Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
12/08/2024, 07:16
Static task
static1
Behavioral task
behavioral1
Sample
8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
-
Size
341KB
-
MD5
8dcfdab5597153078156bcbf241b2da3
-
SHA1
40700cdc0388bf79cd0e84360418019f96d67e3a
-
SHA256
651ee7e5a335bd50c322c0f5c1fea2b818da6a6e1ba93545b1ccb60d06823669
-
SHA512
1302afa15ad3e77102e20f7d7bcfbf9399bb03952b526f9133b8b0ae512736fbfa468e9bd3c5629cec70b537854eb456d3894a14a4736e310ffa411a5d008603
-
SSDEEP
6144:CY94NO1xOzb8pDzCBPId9QQfHdlm5zVpGM7y2w0kzmDNwuiqUCuI3YfhHbHn:B9Ogxqb+6ITTvzQzzGM780yzrqd3a7H
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation rinst.exe
-
Executes dropped EXE 3 IoCs
pid Process
1720 rinst.exe
636 UniKeyNT.exe
2692 svghost.exe
-
Loads dropped DLL 4 IoCs
pid Process
2692 svghost.exe
2692 svghost.exe
2692 svghost.exe
4168 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svghost = "C:\\Windows\\SysWOW64\\svghost.exe" svghost.exe
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" svghost.exe
-
Drops file in System32 directory 7 IoCs
description ioc Process
File created C:\Windows\SysWOW64\pk.bin rinst.exe
File created C:\Windows\SysWOW64\svghost.exe rinst.exe
File created C:\Windows\SysWOW64\svghosthk.dll rinst.exe
File created C:\Windows\SysWOW64\svghostwb.dll rinst.exe
File created C:\Windows\SysWOW64\inst.dat rinst.exe
File created C:\Windows\SysWOW64\rinst.exe rinst.exe
File opened for modification C:\Windows\SysWOW64\pk.bin svghost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rinst.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UniKeyNT.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svghost.exe
-
Modifies registry class 46 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\svghostwb.dll" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\svghostwb.dll" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib svghost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" svghost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer svghost.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
2692 svghost.exe
2692 svghost.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
2692 svghost.exe (all 64 entries)
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process
2692 svghost.exe (all 9 entries)
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 4168 wrote to memory of 1720 4168 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe 89
PID 4168 wrote to memory of 1720 4168 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe 89
PID 4168 wrote to memory of 1720 4168 8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe 89
PID 1720 wrote to memory of 636 1720 rinst.exe 91
PID 1720 wrote to memory of 636 1720 rinst.exe 91
PID 1720 wrote to memory of 636 1720 rinst.exe 91
PID 1720 wrote to memory of 2692 1720 rinst.exe 92
PID 1720 wrote to memory of 2692 1720 rinst.exe 92
PID 1720 wrote to memory of 2692 1720 rinst.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8dcfdab5597153078156bcbf241b2da3_JaffaCakes118.exe"
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniKeyNT.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UniKeyNT.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636
-
-
C:\Windows\SysWOW64\svghost.exe (level 3)
Command line: C:\Windows\system32\svghost.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Browser Extensions 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
Filesize
212KB
MD5 e2878cc39db71606f2f77186a0fd16de
SHA1 01caeb20b5b39f14ecd9fd9486d6ae70e188a877
SHA256 59d4e7d2160a63714a5a9dfe201b7eb4bda81cc13db3c7678e5e58661e1704c8
SHA512 30c4d53b2b727e2c6b4c4cedb180cdc17289841c8f0c99715cdb711cd9a149002ea08445ab3a9343f40c40be4a93c863b9e98f89c8348c7fe6b483b77f55fb3a
-
Filesize
996B
MD5 7d1fcfc93a76b433293ed2c0296445e4
SHA1 0f5834a7f6e21414e47099194d3115475caf1e94
SHA256 710a8a7100371059bba1af89ce1c932028ffda0cc28fb067f3cfe199e49a4da2
SHA512 3f4d88d359d87e34b3370e77f13c656d6b4459d330d83d30dc4a0f81704693ea76afe0e4d7b6aff980efee2504d5bd4609b2ccafc228d39347e7a7b5a5ce3e67
-
Filesize
4KB
MD5 9b4a0a5d74e2b803bc0a07914734a0ae
SHA1 4ea85e55a59a05e7f343bb37c3a3f4e05492316a
SHA256 7e12bf1eb36c6cc5c87f0dcf30b11b243173f47c142d19b42dfa4880326c8900
SHA512 662e7227dd81b7f3c59ccd0961bba1d8ba2d23ca42ea11f9421e668b579f99d65300f6adc7283d952ac579b05a52f3e0be0e691354464e7967d7c120e16462d2
-
Filesize
7KB
MD5 a455ca431e66975d886f1a8cfee8cb9f
SHA1 95868529973c77199b76ec593a686d9b324dee8b
SHA256 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
SHA512 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531
-
Filesize
428KB
MD5 7788e7d2bf36d02c2366a96ae00a382a
SHA1 a003bcc0145724c9122c8bd796b14d1a788ba400
SHA256 8a0e3acfbd5c01c08838bf4d197e36d4932c2af29a0f302c1b2c33872956b851
SHA512 5ca731541e8d661b25024b70efec8f567bc0b9cf77de3ebb110899991bc1f64aca189a899a9d070ecc323b66b0c3e09d77671d10982b0717fc36329fefa3a30b
-
Filesize
24KB
MD5 9c62df1b2775adf5d266c8fdabe74693
SHA1 1e014e07f1adb6e33cf0e8e999c334abe38ab3d2
SHA256 5699265a4266bb9c5c99d0eb32ee48b1d1915a55f76e5073d602855599617cb8
SHA512 700261cd72811f1e0f632207decbfdd03410ef7ca3121f7daf06da326949c9869f485a935330eb5fddbe7df6feec0d7dc590b9288af08aa24c7eeb08ee02b313
-
Filesize
40KB
MD5 ac4573c526930a1b7f7a093b6e5f5ee2
SHA1 49be4355a2b938e82eecb5bda9387d15b983d79e
SHA256 7cca36c0510671ea4f4c10135c107e31250b0a55691d0fd7e7e67023859ef96c
SHA512 8865f7b1cfeb495fe2ea853ea6c602ced28227f64f7796f510d4933fe58f20c5eadefab682350ca7fed8e3ddc808bbee751cba57750d741efd397ddb8f3c90d0
-
Filesize
4KB
MD5 11b1d5e5b5a4fc5ad1d7dd59cfeb1b00
SHA1 e5e772a114af2c4316baed04eab084f28ac93435
SHA256 19b241940ac0e25ffedc49070d0ee8e0ef375ec50956dcbfacb4a975f578f404
SHA512 b654b1deac1a4db1b19a7c6d96fc800fd2b6c96f829413685f9d87726e9d50da8e020182978f8d5737d14d6a7737e4c4cd9ac7651ad1535f2007c06bab2f8550
-
Filesize
428KB
MD5 bae0fb25bcf05a5da7fde8dce759ee0d
SHA1 bc74b07d14a63ce572755c70ceb796136d129e20
SHA256 b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
SHA512 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929
-
Filesize
24KB
MD5 58129986fa29f6dacd99ab45f60bcb3c
SHA1 7f21995794a060fc8629e0d113cf568de14c509e
SHA256 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
SHA512 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a
-
Filesize
40KB
MD5 2e6016325548ab79e2d636640c6ec473
SHA1 586e2b84d46ef00e26c1686033def28e8a9995a5
SHA256 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
SHA512 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86