c9f4849f8b70986d0f03fce0441f14a8d54e27d666badfb5a6cab5efb195a4dc

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
Size

177KB
MD5

d9bd806953086c0d428873de7019a868
SHA1

e23aeaf11af47377609acd0128b2466490957829
SHA256

c9f4849f8b70986d0f03fce0441f14a8d54e27d666badfb5a6cab5efb195a4dc
SHA512

e08cc78b652ae155a53c6f3c14fb06cccb7bbcea1e75ec406be67bce2a0cb6239b5ed85175b51bec2d6aad6493aacd17e608382783505efa914b70ad4988ade7
SSDEEP

3072:Pvij3Ri/nciZaAOwECVWienO2LRtMo/fPi/Mvf9ybZH6GG59e0LFRsRAnBvHqrOJ:XcIG97V4taGfVR0tHFrYJbNEVM05

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1672	Fjywaa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Fjywaa.exe	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
File opened for modification	C:\Windows\Fjywaa.exe	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Fjywaa.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Fjywaa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjywaa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	Fjywaa.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\International	Fjywaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe
1672	Fjywaa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1656	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
1672	Fjywaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1672	1656	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe	96
PID 1656 wrote to memory of 1672	1656	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe	96
PID 1656 wrote to memory of 1672	1656	d9bd806953086c0d428873de7019a868_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\d9bd806953086c0d428873de7019a868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9bd806953086c0d428873de7019a868_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\Fjywaa.exe
  C:\Windows\Fjywaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fjywaa.exe

Filesize
177KB

MD5
d9bd806953086c0d428873de7019a868

SHA1
e23aeaf11af47377609acd0128b2466490957829

SHA256
c9f4849f8b70986d0f03fce0441f14a8d54e27d666badfb5a6cab5efb195a4dc

SHA512
e08cc78b652ae155a53c6f3c14fb06cccb7bbcea1e75ec406be67bce2a0cb6239b5ed85175b51bec2d6aad6493aacd17e608382783505efa914b70ad4988ade7

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
390B

MD5
56bb9896cc1f556da60f16b2608570a2

SHA1
7c34c07c78994069f1aef91a2d57bb86b10bfbc2

SHA256
dcb0967d6dd798ef26cccc2c96cfecac92bea7941e3823e2cd1001f793319e78

SHA512
683021800ea2c1c17d5a3b28bdbd933ff08f678491ea41473be633f7709ee2add8d41ecaddc16b0a5fd1f4d6e19b3adba074e55703df1f90c8cbc875d0bb6785

Download Submit
memory/1656-14-0x0000000000408000-0x000000000040A000-memory.dmp

Filesize
8KB

Download
memory/1656-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-63171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-0-0x0000000000408000-0x000000000040A000-memory.dmp

Filesize
8KB

Download
memory/1656-2814-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-23172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-62827-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109882-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109881-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-62796-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-62766-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109883-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109884-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109886-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-109890-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download