c7184b75f05d389d8287753f1114a24ac0764418de664799f39fdadfa23106c9

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Size

1.6MB
MD5

b368675913c4dbf5a8617480ff3b2015
SHA1

0e494d0afa8e3ae90cc70295b7181d4d83e5fafc
SHA256

c7184b75f05d389d8287753f1114a24ac0764418de664799f39fdadfa23106c9
SHA512

c3d7bb36598aaa864624e040e4c9ba32c92c3b7c6d7dcc3fcce7146910546afc88ef5aeb04802c554391d6597c70ad9a028dbf14a27e5cd18be77cbaa577e23c
SSDEEP

24576:IF/YubwScA6rnAStxj7ZWL6D8d7DbQgmKN8f21KVKK2mEmV/hhU7:VubHcA6zxxj7FmwkUVK7mE7

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe\""	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe\""	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe\" -noconnect"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe\" -noconnect"	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
832	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
832	b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b368675913c4dbf5a8617480ff3b2015_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
867B

MD5
001fb1af41eec97c72eb1694b9daa101

SHA1
861cc7f0e0a51c7340e8424e8e047fb8ef5d072f

SHA256
ba85749b9b1229424caa4eecd8597a71d6cde60ac93609daf7036da5e92b2895

SHA512
637df817cfe184935557b66310af99f65ec78212e117f6124035d1dcc793f9f8c272d2f6a1849ccc353ff1553b8a25e5d52cce64f2261e3715a44e74e10e90d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
907B

MD5
aa295078d0e96d12b40f93df85a99433

SHA1
4863c74ae4aa7ee51115ed4610be47cf8f873fd8

SHA256
f6c00f2b99b025ec8ebbd2f84e6944ea67c62070ea40d266d557a612f1cdd21a

SHA512
9520dafdbdf325b793b33302a449a19b6382405c7288751f0dac152c0f7046e706aa7fa843084b01f286c4dccbb9d9ccd46e22f735e9d4264879c06785a4ad34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
1KB

MD5
9c0577d712385be4e502db74db3bc6a6

SHA1
02ab4e55303b85ef5d25b99ea2b7788cfa260576

SHA256
14bf5cf16b50c04a7a84029ba48863f7cdaae613379e0be085c11e4a0e255697

SHA512
074bce206bba33b16777f7b6928f1b27fe5b6ad8ffff648ed1b3d0637f49a8b0ad4b5e732f49d75a09367484c4237a114849a74b0380f3c74ef92285e15d6f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
1KB

MD5
74ce345822b845945dee1a18f9990d7d

SHA1
31e0f19ff87d81a2ec833b71fcfd8daa3b87d6f0

SHA256
195768239000be57eeb2422727eb176f65ab7979144c37a34ccf8167ca71dec4

SHA512
9bf2f5e646de8633b46bdfba3d5abf546a7ee5afab71d1b383639b7f3896057175630bae5292aee91aeb76bf529f3ca5a7892f87b9b8d0375d7fbb9b6d0ed059

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
1KB

MD5
e67c32d379328e263b9241fed858ae48

SHA1
669fbb21b47feff46b6cc9bb708d199383565311

SHA256
44d381601e978f9e9ecaf98d39586ba36e984cfd0e5af0f6eb78a3d722ff67f8

SHA512
644cf0f7c4af1256b639e92dbd2cf17fe7cf058c8800eb405db5f3edb4bb845db5b9828f8c35b2d98cd6ad1ca7b3a21d398974bd1807c352a23d6c2ac4278653

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
725B

MD5
85f043d4e468c531e384b8a15a8f25f2

SHA1
10bcbcadbfe6d841ea642cd64aaffb1b77d65aa4

SHA256
4a1c308b14227981ad20d8133c975f42ebf9a6ac751d8078327c9a4c3be6dda7

SHA512
ffa03785336274ea1686d95019764baa008348d7305af3f82b6f17c6ce55c23ca7748939b6f43603065fc1837b5ddabc5ca05db166f9ba4c27a235f7fd440c36

Download Submit
memory/832-282-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-285-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-280-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-281-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-278-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-283-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-284-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-279-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-286-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-287-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-288-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-289-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-290-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download
memory/832-291-0x0000000000400000-0x00000000005BD000-memory.dmp

Filesize
1.7MB

Download