7df493835e0fa27073bd325b2a034a16326c23f13e60bf14b5a725489be8dd42

Analysis

max time kernel
71s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
Size

45KB
MD5

ac1b77610a7d9e326ca721f9c9a8487d
SHA1

87207383992c8fada190f223c58bf449abc32ce7
SHA256

7df493835e0fa27073bd325b2a034a16326c23f13e60bf14b5a725489be8dd42
SHA512

ec60f7934dac1220269ea12731e5c57b9f044920e7521de65cbb7738c8f3fbc273a7a0a92d8acea585d5fcb6710f7a0b97dd5aac8da39db5e15a74d47fb7efa7
SSDEEP

768:+zQs4poKzpo2Ge1Hn4A1f/rkfYvj6dlZgBBZuXEjgMQ/nNCp0:+zYpoKz6q1H4AR/hyl0BZQhMQ/nNo0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{773D8EF1-5E59-11EF-B3C2-F67F0CB12BFA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430254253"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
Token: 33	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2376	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2376	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2376	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 2376	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2820	2376	cmd.exe	32
PID 2376 wrote to memory of 2820	2376	cmd.exe	32
PID 2376 wrote to memory of 2820	2376	cmd.exe	32
PID 2376 wrote to memory of 2820	2376	cmd.exe	32
PID 2820 wrote to memory of 2100	2820	iexplore.exe	33
PID 2820 wrote to memory of 2100	2820	iexplore.exe	33
PID 2820 wrote to memory of 2100	2820	iexplore.exe	33
PID 2820 wrote to memory of 2100	2820	iexplore.exe	33
PID 2544 wrote to memory of 2820	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2820	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2840	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2840	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2840	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2840	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2672	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	36
PID 2544 wrote to memory of 2672	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	36
PID 2544 wrote to memory of 2672	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	36
PID 2544 wrote to memory of 2672	2544	ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gosE8C9.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f277ffb438193b8eea66cc6e5a531cf

SHA1
72e3b0960775370aec0c25ab814ad46c97aef2c6

SHA256
e82e7ad717d634f8479e0c27a783205d2f2c821a07ccc229fa7c75fdff99e770

SHA512
21f7d1610c6dce4f4c539fa58a2cc9d1fee4ca4681eb0d6c0ebabc0eb68d64e6c661548814186557c8c3f8faa6bace15bff414e601cd1f8a06297cbc6c0053a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b89c03be44792eff4d22b6da4c0e0ee7

SHA1
57e2fecdfa50d595b269f96eb9519cebbb9211b8

SHA256
b59c09722f43ee6ddd090a3c743aad64ca08ac8f6e26785a01115e455e62ce0a

SHA512
a66ffe7b312d7c6272e6a5339ea4fc7ad60d4bed6ba52e9d0987a9152b0dab776ca965b73fa26cb2f3a070613ac52197030f9ccf71db6e389670e416f404dc3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01b3d6b68aa02d098bc4a9828404999f

SHA1
46a6b1274e7a3eb0f064eec9c960647530b282b9

SHA256
4ab4ae0f861c696a3c3a181be686ca999a717947156383a86f3456ea19f64da4

SHA512
cf9d50c3b5510924b9ba58d7b2f0973a09a0f8df403b29c59c43218881524566ab2edf454be5605797102f154543cfcd5e8c926da92f5130d105aec885a0fca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e8334a09cece5a94a057cf7b3d46d41

SHA1
b7fa1ed00f497df5952905eeea7e26b031ec5669

SHA256
98cfa394251e6cdcd2bb481c1ebb7782b3305974acaeb4979d9fcb1ad35f0c45

SHA512
e33b97d73bff4f7d19be204cbfe08924caa5196882c893b46d75abe47dce4770b57073a0948b822a9f2d6b9db5fbd37a89eeabaf1ec45946466386f3d2f34de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f61efd44d5ec78dfaa29d7dcad03ef4b

SHA1
3277ea9000a8b244e9c3ef57040dd3e876cbe10a

SHA256
a6b6cab18ea821797f7ac5efbd8fa7863d6a8a8ed7e27756a4a4e65f7ae0611c

SHA512
5b9de9e9c3d2c96e3a1e317f5885910d13f73598a0c5c1ac5bfc5a575bfc00439f41bbd4a883629226cbe37ed27e6ac3ca56acc32e6f882dbca3affc8687bfa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7005916f18aea85e8225485664d96afc

SHA1
69dd8a500472a56ec5c279069b75ffc97cfb2155

SHA256
63206bd0ea6aecfb8adc8abb7c0f2707156536f4848dad3eab0b0976e17069c8

SHA512
ef416496fa61fbe3f184ed3d1056237c01dab4d3f830a84e4a85bed13dfe5be76b4941493bfd29da8b0c8cc014e5060df15c830681effbf5618ad0ba86934d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d32ccdba55592a0eb2d4d5d0750530b

SHA1
ec571f5887264054481fae5e457de1407818befa

SHA256
25fe7944f496176f4e852b63a36d6fd0f7232e1eb3dc4592a083caaffdad6433

SHA512
0f06c0fa51c156c748cb68f5c32af8dd00739965f1e817203f512ca2eb34a9ec992abc3086860b8507465b465e94a8b8055900bbb6e34acf946533942eaf898c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc364b41a664bd4f9283c97536af42e

SHA1
2eb001e16098cb61b51d5d2be1cf627869c0a3e2

SHA256
9f967ce3a2d0172fb011360e679921d8540e81a9f986afcfa75886c146901f54

SHA512
df2bdaa42ad98c28455befb5c56062f26e38df23b6d8881556d703679c02cc7ab6701548d0c19929e90b397a90b7b599b5aea3efcf2e23d6fc1ded7ac5e5660c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d9ee0a8fd773b96b7367523298c5fbb

SHA1
8be9b68e1ec1c672fb4470b62f7dd318e48b2f3f

SHA256
15870b46c60a00b75b87f81df5a084030ff3d46c3702a8a37bc65c58585473c1

SHA512
728e5fbfea50905f334515c47db6ebf7ede89053fc105a0b8cfcb5ccf5fa5ae3af33afaa85796f84c3211dfbd3440bf481fcd87204412f343a1531a70b321cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC09.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac1b77610a7d9e326ca721f9c9a8487d_JaffaCakes118.bat

Filesize
307B

MD5
314da93a84b86f299c762d5005f760be

SHA1
6b0f10b19f3420619fd2bc41ce4efec13ebab169

SHA256
4250cd9f9ff7ddf264ea240ec431a03f591118f9e1db834a1a2d0ca2d3f1429f

SHA512
66228d70fa095ae1c60596134b0324b88741d8daa6239e2332e8dda2a040fd37f135e545990e33cf6a3ed3da7578998d16e076193a025eaf5c594435ae9467bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gosE8C9.bat

Filesize
190B

MD5
6380c78118834c89591207a5965c832b

SHA1
6dc5a5baba99b428821540f25573f87e73b1ee70

SHA256
ece7984066c8566862f17132522deeb6783cc5b84d092f69c4d5f6e08212b08a

SHA512
196f56e5a4fe827267d88bd44114979ed242143426b6126ab176bb09c8508179ff8804929e1996894324789b99e9790a0097c72b361abbcf69540c593330cbb9

Download Submit
\Users\Admin\AppData\Local\Temp\gosE8C9.tmp

Filesize
25KB

MD5
a0d121b52cea6142e1d6bd3c7cee7b8f

SHA1
fec666c6ef8fe2eb9d188a10a7c129e650cf3893

SHA256
d74105ed59c727150f90b68bf6c557cc810aff2cfa47094a8f83963b1bc90dcb

SHA512
3a92ea2a235894edbe6327bba91c7dd990bea23789ac61371157d26590db3e97291e73c231ac3a94a86421c0122814577141e7e9ff740695eecb6d90e0477542

Download Submit
memory/2544-0-0x0000000000400000-0x0000000000411200-memory.dmp

Filesize
68KB

Download
memory/2544-40-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2544-39-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/2544-37-0x0000000000400000-0x0000000000411200-memory.dmp

Filesize
68KB

Download
memory/2544-6-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2544-5-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2544-1-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download