c17572f318753dcec5825456fe75a6463a304b1e411b4c263d705f8a5f491723

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe
Size

515KB
MD5

9408dc1999f7980fb0e889d65e92544d
SHA1

6d16fc25b4ebef9ed8660e572cea9439d9d92515
SHA256

c17572f318753dcec5825456fe75a6463a304b1e411b4c263d705f8a5f491723
SHA512

628f861356bc95d51f8a83e7ce6576a2a2d6c427e0c5e6458209663e8b68021ce58ba824819db40bed1e49f68b6cdf15cf36fba84d4418b56c6480f3b345e4ed
SSDEEP

12288:CDe2pFt9uCD+9xvBtljk0PHfuLh0MkDP+LLS:CDe2ntH+9xrlI0B+K

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe
2604	setup.exe
2604	setup.exe
2604	setup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	setup.exe
2604	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2604	3008	9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9408dc1999f7980fb0e889d65e92544d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dif1FE0.tmp

Filesize
689B

MD5
a591855823e431bf9189e73c8678c22c

SHA1
e17d837257d8da09bd9005e5779ed4e24e23d5e2

SHA256
f46097c87d463a05fc9dd00aaafc1e6abe8b976d2245cb2d2373f60d37c5f4ab

SHA512
d88078d880ebc3c2c54a28a7d792724549595124278540b8ac367074162d144e5380bbd5d03cc5caac060a7193e2594a361b5d5750f18175fb0058168dfb4d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\banner.htm

Filesize
322B

MD5
536258d9e4de213b4ec2208b87bcd00d

SHA1
fa2e6d637c4984cebf3bb3a9d2dbd65059c12e1b

SHA256
85b3380e196550323afe743e077be5f47c5c7db95acc688db93bd1d805978ddb

SHA512
32eb30a8fabf86cd752db29e3d177c73d7ab93bf940dad0c941888291d0e760491b4a285bb576d3e2d8ef3eea300921d1955824f3ae492c5ac12bb3fd400f7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\banner.jpg

Filesize
224KB

MD5
33ebcd3aef9a9ecaa502c7dc384d7625

SHA1
efce525fbde154bc7ec7d6b49771ebb3461a7346

SHA256
6e19cbf88cbc3a8e9566ce14e7a763b40760f7f9074f16b27d9423a8fdb4d308

SHA512
4ba55eef588bbd9ea7286cfc79afaf0380e59aaa723ffa24bedf43618979debaa724ca7afcc4bc575a46e30c1dc2d4844d9c36f648fe468bf9cbb1cc9cf52925

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\data.pck

Filesize
345KB

MD5
e89c46072737e55ca7428c9172f145bc

SHA1
f6e3c79842d9f8ae2928d08ef7e86f0ff22b7b79

SHA256
3f08bf6a7b14b388d115bbafcdc1c2acbdb7159e3098ad02d5d0cb73da0f81af

SHA512
85a8727387b43485431c601de143e82dc4af14ce8e1eff1640d5a64122f64b9514320b4610629fab27570e3e2d601a526c7f144c6bdea55effdcb88144810818

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.htm

Filesize
212B

MD5
c05ec68667acd74532fe51cf8d0b38d5

SHA1
97dd8de4b70fe407f6283eaa89d9d7f0de95c3c7

SHA256
de9e239ec45e22562a32d70f2b3997f1d212510035fced586761aac896e2baf3

SHA512
b73efd9e3530bd9615306265bb39da1f1a09c2d041c206824f4dbb6718823b17cbf861c9dbfd199543f389e6c30b5a7a84bc820e9f473e9f5c23a8b41c345f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\index.scr

Filesize
689B

MD5
3ae887dc73cb3658191146845f4bd7a3

SHA1
a14552816c101a5b3bb8a29d0f64f0d073f81dcc

SHA256
e80c18e6d2660024d9a072a1c017161d09eff70003c5c529c50cd9d7b81349f7

SHA512
90a9893a9d049663c6a35f9fc453d8c1f6dc45bfd979a746bdd3c128e93cb7c24e3ada5fd7c8b5858ad3b2885cd1e559d5d68ea538ce29a54cb50babab2b2c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\pbin.da_

Filesize
173KB

MD5
e6b36036c1995d8723bd35ebcd286162

SHA1
f96164e12d45c088f531206a69525a1a47317cae

SHA256
990e854ee9edebb769f6f46ef8d7ba41ebec1834c937f73d39a40b01927948c2

SHA512
f8bb49884013311b43b5c28853704dfd66a3d0c5fb0e8a9760ad8b566d5ba256c337e1888716aa447684744064c03af47fc8b8e7c201a9abb6084421714acae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\puzzle.pzl

Filesize
40KB

MD5
a6fbba6b751d03cd89711f3e21d64ea8

SHA1
b6af050160e9bd1ad39af5195746a0deec5a7d9c

SHA256
de33f54e538e8a951c7938381377289942b0be521a64d3027cf57e926e39009c

SHA512
215865a874d96c8c4a7e8006b58626f63ef2ab928601d107486556f5a1c9b167bc0f6241c9508ab29cfbcf5b26b233f5f694c686171e75643f3373305e207a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\lang.ini

Filesize
10KB

MD5
cedfd1c79c51b026a3f87794150a5039

SHA1
d373440a1f2fd8581861d7b7090085c5484b6087

SHA256
ba5ef58a17d91c7f8f39d2da9e841a162c806269e6f2bb4b689a8e9b1d0a9a80

SHA512
f48718440741fbcd80cf5b764c20629f82a527e260cb31297d40cdce22e7c3ceaac69077dc54a87767a7eac2bc826fb8f9743273049d52b0891819a089808ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sfiles\skin.ini

Filesize
1KB

MD5
393a22419b84a1219194cd6542a23c93

SHA1
f480bbfb8009844782366a3dec2ad23266dc48bc

SHA256
c46fe077a9206c75b2a6068dd6929c09df9bc616adb3caf7f1443a90f0276468

SHA512
beadbda583bf63e31a247ddcea59d7033f6cfd385e6d6bf3fc3884855ddf4b04d05f1d739f36a19319263951605bdfc00a4cc11380d978ffe2b28d4c3d35bee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tsldrl6660\sp.gif

Filesize
45B

MD5
0d7e884ebabf67ec615b88f717911ecd

SHA1
e6ce835319efebe7c9b7cd00f77cc79b0aee98ca

SHA256
c96ea2e9b2fc43017a6f0ace4406245effd5d28379811afed08095759b952ee0

SHA512
6fb3216bb717b1ca8fdd626f7eb0b203310fa448fa88f32e53b3c3c85e634164fcce45cbbac495a85913585e4c5b1236eff8ae814bf6d32984fc98ed8c44993e

Download Submit
\Users\Admin\AppData\Local\Temp\tsldrl6660\setup.exe

Filesize
229KB

MD5
232579dbab70b373dabab8c9459d1fc6

SHA1
00b5d02ea437a3d3e395ab328b366457fb4ef4b9

SHA256
afc8e8d74f34e039fa982fd7537d3055bd9e5b65e44dc07c41818ce040c2b826

SHA512
e1e0c1baf875c4236fbf7150c619bac944d26e199df851dca8ecdc19e629a749b540cc76cbec9fb13eead079957e94b7f1ef0b11a59b84e55c5940ce80a16326

Download Submit