64be09d71902d1337fd8f734faf37d501b75b269a0af3ada0da3bad59b8a5349

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
Size

100KB
MD5

d57c713b81a6271f6384385d7d146bf9
SHA1

26389af4c0747902c9035f2d153a214870f89f7f
SHA256

64be09d71902d1337fd8f734faf37d501b75b269a0af3ada0da3bad59b8a5349
SHA512

517bdc6d31f3f23dc0f96b1f76a6ae524ba4fa137e9c48cede835deb4f17975cfb340decc8164c9bf7ef4999efe4a71f04062ba14c67376a2a11b0412e3980ff
SSDEEP

1536:/OxAisOOG+U/Yog91wDJaBel5eoafhjkTs5XRb:wjsOOH/wFrl5eoKhYTsH

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Update = "C:\\Windows\\OLEUpdate.EXE"	regedit.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\f:\Autorun.inf	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
File opened for modification	\??\f:\Autorun.inf	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\$$$1.reg	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
File created	C:\Windows\OLEUpdate.EXE	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
File opened for modification	C:\Windows\OLEUpdate.EXE	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
File created	C:\Windows\$$$9.reg	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000025980631100557365727300640009000400efbe874f7748295985102e000000c70500000000010000000000000000003a00000000004b9dfd0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 84003100000000000259e96e1100444f43554d457e3100006c0009000400efbe02598063295985102e0000007fe101000000010000000000000000004200000000001e53e60044006f00630075006d0065006e0074007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370037003000000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 60003100000000000259806316244d59504943547e310000480009000400efbe02598063025980632e000000e5e101000000010000000000030000a0000000000000334fef004d007900200050006900630074007500720065007300000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000002590b70100041646d696e003c0009000400efbe02598063295985102e00000076e101000000010000000000000000000000000000001b452301410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3948	regedit.exe
1048	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
2740	explorer.exe
2740	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 1048	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	83
PID 452 wrote to memory of 1048	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	83
PID 452 wrote to memory of 1048	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	83
PID 452 wrote to memory of 3416	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	84
PID 452 wrote to memory of 3416	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	84
PID 452 wrote to memory of 3948	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	86
PID 452 wrote to memory of 3948	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	86
PID 452 wrote to memory of 3948	452	d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d57c713b81a6271f6384385d7d146bf9_JaffaCakes118.exe"
1⤵
- Drops autorun.inf file
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /s C:\Windows\$$$1.reg
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Runs .reg file with regedit
  PID:1048
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe C:\Users\Admin\Documents\My Pictures
  2⤵
  PID:3416
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /s C:\Windows\$$$9.reg
  2⤵
  - Adds policy Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\$$$1.reg

Filesize
200B

MD5
299ab9362ca5106ae0c72eb4ac2adda7

SHA1
6ad0ae383434486a1fe42ccf0453c53c5c1b1320

SHA256
9c39c959f6963f95df88f8fcc1d6651a940615e0ee2faeb422c3bfd5ddfd0b1d

SHA512
1d4a6689d1389e521b3827cae88c5a175a157af92a3e667cbfcb4d1a92c60dab7fc9faeebc3f7da5b8542b19fa126fbc05770bcd34238249d15df3fa08e7c02c

Download Submit
C:\Windows\$$$9.reg

Filesize
174B

MD5
82b20cf76f7ea5e316bef622002ed9ba

SHA1
c037fe53a55f4e98af0b2dbd496d88587c62cea4

SHA256
0c41603de2c858b5749741255a5e50aca1e7f7dde6cd042660c71ebdc9439c88

SHA512
4956d42603eb3ce58aeb885444b29083a1e11b9786e4930b80d32e69a47753ac5f7044ebeda9fe1b8c93aa0dd4b880d35f3286cf62fec7d9877374382e3d4d08

Download Submit
C:\Windows\OLEUpdate.EXE

Filesize
100KB

MD5
d57c713b81a6271f6384385d7d146bf9

SHA1
26389af4c0747902c9035f2d153a214870f89f7f

SHA256
64be09d71902d1337fd8f734faf37d501b75b269a0af3ada0da3bad59b8a5349

SHA512
517bdc6d31f3f23dc0f96b1f76a6ae524ba4fa137e9c48cede835deb4f17975cfb340decc8164c9bf7ef4999efe4a71f04062ba14c67376a2a11b0412e3980ff

Download Submit
F:\Autorun.inf

Filesize
157B

MD5
524e0d91fc238c32eff75837dcebf7d2

SHA1
596cc0c5fb80463c4fbc1aa1c58ba701b81d4ccc

SHA256
7dbb2534e6b77c87b8ae7ec5ad67b276858d58a931f3bca410b378f9fd0bba89

SHA512
d7e226550346f26e571c85aa877829d49a42d4dd12919375d29470e62fcf8f424396de3248ab6401e4a00b916b8534331951f276f737553df9c8c8f30a8895c5

Download Submit
memory/452-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/452-20280-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download