de5507c8083f9f6cbaec5767c3e4fdb015dabdffef1a3c10a370e82360933602

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe
Size

1016KB
MD5

c27ae04461eee999d2983d4a1665e358
SHA1

a5413d5d464d7fc8f47a4c5945c882902bd621fa
SHA256

de5507c8083f9f6cbaec5767c3e4fdb015dabdffef1a3c10a370e82360933602
SHA512

f76ecf1af1df70f4f29ada4d7f9cf51375c5f459d9516380a6cb48214d037bf7ef8d05bbba9b9479aa87f0123e70ecdf427b39416cd3b9e9e0d8f5b8b380f69d
SSDEEP

24576:2YUqxGoIfEY9AhcFTqNtEehif0V0oqLwEak4U6mB:2YJhIfEY6hcRIMW0lWk4U

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
480	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
480	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe
480	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
480	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe
480	c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ish259442454\bootstrap_47126.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\css\main.css

Filesize
5KB

MD5
59212618aab64b1b9b21f7bc23aec90a

SHA1
44df32b25a75005d300878b742f4d3c1153dbac4

SHA256
e76248e40e5f664a219764707191989e3c231589b3c72e1f81baab1c7ce7c584

SHA512
6e0ba9ce06bd384a244ece154a8a6101827d7c5e355a91a722823a680843bfb0b8ab380d1642a47955dc8b663b6fa33b6f45a334788053225c5f0eecaaa6d0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\css\sdk-ui\progress-bar.css

Filesize
506B

MD5
5335f1c12201b5f7cf5f8b4f5692e3d1

SHA1
13807a10369f7ff9ab3f9aba18135bccb98bec2d

SHA256
974cd89e64bdaa85bf36ed2a50af266d245d781a8139f5b45d7c55a0b0841dda

SHA512
0d4e54d2ffe96ccf548097f7812e3608537b4dae9687816983fddfb73223c196159cc6a39fcdc000784c79b2ced878efbc7a5b5f6e057973bf25b128124510df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\Lightning.png

Filesize
1KB

MD5
e930d95e5e4c2eff0870697d1376b660

SHA1
b7f53be0e26e90296ba53eb27d65ddf86d829d53

SHA256
6c3485cea35d4c9a999bb5b6c75b46f9376f1203e37ee1cf0d488293e0c967e4

SHA512
451cad74246f777d20d0d34276faaa91b56aec93564339e8eeea00e2b2fe4ae366f28aa5af5bdae9a8556d8c8a90512d7f207243699517aca03efc5aafc86264

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\Lock.png

Filesize
1KB

MD5
f743f45b919b7552854bb394f032224b

SHA1
cd9f7f827269c40f7ae5634c9a93ff34d18ef259

SHA256
6d22757ab8ed8bb5213185a58464b50abad98e45404888ff4b8d7111f0dcfb5c

SHA512
231bdc9d2c9814fd5db9204b17b39c66263e1b44b835fbb5a3fb6bfb705a8860b27aa4e54eb07cb784cb2bb35eb1d39bb7f65c5d6f4aad21144857143945c6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\Next_butt.png

Filesize
1KB

MD5
573e4c3eebb98067cf9b779929eeb0f8

SHA1
ff0ef6f78362f4238243a0d1347b9175cb0ec153

SHA256
592e96106fe336ac6d8f789aed867165ce0c0760713167a5c7bb9997bb661e8f

SHA512
52dd3fde599312f0aae71ff7fc64b776d91a67ce097e7a865815af0a0fc4e86d314b0565de1e495e9a32e9f44cb599e107bbad49c3b95fc8b448e822234e69e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\back_butt.png

Filesize
1KB

MD5
55dab03359fcc0a763c04e5a8a2e5320

SHA1
355af27721b76ddb1155754456c1218f395133b3

SHA256
b088d3acb05f8abd81f50167619e3600f16acf16f15c56d5d269d073478d33d3

SHA512
29a0c36452431cb5b7809f02f53851a6cc63e9e21a88645d1f9ec5be606cc79fbfe20b12728e369083a59b8df7c5c98a5d7f0b08bd07d807d9a846bbb3df59b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\bg.png

Filesize
4KB

MD5
1cecd54e3826d1670e4f9ded9790b033

SHA1
2cab81e2e8174ae85d31c1394c3779704e63265c

SHA256
6f96c82331cb9029a698aa09eef259647b7a45593d37662819540f62fc58daa9

SHA512
1e711c8286f762944613671ed90f471193a655308c1555ca0290d27f80d63fe2fd70d8cc7c9a257495cd2e8a6e1df7e17c4b84cfbb96e3737c18d047c20f640e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\close.png

Filesize
1KB

MD5
49d7c7d120857d03229b6dee84340610

SHA1
2c8f3992ae822e99141c6972918c71d13bc894ed

SHA256
e777ab1397949c6f2dfb0f65f214ffbfafb5600c9bd363f585b17772af12065a

SHA512
b8f2a2987722a490a2c79923299129dc250db935f80bb59b841cc18b4efa8c28d91c85c53eccaadc12b50841d359cf647a68341b6e2205c05943e6406c1a95d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\icon_generic.png

Filesize
4KB

MD5
ef430c7cb8dad930f9e51941593b2af2

SHA1
03ca0848fd18014781b7c1da5064a761e1f317f8

SHA256
9c415fa469ac502e77be55a889d6ec61a1bd44299b176370b6047ffa73e1991e

SHA512
89ad143d6577452e16b83b65ecbfe2db17e8bd027e49e5cafb3e062511d6acbe20c908956c4db083a6509f924df4c5566e2df601f8551292c597fabe5e6b4d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\loader.gif

Filesize
10KB

MD5
57ca1a2085d82f0574e3ef740b9a5ead

SHA1
2974f4bf37231205a256f2648189a461e74869c0

SHA256
476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e

SHA512
2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\pause.png

Filesize
550B

MD5
c9e0cfd6f98defd493246b31ac1cae46

SHA1
3e36ac0f53c61d3828465ee1770f37414a8c7bef

SHA256
21cb7ce3071912e06ee9b06b94b580996b094ea5a34393ad409891778c3c51c9

SHA512
0eb00ffa74749a897394ea731bb9aba3e72fe3865e8020e99dd199c7a4047192d31874c82c57dcda12c6b4f7a354b5a2df58adece283040ae38bc808e1cb3aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\play_butt.png

Filesize
722B

MD5
efaea38121b9473bac8fc94d3c944698

SHA1
5bac1621a834b553e7795cdabea8450548709724

SHA256
6d464e18f2dded878d20d11a47958bab3ef952f94e160ff3753adfa1af14d68b

SHA512
de13d83e3673f8a21b553281096e0b2cea95c7eced769d704b943a838bf37826370116035c6f0437590d08dbc01922bdf5afd2d43af8d0ec2c3248a96cedce3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\progress-bg.png

Filesize
853B

MD5
6c4399fef0d921a5997019ea484317e7

SHA1
a267a7a444b7fad6573f171424350936383eaf70

SHA256
f0e89d6f68ba2fc9a00ad0e973db13b6b8b46aedd811fb69e73e4d891634b824

SHA512
a4dc1b30a97e05828e4dae20dde024cc856391866bc67094c59a7e6dddf7069e23dde89849c68954954c1c3c698dc5c52c0d305411a4dba52ff64b5ab4339d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\images\progress.png

Filesize
148B

MD5
817e2e5cf2119d681efbae7267de740d

SHA1
1f30ecc0758cafd215cf089ba4da13cb6d12cbbc

SHA256
cdd9512ac8b5f5da8e6350d5ceaae925ac401b12cdec7ca7370a55742f521e6e

SHA512
a8d6e31ce0640bcfa00d0df58d341c7dbbb31935a9f8c579d5d48e4f6622817606ae35532752d6d41f8ba0b003351f38d21f2377819ac2b215a13b66fcdba9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish259442454\locale\FR.locale

Filesize
1KB

MD5
3647aa1b8d44cb783f1538c14d800425

SHA1
7972df6ed91f23052fe0fb81b60f112656553ac6

SHA256
f84dceb74a37d3f143f559d1c120b50c9cd665d81b663fa2d0609343a84d6b62

SHA512
10fb954862be34338ae97303f47b993fb4ecdbfcb87093b0be4b7a631348c72e0634ea02690350a049f6b8434d273da02a0fc69a77873708c02ca340eaf5052a

Download Submit
\Users\Admin\AppData\Local\Temp\ICReinstall_c27ae04461eee999d2983d4a1665e358_JaffaCakes118.exe

Filesize
1016KB

MD5
c27ae04461eee999d2983d4a1665e358

SHA1
a5413d5d464d7fc8f47a4c5945c882902bd621fa

SHA256
de5507c8083f9f6cbaec5767c3e4fdb015dabdffef1a3c10a370e82360933602

SHA512
f76ecf1af1df70f4f29ada4d7f9cf51375c5f459d9516380a6cb48214d037bf7ef8d05bbba9b9479aa87f0123e70ecdf427b39416cd3b9e9e0d8f5b8b380f69d

Download Submit
memory/480-43-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/480-0-0x0000000000401000-0x00000000004C6000-memory.dmp

Filesize
788KB

Download
memory/480-158-0x0000000000401000-0x00000000004C6000-memory.dmp

Filesize
788KB

Download
memory/480-160-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download