2a4177aa98bafa0257423834e09e63610c9bd94ea91744d9eb5ddf15419ff8f2

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe
Size

105KB
MD5

81c8bbc5dc675e57296b79bcc3acda1b
SHA1

a898ade3d40c959c45ce3562b501b03692776162
SHA256

2a4177aa98bafa0257423834e09e63610c9bd94ea91744d9eb5ddf15419ff8f2
SHA512

a778c41017a505074311a3b9dc1037eb025eea3597d26f9c41007049be3c05ffdf6c3fcd468a7672788053a8fc82d41dcb3da9640564f853d9920f3fb7e11dbc
SSDEEP

3072:Nt+gWOZ4xwvUFr79i+g6Sra21WnkLV0Qap7+0vl:Nt+NBrSZcnkLV0QYN

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winmhc32.rom,SeMplzOr"	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winmhc32.rom	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winmhc32.rom	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	3052	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428709507"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D529F501-504C-11EF-8CC8-424588269AE0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3048	iexplore.exe
3048	iexplore.exe
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2752	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2752	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2752	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2752	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	30
PID 2752 wrote to memory of 3048	2752	cmd.exe	32
PID 2752 wrote to memory of 3048	2752	cmd.exe	32
PID 2752 wrote to memory of 3048	2752	cmd.exe	32
PID 2752 wrote to memory of 3048	2752	cmd.exe	32
PID 3048 wrote to memory of 2580	3048	iexplore.exe	33
PID 3048 wrote to memory of 2580	3048	iexplore.exe	33
PID 3048 wrote to memory of 2580	3048	iexplore.exe	33
PID 3048 wrote to memory of 2580	3048	iexplore.exe	33
PID 3052 wrote to memory of 3048	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	32
PID 3052 wrote to memory of 3048	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2968	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2968	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2968	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2968	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2964	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2964	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2964	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	35
PID 3052 wrote to memory of 2964	3052	81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c8bbc5dc675e57296b79bcc3acda1b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\vkp4E9D.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 108
  2⤵
  - Program crash
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a4a757977d14fbc87e812d7f234d2dc

SHA1
b752f53ea302542a7333c104e28932658dfd638a

SHA256
311830874b170623a2e4e585aeff8b049028bd9615febdef34f4e7a545b695ce

SHA512
8eb1ce3d1c12c6e542d68822b8d8c8b2a15285675fb484bf4c85d6fdbac0691cf5ceaab3c9ac4dcc2083cc0251c676009a37d62c6a70faa1835a848cb063f3a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b2bcce937c8e6dfcb13398278b04846

SHA1
88b784a85e318dc7425b3825c7a04436eb526406

SHA256
1b1328a5f1001f6fb671bf55e292c1d23ee64c92f8e204fe641ee5da60e0f699

SHA512
264ac0205e4c387dbc7ed1a7d40ab0e42108f64b752440aed350f6f1f553a31ae015caadcef15a5d4eec9618d9209d5eafcf00b236942584d0e9a8a8ee9fdc94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64d028e63acb7a5fef9f1ac6b2789827

SHA1
dcf0aef305d0994be59c51c2c162923c9319148e

SHA256
53903da205ea9fdd4edccd940615a6c5fde8a4d2e37491052701bdf3e8b23e06

SHA512
a00c59907d98523907bf9a7932a8551866ece9cf2f0ed54390a500728ffa65d5de27208fd9679f7f1a3edff987b6f37176006152a75e7a19acfa44c65b3e75e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c2cc4a148f1bd439df5d68fcaecb4d

SHA1
8eb521b95a1688501724113d4d0d0b81eef3ba59

SHA256
3a169b28bbeef17cc26cd50d5240dbb6a33704303be04a8b22cc725bbbd2b03e

SHA512
1d7cdd8c89119e3f78212ba889afff9f43fd3c0f003de08bb94ad2f26fbe2e5e4d41fc275a580a888252410181100c7564e36ae4135ba4bfd238e5543aed9867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f5383d5ca3ca6170495b2917e80d16c

SHA1
0f0d43a91c1154bc4d89512b3afc889d0fa8750e

SHA256
2b235422ab74b5be8f276cc7831f2b56352d1675afdd1e604f89be1eb2739791

SHA512
754d8ab070cdbdbfc4d1117bff7ea24e5393bbe917d49c965612fc7d399b57306a547b894bcc9a14f20639a0ca6eb4d5b3ee6c22e3aca1c16c8cde984da0bddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a890b1ed11e858d12cda88016b66476e

SHA1
a3ca55a92977dae142ad98214ee65c4e578ea86a

SHA256
753c0ca3e611607a5ae004cc229e9f7805236ba79dec8118c94634f783c0fa37

SHA512
4d4d1948524430b6adeb4a572f30505e1ecd4ae4a5ba76e36e6f62ece4335d808cd64eb2cfa3406b831d074a6603388a92fc9d9ea12a0c724381b09c773bb870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0d1da8c57e1d278c43dffc24177a6d5

SHA1
9f1f4537802477b9ca95c2a6cc82b3ecd1c6ad1f

SHA256
8c890ea61e6747b9cbc0469ac74942db1a611d418916651951a11c184f3a9bfb

SHA512
5978c0c889e0b61ef5bd6fcb2af5a21c3b5b21f59070fbe763afb94455613a0ba39429f4e349a05cb33dc69c984ed27840be8c271a0acf8097d9fed979151f34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9f3369ae2d7243f713448778f8c7ae9

SHA1
15fa43cc1871e811ace2bc8666df0224e70a1021

SHA256
38f3105f806de765c4351f591e79bb0cf9aff32026c1417373499d5f8fbb6dc8

SHA512
1313c4b7feb0cd1dbcdea1a33ff2e44b9afaca81522744d7af9aa199675cd5be5ff31e84ec7308baa955a1ed08de8f1349c8d0a524026704b4ca542667d582a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9534ee059d7abdc7890cb5a8628048aa

SHA1
7042ba2812315124562bd0800fff0e88a32edcdc

SHA256
6139574d9a8e91372103ac88d95a3e58b5c5d9818aae748409255fe0419a81f0

SHA512
516ffd5826a4ca3b723f119cc2a225dd2b11715b63fb8e0158b718359544c5b4e6659544888ce10cad1bc3f63f461dcf2fec5d180da7d59b4bfc2193a46f133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4EAD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F5D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkp4E9D.bat

Filesize
188B

MD5
38b81516846c7fc65c2280e125c99f5b

SHA1
ca620401d97b2bcc89de4742a485f9beef60d104

SHA256
215a6109a42fc24c19affa743ef5a0cdff77f74a59b54b97b777eb7d132e113a

SHA512
1867deaf8d0554de451ff5d3d62627d2d7a64b0ac63492a56c71aae9888c0768461d8e049e594e1354959f022b4921ce47efd9d93db3e2e6b41fa42ad9527030

Download Submit
\Users\Admin\AppData\Local\Temp\vkp4E9D.tmp

Filesize
79KB

MD5
3803e4ca20bbc7c15a8190d7f93cc35f

SHA1
87d43a91ef0f6e8e7ef9e39a1a1e8c81951df870

SHA256
ca73b364f289a944f983d324bb467fc273d54bce31e638c3097255cbb008ebec

SHA512
a36205014b0f563a18539847303162672063d99831818be2e7893d4d1527b2e404dbc1ea733e0229091cdcb654469b0abd1f724dcf4f79daac06df50a6ee427e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads