Analysis
-
max time kernel
149s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/08/2024, 09:52
Static task
static1
Behavioral task
behavioral1
Sample
c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe
-
Size
48KB
-
MD5
c07a9d36565dc06adb68f6113746d801
-
SHA1
c5815d5b8c4963aa05e1c63d5df777000998a7ab
-
SHA256
b35a6e5a21b4bf295d8faa039e60ae0f25383c13078bf04ccea4503d806ea592
-
SHA512
214e07c3c75e31fbb9c1d1feb6dc93e6f821f41bf68dbc14c960c19f32f5ae158024d36576224d9c2dfaafeb8a060c073c233e7794d148c497ab68c4ac875477
-
SSDEEP
768:vUs685mAlVrTDOqbDBFZbhZGwBwX3gxVR8dhwbY2lBd49PsS8ffQNMyG6Slu:MsHbrnvjZbrwX3KqeLj49PsS4OMyG6wu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = ",C:\\Windows\\system32\\cfg.exe" c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe -
Loads dropped DLL 2 IoCs
pid Process 4112 IEXPLORE.EXE 4112 IEXPLORE.EXE -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\0065.DLL c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe File created C:\Windows\SysWOW64\cfg.exe c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\cfg.exe c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe File created C:\Windows\SysWOW64\0065.DLL c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6DF164B-62C7-11EF-818E-F2CBF1DCE4A5} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2342887062" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2336480481" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431344512" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127252" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2336480481" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4488 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4488 iexplore.exe 4488 iexplore.exe 4112 IEXPLORE.EXE 4112 IEXPLORE.EXE 4112 IEXPLORE.EXE 4112 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3216 wrote to memory of 4488 3216 c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe 87 PID 3216 wrote to memory of 4488 3216 c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe 87 PID 4488 wrote to memory of 4112 4488 iexplore.exe 88 PID 4488 wrote to memory of 4112 4488 iexplore.exe 88 PID 4488 wrote to memory of 4112 4488 iexplore.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c07a9d36565dc06adb68f6113746d801_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -nohome2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4488 CREDAT:17410 /prefetch:23⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4112
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
37KB
MD577c69e31dd552f257074dfa267c59c79
SHA128a769edeea0781f313d7c3ec3f7003519c7ec6c
SHA256b4484947b07aaadb90c3a31f07e019bcd72469db3ec83a21cbe8770314f0fe0d
SHA512844bb44d603dff7469410e47a962e7eaebef3d49fff7dce9fe89a27171b649823f7d8b2cbe336c9647d67e07bd3a614b2fec7683b311afe5440036c1753ccad2