ca34ae2c05e708d668058dbc4b0dadb7ad6a532e45dc63075002a9bcaa3717cd

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe
Size

44KB
MD5

db10a272f6a234ccc6021ff2b2444e34
SHA1

4791b97d12871a03bbb3cd19aa913cd4b9405c67
SHA256

ca34ae2c05e708d668058dbc4b0dadb7ad6a532e45dc63075002a9bcaa3717cd
SHA512

038e24360acb880a9f5bdb2c2a8c142254dfb41c38b4a4c6a2952048a84187982b7323a2f5b2d2465fd8565450631573765e977d307a7b88aef087d0a5ce2c05
SSDEEP

768:83n3G3j3qrJFTQTz/BoBrlKLXZ1ufT1LTRPYF2KvNdVSNode:83n3G3j3sqB6lKXufhLNYbvNbDe

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winbhg32.rom,WtBRun"	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winbhg32.rom	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winbhg32.rom	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF2CDE71-7073-11EF-B578-7A9F8CACAEA3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432244635"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1500	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1500	iexplore.exe
1500	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3004	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	30
PID 2104 wrote to memory of 3004	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	30
PID 2104 wrote to memory of 3004	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	30
PID 2104 wrote to memory of 3004	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	30
PID 3004 wrote to memory of 1500	3004	cmd.exe	32
PID 3004 wrote to memory of 1500	3004	cmd.exe	32
PID 3004 wrote to memory of 1500	3004	cmd.exe	32
PID 3004 wrote to memory of 1500	3004	cmd.exe	32
PID 1500 wrote to memory of 2764	1500	iexplore.exe	33
PID 1500 wrote to memory of 2764	1500	iexplore.exe	33
PID 1500 wrote to memory of 2764	1500	iexplore.exe	33
PID 1500 wrote to memory of 2764	1500	iexplore.exe	33
PID 2104 wrote to memory of 1500	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	32
PID 2104 wrote to memory of 1500	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2912	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	35
PID 2104 wrote to memory of 2912	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	35
PID 2104 wrote to memory of 2912	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	35
PID 2104 wrote to memory of 2912	2104	db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db10a272f6a234ccc6021ff2b2444e34_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\tweC800.cmd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
504bca8c29518b7c1834537a1a3e1ea0

SHA1
d5fda1b5c6fcf896a801f0e8d4a27d6956324c65

SHA256
db68afaf3220d80096a761a4a0c362294b01f4bb3847b7299e1b27501c4a6b8a

SHA512
40533f8513f9712e22f4f224acada75e0d72261c6b76869dd07e20bbea3119955bdafd1a54439eb43599b7e91c91e1711170dad1be8678c5f8bdf5078fd90aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d3edc8932ec0b17ff8a766f536411ef

SHA1
3a7153f3640955b1f52ba9c12111e5f118f7dec6

SHA256
7696de71d473a6b5ff8804fe9a9706492daa7b1c0ec800cc1c6d8e3ad39d35cd

SHA512
52e480e5ed7be582e9d07190963676b7f3679b7cc51314dcb1220b5837aceceae397e3f64465501f8cfd32ee5653b1b33dc13a5a11584c27fd7222b9157482cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d99c3a3cd36eb148227d427bf61e128

SHA1
4c3f31bd17a26bd0ae7569f1580ef01d8e433803

SHA256
9069a7279ca45bbf61e18fb57d3c406d45bcd9ac1e512b8a6ba6f2754b3a3052

SHA512
bba9d93e7209083e131f58c956d576fd74396fdb19ea3709f117509a1ac54ccdf3422bc351e2fac9d77cddb532c2818f45d4e4d9648cf7c662beb3e440588d9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b9720b290ede53eb8c8ca97b8305b81

SHA1
ecae3a35720001cd981ab7ca1eda2aa1a90ff1c6

SHA256
bf723017a28ad0ca4ca7dd0efa0193a1d9f2b91430de8fd490bbdd751c3b1df4

SHA512
5381840ab5a55104f3f480599e87e45da2f1ac71b4d1a45c2c91aa7826233f45804035654086d131653d0425c9a309e6e24b11775b6b6cf1c270845702f48d4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04f340a841f69d44cb070130c3038c6f

SHA1
b118830f4bfc6fc59a3b6020bf3c21de5a9eda95

SHA256
698f6645e2166d22ce3d34039e50028f00984beb9a6526d739757b86e25ece82

SHA512
7060f0f257d988ee34842f85b9d792918b9b51df905754341ad57a1fd28b26bbb0cfd52077871cb24c291360727b99cb13bea9a904f86e16c8ded53c6401631c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec5fc19a1da2fc3994cec6352e3308af

SHA1
946d5305103e82807e319f9bd4b1cf9f8d326a20

SHA256
204cf9af056ed142a5a684add70fdac9cd6e5d21cb8e2e43c6ac2a26a819df5f

SHA512
345f7c37d0f5e8da5cb61029000a83ebf3cd2ff27dcd0b7be8059483459d5999f3d4cfa7f00913f16eb1b2b7514ea8d1bece7ee6e9ef8382abbc11e509bdb99d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f5c52a440d7861f2e4819432e01a533

SHA1
76632363e3cfdb174f988ed19832fcdb907492bb

SHA256
9007787791055d6e26e1b71bc0eba941ee51051b815c29ad7e381aba79b24e8e

SHA512
bfcb11dcb4d2183e1667d3fc3416b28a233ce666712707bfd1abe32b319e3422b1fccf11e87c91fcfb4f7af5bac2008c8a55fdb0cf418a3210ac1ea81bf593b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f443f5ecafaf7d1d314f6945bd6ad820

SHA1
ca0ff092b45a70c3b8d4130374155a3031c52cb2

SHA256
96e964111852640ef3e5aa60481f525aef56d79e79a89cee411da3930084a92b

SHA512
a869c79d9e73fc15612443017fe4af520e932e3a3dca72aa0af1084a0888394d51dfef2eb7d2d0d4776190e3154908fc8bb2b1f96b1f9ddec8ab59874c88e030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c0489a7b174a505b6aedd4bb0f689d0

SHA1
bf9dce126ee097f167e109266bb11c3512bfb09c

SHA256
9933db9f95beff9509b2e5056deea583260dd70ae0931432f27471ab9935d777

SHA512
f97c6b3e8bb0deddc4983e2fe87f2923f7f66d467af9080d55b6d212abb5a4007ef00c254f6574b834553e8c986173a709c0945e11e2c8ba5939fd2c1353c70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD3A5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD455.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tweC800.cmd

Filesize
188B

MD5
716517794d1a22790b2ed18933ca2dc3

SHA1
86c4fc95d686bd537d570cf3a4ad4cc585e1d719

SHA256
e843b722c259dbb0c6a4dc854c354d0dcb92703e9903b008e76e6a46a6581dc5

SHA512
fbf9f386be19f5f4914b4a19dc0b714807bdf3f10b5848d743ba44201e3a9a8391df379a1604e9e2aa6dd53c79f458346ce575f7f66400459c6cc933c2bab969

Download Submit
C:\Windows\SysWOW64\winbhg32.rom

Filesize
31KB

MD5
6a5797f2564e461b1e929bf74ffe69f4

SHA1
6ff1b9bafc9d6f687f4d1617fc327735f1864164

SHA256
f5b2c50c698781d74924cbfe2f33f18eb7f106d914f109d524c91abce163ff1e

SHA512
f65324e9c01a07b2147f06ca6b1f7f32110d5f184708799882664ff194196fd86a9cd0b22639f7466189baf62fc68bd54a9e1a67e373e4a2da8fab79739c0cb2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads