f3fc5a6c186d05b3ec18fcecaa1bb82f21289dcefd3b7a76f4869228abe93699

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
Size

686KB
MD5

8803c63616fca6f889c1a452dbc62071
SHA1

fc2fb8acba509783c82958c3153fedbc92923fc8
SHA256

f3fc5a6c186d05b3ec18fcecaa1bb82f21289dcefd3b7a76f4869228abe93699
SHA512

0c3856a34c811afb75fa655e44b7cb02419bb53e8a15d8d8562c03007ae0de8294dcd0da106a6cacd3a3987a4f11ce2f87e627583e0fcdca580dc25ad0c75172
SSDEEP

12288:fvxZIk4S8xZaTlCb5ugTNLX37lWU4+LQb3B0fpf+p0WlRw1mS2GE2W:fvxD4S8egb5ugTNLXLQUNLQDBk0yYRwA

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023448-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2232	Fciervcze.exe

Loads dropped DLL 6 IoCs

pid	Process
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023448-4.dat	upx
behavioral2/memory/1552-5-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/1552-37-0x0000000010000000-0x0000000010129000-memory.dmp	upx
behavioral2/memory/2232-49-0x0000000010000000-0x0000000010129000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fciervcze.exe	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Fciervcze.exe	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
File created	C:\Program Files (x86)\Fciervcze.dll	Fciervcze.exe
File opened for modification	C:\Program Files (x86)\Fciervcze.dll	Fciervcze.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fciervcze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	Fciervcze.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124344"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124344"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO"	Fciervcze.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3734218152"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0A1708E1-576C-11EF-9912-42C951A4D69F} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3749843585"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	Fciervcze.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124344"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430095678"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3734218152"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
2232	Fciervcze.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3636	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
2232	Fciervcze.exe
2232	Fciervcze.exe
3636	IEXPLORE.EXE
3636	IEXPLORE.EXE
3804	IEXPLORE.EXE
3804	IEXPLORE.EXE
3804	IEXPLORE.EXE
3804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2232	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	87
PID 1552 wrote to memory of 2232	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	87
PID 1552 wrote to memory of 2232	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	87
PID 2232 wrote to memory of 3636	2232	Fciervcze.exe	88
PID 2232 wrote to memory of 3636	2232	Fciervcze.exe	88
PID 3636 wrote to memory of 3804	3636	IEXPLORE.EXE	89
PID 3636 wrote to memory of 3804	3636	IEXPLORE.EXE	89
PID 3636 wrote to memory of 3804	3636	IEXPLORE.EXE	89
PID 1552 wrote to memory of 2516	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	90
PID 1552 wrote to memory of 2516	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	90
PID 1552 wrote to memory of 2516	1552	8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe	90
PID 2232 wrote to memory of 3636	2232	Fciervcze.exe	88

C:\Users\Admin\AppData\Local\Temp\8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files (x86)\Fciervcze.exe
  "C:\Program Files (x86)\Fciervcze.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Automatic Crash Recovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""c:\8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe_And xMe.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fciervcze.exe

Filesize
42.9MB

MD5
c5cf290d03fc2cacd7bd4f2157b53f88

SHA1
42079dc48cc1415ce4c66e0e8ec97e1911bb0c33

SHA256
3a5cabc7fd646ce706cf8a9f3868ea071038d6ee4dee6588135eee27dee2b919

SHA512
b19f014bcf274b83740d40f69c3b3209be537edc2c70374b0bbace93f643a3ff8e30a6548408c0f23daf2901108e952ab94e678d81dcc973b6a82abf1e4f5e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4329235D\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\Exmlrpc.fne

Filesize
72KB

MD5
f79ee77a4f30401507e6f54a61598f58

SHA1
7f3ef4945f621ed2880ff5a10a126957b2011a17

SHA256
cf8e29720823eb114fbc3018569a7296ed3e6fcd6c4897f50c5c6e0e98d0b3f8

SHA512
26ccde784b06c46f60fb5a105c806c4d9dc1497fd79d39728fbcfa869d470ca2ba018b0665f3cbc05019fb0766dac2eb1084a6fdce2f9aaaae881beb09dd3739

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
409KB

MD5
c3d354bdf277263b13dca264ec2add9d

SHA1
b428dfd7df0f6024e22838823cc702e2293bd314

SHA256
ede1e15bb21655495ea3b3fb6710390d53839abeed944ed7ab1af7403b50aa5f

SHA512
24c8e96b3c07fa4e44fbb31a4e09bea728d90d410352aa9c6b6b6165ff5c038f689b7b58b05abc6513fa4ab953b78edc0f9e8298b2d57fe1c26e80068e7ca68e

Download Submit
\??\c:\8803c63616fca6f889c1a452dbc62071_JaffaCakes118.exe_And xMe.bat

Filesize
210B

MD5
a93ac09976222434a2a74ef643916eab

SHA1
70ed652a5d925a3a9259342380c38fb15d2d6ece

SHA256
02f0e83fcced9349fe1e70bdd98986de93c4513856a07f3347180e8229227a18

SHA512
9fb896b527657c76a78b895bde01f2e6d3c5e50324c9b4e9f0231aca053329b621f840088c4fe54aa8e4522290c74718637bc40b4f693b8de381080fc133a9a4

Download Submit
memory/1552-37-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/1552-32-0x00000000024B0000-0x00000000024CE000-memory.dmp

Filesize
120KB

Download
memory/1552-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1552-5-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/2232-23-0x0000000002300000-0x000000000231E000-memory.dmp

Filesize
120KB

Download
memory/2232-49-0x0000000010000000-0x0000000010129000-memory.dmp

Filesize
1.2MB

Download
memory/2232-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download