f05732d37fb3260f2c5d5848912045bb1e957a87fa5cdc6a7894b6c57b939693

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Size

72KB
MD5

db984eeab2b1938d42e36af3866465df
SHA1

7b010b5a108218886e75ff25bd0af5d82aa90d4b
SHA256

f05732d37fb3260f2c5d5848912045bb1e957a87fa5cdc6a7894b6c57b939693
SHA512

a9541a765aa73cbc75b864b04fd1e283d41eceb0f6e2f2443a02cdc49b3a4f40fd6559e8fbe416a3202745509da41b85b0f3e76ad349870c3f44bbbf0dcd0292
SSDEEP

1536:olfYR5Y/RG3JT5L2dwvmdrBGofxmpMTui+9MXELP8bRrytGj7tVhkseRaCOMd5nf:n5wGZF8COM/

Score

7^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internat Explorer.url	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2796	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeRestorePrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeRestorePrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2464	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2780	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2780	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2780	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2780	2888	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	31
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33
PID 2780 wrote to memory of 2796	2780	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempIE.reg

Filesize
2KB

MD5
a4866b9363434ee7c0ebe95ffca7f081

SHA1
b2a7c0ab99bed10f05db6549414644531e9c74d6

SHA256
07d7ddfc0526fda0116c96222a522c1f64f2c0516d3cba8d9ae3c5bb4eb0788d

SHA512
9969fae7ad2ef5260410ce95bcd015a6bbbe792e7157f11e940dc205c777a88bc05f66fb63fb2138d06f62afc8610943f965e1dd47597d0b63810d2a622f48dd

Download Submit
C:\Users\Admin\Desktop\Internat Explorer.dll

Filesize
91B

MD5
b11c0621838245efacf36414b2cc0cde

SHA1
77ac5a02290dbf2693c4c736e155d32f370148dc

SHA256
c1fbb7ce9a3ab335cba372eada1b2559e2beb002aff10bcd46d869e085900969

SHA512
39d4b2d3224961478f0594b506218bea3a8ddafade2a94e6d1ebb864b75bf9babf3d0ac402c2fc1d81e468bc785ca241b530510612a6123764c7f480ba2450a0

Download Submit
memory/2888-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2888-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads