd08d766fc347756916581b7c1889b1c79f1fcad7a26f3c1e741716f643d76

Download Submit
C:\Windows\SysWOW64\del09.bat

Filesize
218B

MD5
6ade91347b5882d0c6852510227bdade

SHA1
68cc016fae08bc059acdde017812779e2b572b99

SHA256
ce6bebd66d936b5de5bbbc29104cf779b5eb504402ce4e5a66129b169f6be3c7

SHA512
a44ccb870aa3120ff327ff8fb38a28e41646db0dcafd54898cef7043e708cbee3d1e25ee02cb5735a41de459e1daee06a8922189f242b217734c25cc6187866e

Download Submit
memory/3380-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3380-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download