Analysis
-
max time kernel
131s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 20:43
Static task
static1
Behavioral task
behavioral1
Sample
bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
-
Size
95KB
-
MD5
bf5e595d5d73e8d2cf28dd4a2c835aab
-
SHA1
ce020548152a7838bde8454bc912b1be02265995
-
SHA256
fbab092e7f035874aa98fae6aa3441573425672f22fd8d6e3cfb524fc69322f3
-
SHA512
6025386318c0e4a8ba086c72e6b64ac257f3cf84e793583ae640f14b6e4b877d3539edc1d81b2b66aa4708ba913bc0a21e32fe4395f58ed6c5741e7a71e31176
-
SSDEEP
1536:EpgpHzb9dZVX9fHMvG0D3XJYwXqf2gUBglcADKd56zAmxFGlbJUcFJVKMgOG9M:ygXdZt9P6D3XJzqOgkjADKd5H+FkFJn1
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation cscript.exe -
Executes dropped EXE 1 IoCs
pid Process 4904 installstat.exe -
Loads dropped DLL 4 IoCs
pid Process 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 4904 installstat.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\EditPlus\kk49.icw bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installstat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ielowutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60739c6566f6da01 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1693345948" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127142" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127142" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431297203" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1693345948" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1695533373" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127142" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60029a6566f6da01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f0000000002000000000010660000000100002000000089415c1e2269cf30aa8b0324dbd60de768845117fd688fee9bba1da0cc89bd00000000000e80000000020000200000007a574f45b2c923cdda48372d334a21f4a3e36f6acc6b322ada68318f561c359e200000000b71e897e30a705f7c6098d472e9795bd3cc1cd448e0fae4641f67e98de024ed40000000b57d545e795f48f12312ce5a0dd89c6c491765c90f2f1303b32d0750c695bef171572c95fd6223358070276bc35298d2d0b5bfa42ec38138d2ec07c9e6fbf35d iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{90932C00-6259-11EF-AC6B-C63D5579F9B2} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f000000000200000000001066000000010000200000000293e04b210ea68dc4436ab7241b603ba00b7b6d2be1c72f60115ef48cf9f14e000000000e80000000020000200000006ea755a5d043a7f2a5c6bd50ab26dc6e1d627e4a5b607fe8344463de49dc93ee2000000061266268373c23436b93e1af636fa5d5ede7fc7568118164bb920a0b3ce78e3440000000d146d0aae06ecb95674192ad607984873e4a4a8ce89be637a7427f37ea4a08e34c920d5e5c57a6f2bbf068da0f5098a2d2fcffe2d315c43090e711f355d5983a iexplore.exe -
Modifies registry class 11 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\ = "´ò¿ª(&O)" bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*" bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.icw bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\ScriptEngine\ = "VBScript" bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\Command bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.icw\ = "icwfile" bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\ScriptEngine bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2556 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2556 iexplore.exe 2556 iexplore.exe 1680 IEXPLORE.EXE 1680 IEXPLORE.EXE 1680 IEXPLORE.EXE 1680 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 632 wrote to memory of 4120 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 85 PID 632 wrote to memory of 4120 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 85 PID 632 wrote to memory of 4120 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 85 PID 4120 wrote to memory of 2696 4120 cscript.exe 89 PID 4120 wrote to memory of 2696 4120 cscript.exe 89 PID 4120 wrote to memory of 2696 4120 cscript.exe 89 PID 632 wrote to memory of 4904 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 90 PID 632 wrote to memory of 4904 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 90 PID 632 wrote to memory of 4904 632 bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe 90 PID 2556 wrote to memory of 1680 2556 iexplore.exe 93 PID 2556 wrote to memory of 1680 2556 iexplore.exe 93 PID 2556 wrote to memory of 1680 2556 iexplore.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\cscript.exe"C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk49.icw"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk49.icw"3⤵
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4904
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:1696
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1680
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132B
MD53fc5639771ac2109b9b785eb798fdf20
SHA11b82d39e7aa2ff1288a4a8307e3a3eefb601d41f
SHA25626ae0538cf98657da39eb016bf34ded3304f429ff03d5e92ee242efbcf892110
SHA512e1faea247e7a38df1f964e9453c2a8eea4733c0bf1fcaca7dc2a007f47d2156fad386fcbfcb3829c9559c487f0915190fbb5d04f459a2998fe3e598a3ebf8671
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5e0bb119b734bd28ccbf31009397367f5
SHA154b097cc98bfe23500e25603d088a6b3eee7c97a
SHA25605dc8c8c93f13fcc388a93f5cf37bc6b3ce00112b91204a8349f6e5c739f3036
SHA51237648d6d957b5ae64cc5a459d144ca693b63a83885b19221c153b0aba0bd7aff392ca75b375bd2d7a7f8be02de0bba804e50f3afd95e73a4357089cc32aba147
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD591c8297a2aa173f21e5ea05303dab8d5
SHA1018ec99dc2786c79ab9b6da2aa82ca7e69778818
SHA25685b2a9ce55a9bb9d9bc60f14302787c21c6afeb9199224e50ea400b3a5200c04
SHA51275dc43426f3cc61d5bb009e094fe116c70acaf4fd551f4bd1670a6d480749d34a450a03a48a3abdb7883dff3f729519b94bdc95ad322d03bb9f55f1bf4c7a55a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
44KB
MD57c30927884213f4fe91bbe90b591b762
SHA165693828963f6b6a5cbea4c9e595e06f85490f6f
SHA2569032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994
SHA5128aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab
-
Filesize
742B
MD50753d1d0f8471cfe4ce16631eb5dc60f
SHA138417fad21ef6e56bc24b4fb7b6c65967d06bf30
SHA2567c73b3ccdba0a0db983b57527abdb2cf70d1bc588d402d93320248e25ec688e1
SHA512fd3718b45f33e838bc7ed1fcd7221235c45e3a2287272f344b4b1f6262db4cc3162d220d5791872689282671dcfde0d9e7c146800d8de75059cd5cadc38adb79
-
Filesize
80KB
MD5cdadfa1995ac40ecdd51e83c0d67bf4f
SHA1aa076ea83d578e4057ff9fd1e7923a497c133e8a
SHA25656afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2
SHA51275d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9