914d91f1a9fef5b0fd9f3620e0e8c9c049af55a7e3a4cf26f350daddae62b419

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe
Size

157KB
MD5

dadf7d6c9c4d577f4a87eed53a0105ec
SHA1

6c7d3b479bc515d93cb0d3aa137762ef0ab186a3
SHA256

914d91f1a9fef5b0fd9f3620e0e8c9c049af55a7e3a4cf26f350daddae62b419
SHA512

5969956ff8956c0b1e95b8f3d36ef858491568cba22d136d3db4a47b1d31c614628dd5e7ad3bc7587c1b4eeb82c24c5dfdc40991181f80d3a76add27f67653fa
SSDEEP

3072:h5HStQcl5cn1cbKWhT/ABoSOyi6wbPNP2KGq1ix5uBqJf0aC:hBSmc0nUNyoYq0qL3aC

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winkep32.rom,tadTlh"	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winkep32.rom	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winkep32.rom	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4900	3600	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130736"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130736"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4005141605"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130736"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432841044"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4004047802"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4004047802"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130736"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4005141605"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{198569C7-7064-11EF-AC6B-FA5B96DB06CB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1572	iexplore.exe
1572	iexplore.exe
100	IEXPLORE.EXE
100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 3248	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	83
PID 3600 wrote to memory of 3248	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	83
PID 3600 wrote to memory of 3248	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	83
PID 3248 wrote to memory of 1572	3248	cmd.exe	87
PID 3248 wrote to memory of 1572	3248	cmd.exe	87
PID 1572 wrote to memory of 100	1572	iexplore.exe	90
PID 1572 wrote to memory of 100	1572	iexplore.exe	90
PID 1572 wrote to memory of 100	1572	iexplore.exe	90
PID 3600 wrote to memory of 1572	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	87
PID 3600 wrote to memory of 1572	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	87
PID 3600 wrote to memory of 3520	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	95
PID 3600 wrote to memory of 3520	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	95
PID 3600 wrote to memory of 3520	3600	dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe	95

C:\Users\Admin\AppData\Local\Temp\dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dadf7d6c9c4d577f4a87eed53a0105ec_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1572 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\mjKC2A4.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 520
  2⤵
  - Program crash
  PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3600 -ip 3600
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5f81c2f0e32c339ad20a7b38cb5b684b

SHA1
4196d08225494b3da7819301cac57f3618ef8aa7

SHA256
f1465c392ed09e095c9ed94934a546cd13bcf3c2f5fcd669bb58fb1475fc3b39

SHA512
fff25d77166243ec1c5e029ca5c51b605228e6faebbc08834c3bc9c1042f14596c062e9ab9f9cc6567f5ba3bb0679a4fc833704fbef0c91a1461bc005d4bf19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
0c97843c35ebf29c6abd8cf1025bd070

SHA1
03af84446f09568f584254254503eacac03f214f

SHA256
1ffb37d03d52e5ae79bcf9e317a8416addb93fc05f15001c7a9c2082cfe2afe1

SHA512
1f28692155f2561e740ce29696a1f709626fc816098847f7b4ee86a87e5417deeaaab419290935b83f2c34f19eb1390b5b5cf0615dee03f00e8716533a1d6b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver409E.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BRZNMQLE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjKC2A4.bat

Filesize
188B

MD5
995915b54544ac766a7764e4a5f90662

SHA1
131b4084f9d40a1692036fc89f5a411e171809ae

SHA256
6107be02ad40d2d7fc7198ff3f43a8e02e57f271ead460eb93fd5ffa08b3b465

SHA512
b3dda29920d570f46e5d62449fb4c02f9338f349d126fcc8973f494514cda45cc112b616c5a0268568648d03cfc7a68400b09bc09dc0bc8d46aa99360f93e85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjKC2A4.tmp

Filesize
106KB

MD5
15aec5fc6c55f338f4944f9feb6050fb

SHA1
ec06815c7b466aa8dccd11b7aaa091a00e35cd3e

SHA256
af936598dba562b3adb44352356444a52395b5285fceaee5223dc0d301f21ea0

SHA512
0335cf7d0814da19ab0d572aad885af2c1fe0314bac14aa81d0dd0977653e30671b042ac5d4de0fc7346d5adf5a045c62d4c6ac18d295d9112e4976a36ad2308

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads