644b201e7da7805fe3904b596854c6dd07a3dd63b7aa5a29aea60cec7173089f

Analysis

max time kernel
144s
max time network
138s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
Size

196KB
MD5

aea5272fc4c10b674809d1109f154c6f
SHA1

5d802bbbed8e2db0711243588d266bc49917b7e2
SHA256

644b201e7da7805fe3904b596854c6dd07a3dd63b7aa5a29aea60cec7173089f
SHA512

de317a152dca50b5658eaae375571cbdac6b647f1fe4eba4c153c91e0b86bf8fd169d6de74d5c94be3536c3a511c399c343c3fa1dfdf72c0d4d0f716a3d43ad0
SSDEEP

3072:UNfi7UDetE5KDMTN4khREkgMPcDNWt73c0/nZOZU8MeLBAkhVeiDWH:UNo85kkAkgMEDYCCn9PaD+

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E1927B1-5ED4-11EF-9403-6ED7993C8D5B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430306910"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
Token: SeDebugPrivilege	2752	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2532	2384	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2332	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2332	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2332	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	31
PID 2532 wrote to memory of 2332	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2928	2332	iexplore.exe	32
PID 2332 wrote to memory of 2928	2332	iexplore.exe	32
PID 2332 wrote to memory of 2928	2332	iexplore.exe	32
PID 2332 wrote to memory of 2928	2332	iexplore.exe	32
PID 2928 wrote to memory of 2752	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2752	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2752	2928	IEXPLORE.EXE	33
PID 2928 wrote to memory of 2752	2928	IEXPLORE.EXE	33
PID 2532 wrote to memory of 2752	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	33
PID 2532 wrote to memory of 2752	2532	aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aea5272fc4c10b674809d1109f154c6f_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
699f9340d24060c8a1973311d53f54dc

SHA1
743030eddc1145ebc664fc467bf2a3542095f94f

SHA256
c7598a9ce26aaca31921c6f360617ffee077b23ef3728e2cfd96e0d964c61153

SHA512
d5c4bbe20a9916259350ba8467cedc44112d6bacd060b1ef1b9ee7f011b02bcaa2e3ab79c5a655a89e3cb3275eba93f0861b7c07b1131a67682a6a92fecbb59d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2106ff2308f3ca5e71b7b1a8b9dd4155

SHA1
6dcef43a8bf3e1190abe65425b03ec86fc5a2728

SHA256
410edc275fbff3143941e2592239f4c8e6046128bfeba3e7e52c0b489068b4c5

SHA512
428fb2b97be35624ae319e7693f8fb34cd60db438583cae933bee3c30fe1e28220710fa636656404307970d1eedd13c832f5928869ec3891dc27152f455ea106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a7695ed6f013f22558692fa2684621e

SHA1
a9d78df99dbb36205880b2adb272c3278589dff3

SHA256
59c0c30ff94cc491dae5661fc14893875188585d2b292d627103206a39d058ee

SHA512
847018a89ba109896a7402afdf6e82b356d945f1d1524707f05e60ae6b1f20ae250f815b4b8f8dcf427835c4f995bd5262aaf01c5a69291462ccb123db2ccb3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cebbd87e4116f016bc26b3fa33a59680

SHA1
ccc7b998aac44320c66560c9a1426517f7eeecf5

SHA256
cba08b47abe1ff4a7d9e55f42e29443022370017c2a902bb2715a0e1b1ca4ce3

SHA512
5adbbeaa154fe6c70bb77c5f30b608b8d5a493a82d745d5138d24d3b28153a78422b60e428ca79515ec17e662d0af3d065431fa70f43673226d1aaad98f8fe49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0ecda0e4cb252de1145c3fc189c844b

SHA1
06d6e0ee60b9780aba5fad1960a8f4717157032e

SHA256
b93f1ed41aa9fe29032087578436dda7f0edb17b1ab8639f0faad1d31681f360

SHA512
11f253dc6a2161ab0b5cd5f0cfc24f2c3d88ab7b6ec8570401ab7543980d415683010c773831ca412ea07bd9709729f167462b78744abb8f31a2bf36556458b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c61731c359b230144250c135d659908e

SHA1
50b2adeefd8244c7d266d327b53f5ad90c4074d7

SHA256
b56f320af79a82292ef5fcf5e1bd5063ee9f923bf7b59970eeace11be915fb4f

SHA512
0cb87da0ee15e5588670cc9b39ca2baacc26d0c2a1dea3bdfc344ad65d5a66cf8a179bc0d54cb43397de2363910bce9db481bbd6b48c0b4750754a4a8c0c5bdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
518e7783f4f4d30eb3fcdbca1d6cf2b5

SHA1
7f2546ac2b01c1bc34b1d14f9240dd1ba8d07f3d

SHA256
80eb37f036341025cd9155b0fe8bfcf41efb2f722803a031c1e0e2bbccaf0e61

SHA512
86ba9a81c2b1dcef11257b40f0ad557fa22a0298c1f98ce021c4429deb1e3215644197dcb4acdcff30d9f6e47b223cfa5607928237c26aac9d3b502b98472945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7b3e143aa7e7053fe05797499c5752d

SHA1
c191acaccc3cb7fee289028d6131a5be3d3c4913

SHA256
6779ab09764a827a9e16c4132dd0d5c8267d8a24697c9bc753e0f47cbeeefe29

SHA512
73c0ee784fde67794f84bfb9eee522bc645a3dc6af85aa999101d91647cc83a33156f850ccdf8ada1eb728b03fd0b1c6e90c2cf7e1cd428b31a30870449a9d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa7f8756792d922323617d463863b07

SHA1
a0c83dfbb355fac463ea8e9a3002f1e84a4bc4fe

SHA256
8c93cdea352a7b528a82f6d8863dad9187db9684c5d7c772f865bd5ad1d64437

SHA512
d431f440badfee2ad3be1cbc884b6d7197e8c2045f9dec2c29ede81f17996ef4b21a0c436f5b812f6204ab37e45ec22e9612ae502c65ce4e82705f85897a7b14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3051a4d7522c8e71e15e20dbdbc8c17b

SHA1
985f2cf73c57916fed29ff82f1c6114e2e1bab1a

SHA256
2798dca6bffedf2757206068ca6a32e0deb46790125fe8a37103b55d77ea44a2

SHA512
2479809a4366b4d774a262e0cd9f1c6cf23d27d6632fc099be83006d7ef0ece217b1e0346693e3658b64ca03b03098cf0a3540aa8d050fc6ed1dab581e374cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac3d08150806abf4d6d2aad86e7017b

SHA1
56e5faa85fddb5396a52dd8641f84f4108d8bf2b

SHA256
6637ccb7a3cf348c9bf5a94a40648103c0a71d002ce4f08eb45208356f5568fb

SHA512
0d454a056bb4cee34512126b98b9589fdcd42c4f50db80ca8ef9949bb7f2e934fab6fbd8d4f571ec5e93f5b5e478363622b29932f0344ed1234b9b22cf066845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b07d9f497646f9106193eab626339b4d

SHA1
f7fb6ae08ab5e139935f3101c5d31189c11a7848

SHA256
c8e39dc418a68ef5ac0291357a4191b4ad037bb56db03e27ffb770c22e8ffab4

SHA512
58d75ea3e411bf4dd20d2b956eaee864ed7ae97cee80ac272d039a8d2d513884b66315307e0dfb28c1a315d37f812cdb44b242107ccfd9a14cc2d5da64624f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD185.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD233.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2532-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-24-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-20-0x0000000000910000-0x000000000095F000-memory.dmp

Filesize
316KB

Download
memory/2532-16-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2532-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2532-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download