d101e70ecb5b03db2cf21c577ce5b28936bfc06fabc322837057e4d105363c47

Analysis

max time kernel
119s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe
Size

80KB
MD5

8a51786faac844290b32ded07fa695d8
SHA1

5f9d2b349b7bc637519b8576a3a25c919378e721
SHA256

d101e70ecb5b03db2cf21c577ce5b28936bfc06fabc322837057e4d105363c47
SHA512

2a3cf08a9542a13a5f87ade91f0a01046ce4550e8f4fc737d895a8d152bc266db079f4d52ac99201db6f28b788aeb1d6510ddbe98a0f34babe6b82d913265d47
SSDEEP

1536:cjr0x2MWwKGrhwN4c4mUCFFdRPbBjwoHCasjSonAf9OnEJXiPX:cXnQfriN4c4mUIFDbBjw3ase0WQnoE

Score

6^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2668	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{32D27B61-57DB-11EF-BDB6-FE3EAF6E2A14} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429540311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe
3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2232	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
2668	IEXPLORE.EXE
2668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2552	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2552	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2552	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2552	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2232	2552	iexplore.exe	31
PID 2552 wrote to memory of 2232	2552	iexplore.exe	31
PID 2552 wrote to memory of 2232	2552	iexplore.exe	31
PID 2552 wrote to memory of 2232	2552	iexplore.exe	31
PID 2232 wrote to memory of 2668	2232	IEXPLORE.EXE	32
PID 2232 wrote to memory of 2668	2232	IEXPLORE.EXE	32
PID 2232 wrote to memory of 2668	2232	IEXPLORE.EXE	32
PID 2232 wrote to memory of 2668	2232	IEXPLORE.EXE	32
PID 3004 wrote to memory of 2668	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	32
PID 3004 wrote to memory of 2668	3004	8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2632	2668	IEXPLORE.EXE	33
PID 2668 wrote to memory of 2632	2668	IEXPLORE.EXE	33
PID 2668 wrote to memory of 2632	2668	IEXPLORE.EXE	33
PID 2668 wrote to memory of 2632	2668	IEXPLORE.EXE	33

C:\Users\Admin\AppData\Local\Temp\8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a51786faac844290b32ded07fa695d8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1144
        5⤵
        Program crash
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41c37c5ec7eb7da65e1a744facb00f89

SHA1
5d7da5e0eeabf641cbeb4b8c79ded3cc527559ee

SHA256
ae637cb93277b27a6acb23eafb26d48aa6a7dee4b90a61e7dad565c17960ad70

SHA512
d312ef6479b66d2e86cd24d6c1e1b663ca2e9664fc8966080d510f7cd6f573db1f91ca314b2900c54e38530c0d80d04d48ea8a7ef30e4ec4ee129afbb4658abb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b305c91d4930b8026abcbbfee8b6c80

SHA1
2b26115d81f1a34b6869bd0395437ede7e72d668

SHA256
1512e6444629dad8a484809177b30c03381fe2d17bbe6d19e956fb17e2c8036c

SHA512
fad8cdede6dabab2e1017ca964c663c3ec75a85e8e2a9d193b7bd19130ba9b55afc33f2ffca6b59fdc6343150a985719183935761f5374245ae7166baaea0c0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c5dc6fd940ec65fd0c95f6a69ecd9f2

SHA1
7dcb3262b9f3139690c76fd141522a7ebf736ea2

SHA256
1bd6e578e7e34a41491d4e420d0d4b28df1dbb11db83f710ea1cfef45f4f7bbd

SHA512
340cf420df7dcc3860b925876c7fa666f9cbd155d8fa1e94c6a4ba6b13e863642662453389147c3cce16c831a9d3c34762c7c2df62b1ca638bf302795408cdae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5322103df189d2a748ce124af37ae40

SHA1
a0e6d847215628f6c0f0fac60b3b7ed545656647

SHA256
bc0e05ee8e837b61bff9dde28855f977f1b7e3af3cab7a0432ccd30d0e9a68ce

SHA512
34bffb096f79e353a6adf1361c170fc405ab7e73938398efbea341f982a6ff373878ec4fc2e4eb99a451d27a230455365cb58707665ce5320bccd430978acabf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
973263e645fd35ceaa86d9b35fd89ce9

SHA1
5473d56c77ca1acf4d5d556b71b966d60c31fd4f

SHA256
298d1b8b89623e11f47df1fcefd5a6ac4315e75ad5226555eb4154684b2efdf9

SHA512
4dd0bd14c56c7ff1cdde5522de834e61cd0f34ec45f14039f9656a0b63df57338e1f5694c0880717e94c2f2c7ae6ddc8a8902409ed99ea7ad43a959a218663e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02e4a3a09169df76926c1d644012bb10

SHA1
d22dab4ad2dd416fbbefb2634d5249ff869e4dd6

SHA256
608537ce8983226689ada5cb9dcf89339870f24c3089be71067fcbb69ad8d22d

SHA512
e714e70231d88172ec58676da03f65b607bfbb079daafe9ab3c608fa04fa2d133f4a2b1e71aaa606cff5817e16e799a6630328fbc8b0a0e11f60a8bc8ddeb424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c45f5301a9cd6b4282dd64068b534d5f

SHA1
c388ab32201cd026e43b3db8e536ddd204b0e836

SHA256
70a94747aef99f7cdca91e8fd6c91fb010f1e715126b72cc7d343a2e1cd06ed0

SHA512
268f152b908ecf2983b3966dfef181b4290f105b2533f664f4597088594d30148f7882b669439b96d6eca47f09b013acbbf37b051316f9262250dda8c9e7bdcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cf86bcaef93035bc84670345135c092

SHA1
5da3b5b6153bbe0affd261355c8ee9524ece3280

SHA256
3b57f60f7c74ce2553d2b16608b7abdabc69ac3c267de46432605b3ffd080f40

SHA512
6bc8614a58734841a3ce5f596cb27dd777c8d7bbcbe41e5387da4ec113b16e05d525e8ecad56f68cbe80a4fb534e43c7ca51dfe742c1518af26837b70c5eb9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8507b117d3cf0f7f7d7cfc291b21d61d

SHA1
ca268011407dd329aaf65e2454b43c27f4d07d70

SHA256
6c0629bd2f3d2227d299a81a014a94cdb85eb19728a9ce25d0b55cf5936d6df7

SHA512
50c1b4a0ff5b64501eb6c9bd912f9fa7c0355b33d5361cd89fef792530797b0b6f7a8141d150f9963512d2d915251f6e31dbfb4ff7f9406e61fb714961e6c716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89770676ae88f3f01732b552f7d008a6

SHA1
e8abdd6a98f16d3f35c169ddbfa99082fd422dc5

SHA256
b82843fc4dafd5c24923eda00a3b8e4c2ae78ea0cb5b529082b1912fa04ce77e

SHA512
374364735ea41d0861b6fd5801041b81b7554c411c24785258341e560c20bfaf877e723b29f128644d4362d140ffb4c052c8b02fc63f076ef496d01eb7d61ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d9af0b890c2a46f4eaf799ead52ccd

SHA1
c06bc5463a2731e64f3da0e6ad37eda4033dbcba

SHA256
503d4b1b68950fd528febf78ab3d8b4a93e8166396d51322f8735b7f7e78c4e5

SHA512
f2150bf288ab48c24ce75ddcbe1c67e8e9ef724cd7184f02a559f81f2f780477b6c8ea5008711b9cec8610b18fb00c42c4fce1376eead1cbe7937986e5a500f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab458A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar464A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/3004-3-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3004-2-0x0000000000C80000-0x0000000000DD0000-memory.dmp

Filesize
1.3MB

Download
memory/3004-0-0x0000000000C80000-0x0000000000DD0000-memory.dmp

Filesize
1.3MB

Download
memory/3004-1-0x0000000000C80000-0x0000000000CCE000-memory.dmp

Filesize
312KB

Download
memory/3004-10-0x0000000000C80000-0x0000000000DD0000-memory.dmp

Filesize
1.3MB

Download
memory/3004-7-0x00000000001F0000-0x000000000023E000-memory.dmp

Filesize
312KB

Download
memory/3004-11-0x0000000000C80000-0x0000000000CCE000-memory.dmp

Filesize
312KB

Download
memory/3004-6-0x00000000001F0000-0x000000000023E000-memory.dmp

Filesize
312KB

Download