6b047714e64c6db00b11e7653105e6d955c31d2296c914643a7052f1c18f9eb2

Analysis

max time kernel
67s
max time network
128s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe
Size

85KB
MD5

d56ec8655d8e4d7ae729380edd0150ac
SHA1

cb801c082c22a0e76ebe10e6567ad09007be8530
SHA256

6b047714e64c6db00b11e7653105e6d955c31d2296c914643a7052f1c18f9eb2
SHA512

92786651e5cd221fc32fb841e549f614b4783f4d403a9587569d10332b6577e55316482d3657ccdff2c40be9e353aacea01e4fd3dcccccb78a39d1ccf800a934
SSDEEP

1536:syv0dkekEhJPpB1lnJW4sCHjCqN2vAf2aWSX8l9FdKypq9:syv0Ws3/JbsCHjCqci2aWG8VUypq9

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Kugoo = "C:\\Program Files\\KWMUSIC\\KwMusic.exe"	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000e177388026eb51fbdc702da31c2961c74ae9f407d86f76df2afaf510cfdff25c000000000e8000000002000020000000aeed201db9f0727c695a8f81ccef1329fab0d5eaf8dcedea69c63130f7925a23200000007ea3fd8a82eadbf9f6ebc042f1e7cbba100bfd4fbe80637c3b2c6d0b3eb99ee34000000093eb73cf4fc881fba8d3c13279f7d90540a7fb4c90f5a68dae0e8bf1d3b9d5180a0a84bf69cfbc5c1c63f84cb6955ec8723201d4841b0fd8ccb8823170f253a7	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208028ac5602db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432006729"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000c97725a85e2decf49dc34b0a3822afb261284595077a4ff24affb229d03e2cf5000000000e8000000002000020000000ca22fe2a61daf35e0740829fae6df6fb56eefa63bb8ff5e78738f48d5c51b00d90000000096d195f710e5cf7817a0490446426ca4f58de013079f83e4a6a0c463d12dea9a8776c5c041d113b07930306f8a5714125df3b3a70f9be2ccfaf15b5b19ec26fee0d80534e4970e082d01a5ebbe307143ceacc9fdb6923549d7fdbfae07ba1adec75c649368814071934efc87b0a72543ea0a20330f3163145b655efeb36bba25c788e429e40c3522603030cd7ef2c10400000000c249ad22f83e558d87741357989949a8c9362378ec96f205dbf4d6ae58d670d76e8e33fcffc73c1549139a22cea1f24f846d56456500b77d9ea407627903816	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C67F8A91-6E49-11EF-A641-5E10E05FA61A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1156	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1156	IEXPLORE.EXE
1156	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1156	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	30
PID 1096 wrote to memory of 1156	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	30
PID 1096 wrote to memory of 1156	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	30
PID 1096 wrote to memory of 1156	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	30
PID 1156 wrote to memory of 2000	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 2000	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 2000	1156	IEXPLORE.EXE	31
PID 1156 wrote to memory of 2000	1156	IEXPLORE.EXE	31
PID 1096 wrote to memory of 1332	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	34
PID 1096 wrote to memory of 1332	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	34
PID 1096 wrote to memory of 1332	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	34
PID 1096 wrote to memory of 1332	1096	d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d56ec8655d8e4d7ae729380edd0150ac_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.koowo.com/mbox.down2?src=kwun0570
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed933b07b7ebafb43cf96304f253cd5

SHA1
5b9fa5881153ac84a473cae81aebbacf900a599a

SHA256
9fa51939aba52682e0be1eeba16c99e823703ca9339a1ec5b53a8fe44ca74456

SHA512
d40cb822f42c3dd1b7004344a15da0673f0d596104596bde6139b5da07d9a0bce17836a859804984611d9718702cb2d3d281c28bd2eec0695b000af8c1e6d520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52be60cb33947c84a8c8fe6c18f8b1d1

SHA1
fca92747f0806b83dd8151cbb5d31a9670b98218

SHA256
cc214f747c81a3de4acfd3453bee6c54c53db04a1992d1f96331c9540273a2ea

SHA512
b2110b449f1a270ce490b5368f1e26557943d38f82b1b2a6dcbc59c2e323bf2b0822fc048ad3fbed00fe62feb92efd0cc8ccce58380c5376a01e3e81a360f9a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e32c200811fbdf19d2da0e86a6db523

SHA1
edb8cd49cb23cfbd04cd615600b66a0773d96c75

SHA256
e3f00ea82f0db5a4de9ec78fcd84e5e14b2833b4d8928fcec2cc3881c73a4b25

SHA512
c6c19487f1e9af54a90b4014727cc488e3d5a7b17a5f27cbe04b8af8b88f9d4306a96a6addc5953703b803d0dfb75605bebb7fe1c61dca3cc21d9d51d8cd48cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d31baf3ed35c6c8b6715d20e45eae0f8

SHA1
b2e951865878054efd8eedb5485ea56680d9d985

SHA256
46281ba3209990c61018b1199adad9c1edd223be39b4e381aecb067fd013f65c

SHA512
4e4302fe209e60bbae4ac7bdd87e9f721e7f78e71743e59a0fd4b828d8f4b97ac519b3d3a2ccd404f2ceeb6fd46e000ffd6f77583883ed832630533da9989806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bacf2a80ea9ff5b219d1b7e70103b442

SHA1
f4d357dccd04895fed44b8ebc3ed90aa6430464e

SHA256
b1e8cac606ff83901e4bd8f184f24e2758789b9f9659a53bad66e22291366db9

SHA512
af365208a0e1fd8ad107e976474341b268ad1237411726fac71ba7ff477b3b15f9c8ddbbbd98b73adb30434c09bbdd8e880943845bcc8575ba329a1df3504a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e97cb0af0b9f8e5e3de2e92bae7ab63a

SHA1
376f78bc7525c6d4e58ed2fdf617ecf61301baf3

SHA256
72c1bedf453e1e05cb98e224c1f1d7ef928c5363ec97e24714ce4e622f805acf

SHA512
2bf7c330a32463709e4c5d1023fdcd667e3ebace15476bdbbab4cd399561517fe4ee8004698a8ea4bebfaef49d0dcb3254fc1c0cc99aa790af2fe5cd5f66bae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a36e068009ad400f823292fc877a7a26

SHA1
0b7b4873ee668693c2b7750fd48d4f21e3fe999e

SHA256
9524239437a2a11fbfa373f80c68c3bce0f2ea9a8de9fe4e9bf9fef2a0b17c1c

SHA512
c1d15f7d620feb1fb0557a5490634a3b31b6b6dc58f20de9da7334c6591e4869c236c86b72046bf249d25af230fe020f4c38f748567ef61bbb47c56d92502744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0649762ffac25dc96b8a0528a74db6fb

SHA1
81d650000991c4a4eb41487986325e5956575e42

SHA256
35d268cac7b6c280429e8ce791f44b273b4693ccc536d0c49b0d76914d5b780c

SHA512
2eb8de9142b239d1e4d46f49d5f6e507e4b67b617c2d3aeb68e8795e266ae701e6c0ad9a124c1f0c7f767dda2e48e97440230d34019665bd4a7a22761c915c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d6ae8b9c20116bb91a949f03bd310bf

SHA1
6feba2a33e26c66db36aeebdab3a19b66243537d

SHA256
7ae2986e3467b1ee21817340cf0aa6bad0fe8458b573bd7e159980dd7b9ee686

SHA512
ca8d415ba4935b2a34da6fc654dcf007ddd2deb1671180f9102e41349416abacfa1785b33568779ab160bfb974481b25cadcef51d03325558d01a6160fd2bced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176ae995e381f1fae513d78544f2581b

SHA1
e5f546f11abbb7563c77ae21ed6d21bd56c1b313

SHA256
ccd00331ca6d0054037bb4dfdc940f1bb3d9b6396dc7833808a8e894b964009c

SHA512
aed0a55c13e195cefded23546fcf661cb33d88960f8e53b555af8438ab946197abb2b0b1115d21360eb96e30c14cb4729a8e0893f0ab658f6e1484017fa09b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7CB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D31.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
c5983d6efff4f61cd35d0d82e44957f4

SHA1
9d1b29ce43425bc388fb949f0eefe7fa6592afc4

SHA256
a964e9c3f894cd64905146413bb2c92642bc466cc0c1561bf5b3729f1f6d42d5

SHA512
1095de0918ff13633b2bad696f114836cb2df524e0dd95c33e069df0e16d8acafe54768c6b3165d591c216d6fdb07611465ab2955a641c5b7ae4a5f5c8f14ac2

Download Submit
memory/1096-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1096-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads