cd355ae9ec3d3df76ea660679d5415b6e9dfa9d2ab848c30da24a208af8ec3f3

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe
Size

94KB
MD5

976cc409b48cd3c8d46323a0d0aaaf22
SHA1

7a0563379f9b1e600a6ff2f56d1378380b19e837
SHA256

cd355ae9ec3d3df76ea660679d5415b6e9dfa9d2ab848c30da24a208af8ec3f3
SHA512

9f42c0aca2d19ca47db8101f7429b93468e16619c321bbca17fc421a7e236713f12ac113fcff99114c2a7946260eeba0089bc4b1182c06e555c245d0d1ab7df9
SSDEEP

1536:Zv6QFiwYlh1o0PSqbe3j7d0Yl7TyC9R6z8W3J7PVsuiZae/kx2N4Yj:DFi3h1zaqi3uO7hQJ7PyHZ9/UU

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C61C0021-5A75-11EF-BA5F-F62146527E3B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429826603"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe
1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe
Token: SeDebugPrivilege	2484	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1932	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1932	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1932	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1932	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2024	1932	iexplore.exe	31
PID 1932 wrote to memory of 2024	1932	iexplore.exe	31
PID 1932 wrote to memory of 2024	1932	iexplore.exe	31
PID 1932 wrote to memory of 2024	1932	iexplore.exe	31
PID 2024 wrote to memory of 2484	2024	IEXPLORE.EXE	32
PID 2024 wrote to memory of 2484	2024	IEXPLORE.EXE	32
PID 2024 wrote to memory of 2484	2024	IEXPLORE.EXE	32
PID 2024 wrote to memory of 2484	2024	IEXPLORE.EXE	32
PID 1316 wrote to memory of 2484	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	32
PID 1316 wrote to memory of 2484	1316	976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\976cc409b48cd3c8d46323a0d0aaaf22_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a2d6b2f71f968c54d150ffe83810800

SHA1
d40fd6d892aa1d4d9141211773bc7daaba3eb524

SHA256
6b9c12062bc25638940d451714e3d55c81dcfd6568ef8a39992943325fd622f4

SHA512
8a2137b6e975fa86c0acd2c60410a0094087b45d7558f427a66d2a60b3af0696bbe6cf31c6f58f060454ab945ddbca9986d412000dad99a1f0c61dbc518100ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b05bab50c57c9a96a5b2a84b3bd90f90

SHA1
45279c1eeac2bacb7f263d65392529fca1c9759a

SHA256
0551cae93113acddfcb3fdab1481c7266343d7be1d701d06299b849fdf2cd6f9

SHA512
3a6f198e921d356afd60d86a100a34886a2582a078b247c09b9ecf72df061aaaec620648e4871ad9488c2cd1e4352f71ac9ebe9d937396673c683e0ab6a9caa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e93cebdc16e9ec88410f5f91c318662a

SHA1
bea28a1fcd990533da21e73393eea87b5388013b

SHA256
5e74d7246cd1c53dfead8e5d48c61604f2fd90ca4678ce776489acf33d8b9334

SHA512
0ae3d915dbf975f4f536080e6c1e190cfc24347b4696f45a2bc36fa9a3e797b1a2ec3e22898aa9e178ebfda61a5e20fa646bdce571d7c798411aa95a9382b668

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15b078e78a00eb0f2248750d65a5474f

SHA1
33b7956c10b1ef1f7845c676191bb73cb683868b

SHA256
9938ec819052898b153c978764d69c66186d0ee467a87e303b2ace6282825036

SHA512
c7b1c54a077aee4230dafc3932bb9041cfca520f83bebc75cfebdb6b9e344af5e7a588135d1ec492dacedcae08d1f347b8c778df2ff53d7b9c9c4fcf1ca50d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
969f57a0b92014b6784b86bdb18f6a29

SHA1
a8a3cabe3413c6dc472817f4f6bc7d4bb46d9713

SHA256
05d901a06fde914b589bc6343dd28d57baf5e397e34f405eef99669835411e69

SHA512
9971476f03d62bf5e44a27bd56fe0b4d1ffe97f4b323e89115dcd010202c03d9766c90387d4e2e4f0df4ee1e28d622bb5d942106eeeae771d2c02f954b55096f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7df52b25a917d416de8836e62470048b

SHA1
f62d27c56c5106fec1ed3afaa6b4a8d9f6c95f39

SHA256
7484debf75eaaaf266f57621828769acfc1a17784f0b20385afa13565e9e0f24

SHA512
5086e3738fb624e1d98d6a8355f64c57048a4212f28132d3f6b3b98a1d6ea2be71133731839b743c0c9c8d2d69a513143ae610138c474e791d8c741949159b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24ba38840058c49a193fd7d1051d8c5a

SHA1
644ce8e09654e8d02fac0cf062b27ecc54c4f35d

SHA256
8de9e112bac039ddd820b56be4365f3c2fd8033c15aa0c3855ce5af5862e5955

SHA512
31e1849737813486ae4ce6eadc7f3c82874fa7b6ca6b71c304048b9f3543fce8751950dfbe12f1d64bdd7bc560d8370d1cba62fe4a6fa7da8d97e393e308572e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b601fe96971f8d0ab1167a8836f1fe90

SHA1
26cde896c7ce1e03eeb943ae1098cadd9d7e6ec6

SHA256
967b0a5e49ca7e358f3031cfe9abb87de093d497045189f7616cd5edc2abd2c8

SHA512
412354ad9ca60c93ae3fb37c1a3ec1b89e4bddbabf5bc16b5e6a3a84ba7df7e9f32774d0851e21df4381c1bd65dd97cdcae7611af68b127e0cd90d81d23251e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb392aa54cb0fa786f2d6a25c7c50be

SHA1
fc0b8f3ff3636e463cfca6407405cec1650c3381

SHA256
107242935b688240540d0235b3a16976680ec6d5d474407f6d2f577bc74a84f9

SHA512
8bc935a78a65cc51433fd3c7b157d4be63803de4b87c9c808bc9efc8c4037d931c0bb620382bb3f6b03739e2a3ac7c95e02d10daa4c8caca52b3812d155a8216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
045db49c7ccd3812baa42ded7921d89e

SHA1
d6132a411c9d1593177aa8c94beca2ed5c6e8378

SHA256
b83b0c633258a9afac3e7835d556e1ea0e20c5e655cb50cdbbe04f1556a74054

SHA512
b2ff2ff939110adec569654b137930e0597bc2cc7a122e69f519031e58f2ae64c5ebb5c2a895b917ebad28dcc3e93e0f5ad818452de9aac7691ff8ef1e95a9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06be28f639bd01332f616fa5b194502e

SHA1
0634dc294e27be5a5db636621a70fe9fcc3c89b9

SHA256
8a431a6a7a4e4a8db21db964058c683073fe5029ecb721c65f1bd46fd1d34b43

SHA512
b1d528e56921c67b7a904d84dc09ded2a5fb354cbf3d65e3bfbbc0d8818490acc6671c1bfba7009db1636e81ff1141a19d4b1235881e4e03e0e102506b1c22a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02eed4eaf8284e6e8d5395a28ce29615

SHA1
512fdb0e89312605c3940e462e524942af2fe8e0

SHA256
a711cf74788413a869689d137e23b32d87838e2227aad5620c97c8fe9cb4937c

SHA512
d1016ab1dceece1d48ef6c50df0da118b7c4801e9f9df08993634694f24f0e2487df7273afb28e00aa92af9a20b343a1347daf85636a5c680141b45213a11c6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac9304fb812d061c231dbd8c24fddc81

SHA1
5a1f2ddf6f65fffd8eef82c656fee17fd8ec1415

SHA256
05e873a2ebdd83c33ba01546c95edcf2c15350639107fa2660363a4952b2b972

SHA512
95cb78c9a163c64315fc4235b3ed7bc5215abe3c74753f4a9c0da11504dc14d837431dccb47c243c8e6ee6888448e478d7c08b14f5404c8161719e9fad8ec77b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1434feefc4536b627e233df7b34a16aa

SHA1
9ec0725fd7d61dc70f7d3af9dc2c3002833fc832

SHA256
86121dff1b3b2fee3b687e84010f27fac7089a88f58eac437b0d38db5333ff89

SHA512
b8a18e9ebec33bfe5e72ff7449753fa6d41bf5b92fbbcda826df797b7bc1030562dd0b8bbbabd175ab9f39c2a52c04cc23e10bc90c07ad8d13effa604788d1c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9c4edfa1b621d736e176db00f44be02

SHA1
051b4a172d222f908fc80daf2a32565ae04e2c7f

SHA256
18c13894920cd87a36ec30e48fc6ed58f0a1b42b9f327ba83e9745c9b795f5ca

SHA512
80ae2a75712b9dc00bf1eff1951926f318f76cef67f5f8b5e3246306bcc85ecee3ca4411a86a307576a519be28b279ea0a9dc44c4ac807534db78d8d9375e670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b6e6bfc63d7860a813115d3db750c5

SHA1
7694650e72d4f93ac3aa0bd4bb6b9393446e3cd4

SHA256
3f5d54edb4510dd60f6947bb79f2b04533b813057e9adaa2ba637470cf3c7168

SHA512
fb8529be53bf08150e8d767202919b915f5e6405dcf9e4f8015355af12881d6cfa53ce8ad9e08454e5ae2558d3325b16d419c5e303b87490267ff63f6ffd9aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD76C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD82C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1316-4-0x0000000002170000-0x00000000021BE000-memory.dmp

Filesize
312KB

Download
memory/1316-2-0x0000000002170000-0x00000000021BE000-memory.dmp

Filesize
312KB

Download
memory/1316-0-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download