f05732d37fb3260f2c5d5848912045bb1e957a87fa5cdc6a7894b6c57b939693

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Size

72KB
MD5

db984eeab2b1938d42e36af3866465df
SHA1

7b010b5a108218886e75ff25bd0af5d82aa90d4b
SHA256

f05732d37fb3260f2c5d5848912045bb1e957a87fa5cdc6a7894b6c57b939693
SHA512

a9541a765aa73cbc75b864b04fd1e283d41eceb0f6e2f2443a02cdc49b3a4f40fd6559e8fbe416a3202745509da41b85b0f3e76ad349870c3f44bbbf0dcd0292
SSDEEP

1536:olfYR5Y/RG3JT5L2dwvmdrBGofxmpMTui+9MXELP8bRrytGj7tVhkseRaCOMd5nf:n5wGZF8COM/

Score

7^/10

discovery persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internat Explorer.url	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1256	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeRestorePrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeDebugPrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeRestorePrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
Token: SeBackupPrivilege	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1816	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	84
PID 1336 wrote to memory of 1816	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	84
PID 1336 wrote to memory of 1816	1336	db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe	84
PID 1816 wrote to memory of 1256	1816	cmd.exe	86
PID 1816 wrote to memory of 1256	1816	cmd.exe	86
PID 1816 wrote to memory of 1256	1816	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db984eeab2b1938d42e36af3866465df_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempIE.reg

Filesize
2KB

MD5
a4866b9363434ee7c0ebe95ffca7f081

SHA1
b2a7c0ab99bed10f05db6549414644531e9c74d6

SHA256
07d7ddfc0526fda0116c96222a522c1f64f2c0516d3cba8d9ae3c5bb4eb0788d

SHA512
9969fae7ad2ef5260410ce95bcd015a6bbbe792e7157f11e940dc205c777a88bc05f66fb63fb2138d06f62afc8610943f965e1dd47597d0b63810d2a622f48dd

Download Submit
C:\Users\Admin\Desktop\Internat Explorer.dll

Filesize
91B

MD5
b11c0621838245efacf36414b2cc0cde

SHA1
77ac5a02290dbf2693c4c736e155d32f370148dc

SHA256
c1fbb7ce9a3ab335cba372eada1b2559e2beb002aff10bcd46d869e085900969

SHA512
39d4b2d3224961478f0594b506218bea3a8ddafade2a94e6d1ebb864b75bf9babf3d0ac402c2fc1d81e468bc785ca241b530510612a6123764c7f480ba2450a0

Download Submit
memory/1336-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1336-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads