29ad63398b720cfe2368fed8be94624fc836767e80d1f542de432ecd84532d0e

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe
Size

6.1MB
MD5

dc64ef7c28304f513fd2765e8939fecf
SHA1

a67d197f0536c4c1f8894e3cdd4ddf7717522823
SHA256

29ad63398b720cfe2368fed8be94624fc836767e80d1f542de432ecd84532d0e
SHA512

8bf6a611d141250bfe3fa15b907759d0cd44f004c7dea02f03e7dc7f5804024ac10d771e3b277d816e784d702d320e6b473e909c4c95f0eb1a507bfd751e4d59
SSDEEP

98304:NEIa19rSqD4GL7PxJT09myq/kmqxQL+Q4xuORJusakY5eQRUJJle1YQfUtB:tYJJlrT09myqMpxJuU3OeBJyVfUtB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	autorun.exe

Loads dropped DLL 1 IoCs

pid	Process
2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	autorun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	autorun.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe
2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe
2840	autorun.exe
2840	autorun.exe
2840	autorun.exe
2840	autorun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2840	2472	dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\dc64ef7c28304f513fd2765e8939fecf_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
dc67cb6957fd9dbcf8dc8ba9b2318b0d

SHA1
3e096dc880704a7be5794bfb443b17c2f90b0a47

SHA256
36d33a3eacc4f69eb1d769864775987d5eedeab230db868a491f1ca875f7ccca

SHA512
2302732fdee6ead83a5839f8a9d153185685421c8c852ce5d110ccd3fc311311dbb40953d82a56461bf74fab39e8fd78789b828a9dc528b2b6642f2e3e62c4e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
097eea1b227d76ac354b53d9b214cc1e

SHA1
ecccd8995681f3e2e24e9ef5160dca88bf3e612f

SHA256
540bb3b7858e0d568753488d5902358e220c6c5a3d9ac0c4f5f164b8781e8d02

SHA512
4c73a88245868eb6826dc759bac830efefe2af1ac98d482eb4cd8cb22826845325454752ce61b2be91c6d76df739ecf1590eac65081b72b1ad22635d9c3979d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_F968CA97A68F4E6D5C104EC7FE3DFDEA

Filesize
402B

MD5
4e1aa5786c04ad3c0feaa5b2aacc3e15

SHA1
cb3038c1139d5190fd1702e0b4dca08bb1d6d20b

SHA256
4db589c30bc7583140a2ed227830a0cad2e32cea9ff32137c7d412b45a483fe9

SHA512
42d04f47587479154f10f4d85eef05c47f9691286c2ac045d1f9503d6ea6d408f746c808682cd11a58ad4a04215a00ff7eb4ee095f6aa4790de35481403666d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Acik Kirmizi.Btn

Filesize
7KB

MD5
6c41af617f4541cd42bdb683fad2f056

SHA1
af615b51079cfe65eefd574b9b300c17c94a4c56

SHA256
48f114847f7ee3a256af7bd423fc953a682e46c60d6f518d27afb1c46bf10be9

SHA512
d507170d38905033ee6ba5aa1c7174e562edf27fe0c3338b35c8dbdf51fbdb2add69e7a7236bc13b26a98611cbc6736364a418a0018e61bbfcc3bb9828f9f6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Fireindir-1.Btn

Filesize
3KB

MD5
c0384f5ba18f1d9de756038be018c971

SHA1
ec43513055a55faa1088a130627d84b2906cdd95

SHA256
d1a28e907ac9f4e69eadd0ed6d518195bbb43a0834a3e4eccc9d7766d0cd1def

SHA512
7f8c95971972b54257b066bd387d6f83e2b40011e50c85bf69417f57a13db6ecb529331d3a4316ea28e286fb57dc57ed6e1bceb00ea79de8983b2db1d4ecbcc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Firekapat-1.Btn

Filesize
3KB

MD5
3c43e0a1f58534c58222a9112c84b6c2

SHA1
c05a960ad42b5d6f175e01ad04f3865dc31bd69a

SHA256
951b7d607cefc4d0bb904cb647d92283507c0bca2036fdcfb999f1d37b96f6d0

SHA512
10d3c33504f023939d7ca3224c788889d236ff907ca58650f3567e0b21368907b8c06042c82e1b6306ffedcd54d3af0c6d90d93af6a20ac0907f5bf195def45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Pause-2.Btn

Filesize
20KB

MD5
dedf08407639247d6bc316bfcf9d64d6

SHA1
b1c9598ba91c85ee3c3590e45803dd65ede5c34b

SHA256
8e138e8b4b8e33a9e1e5be7cafd9448ce6cb861210b4c7662f9cc3f619bf5d21

SHA512
e48cde1d8efa813f054aadba330be74ca842194a21c9b4d77b06e9220be6f1f021013612c665af286e1285da5532c4a10db9c37dde264db37c486b3df4d56382

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Shanex-3.Btn

Filesize
20KB

MD5
16c39f1aa07832551e4bf0d412f674ee

SHA1
5669148f5d913cbc659ff171c0f9bbf1b4a89093

SHA256
829b3d6f748a635680c6f82761266adfbb8e31d8ae6cef049449a8a0e4061f3e

SHA512
4a64d74acd1bad0b16eb38475b5aa4833cfdf3448fee88a5f7863e0207f64eda4988989b37f66a61ad8963f5cc26a33f521341d0d97505c7d361f8ed9956539c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Buttons\Shanex.Btn

Filesize
22KB

MD5
5816462b175f89143de99564ffb20ec8

SHA1
e38b81ccf9704b4c24a4fe5c590a1b15d064919e

SHA256
f9f82111199f370216d811a19d5323c608ad5c5b4d16597956ef06fe07ccb57a

SHA512
84c8d155a2a1e073942f34f08671447aaa8c6101b41020641ab4fdad9c49865019c4b60ec1e0ae5728dcb7dd020fc5449946b8e4cb27003553de35bf0745ea1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\DjPyRaT!.png

Filesize
42KB

MD5
a8da0a8829a473bb6fb6f1c5a033db3b

SHA1
5d8b67ed285b3fd700906812b38654483fb36961

SHA256
c7557177605c0ece65a67193c2f98bc69735147efdc5680262c036d718d954df

SHA512
a69811d20942c4725c8134be9a6d31c1d6905d37c89b03df163f8b2e2e45f73ea1b9dc6040ad30376867d96a41d9a4a2a989362186df5a09323a4bbe3b6f1a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\skull avatar.jpg

Filesize
5KB

MD5
bd995c0c3fa5b43dd30d6ca499952c07

SHA1
c637d3dad4f746a7ec73ede189fd9a64c7d08896

SHA256
f413ffe29b7817c470094b46681369d5525c1379ec03e25dd6aa357f572328fa

SHA512
e2535225ac82358ba94a55a1af9f9aeb494bc999dc568e771060de3eb56bb1808373baaff638c8bb578c6da8b9eac4d240044bcd296557f12ab30e93b3dc3267

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\you are a pirate.png

Filesize
21KB

MD5
cff56ac808d3592706aa3b53f285224e

SHA1
688fc4c327ce649415d333d5477c2d99daa2574a

SHA256
688a6f3207b6a58f266204a99baaaddf567b4177d7d5f0c58df7640c518c1e04

SHA512
4bbc219aa8db3d936d28a1b1de91b7a12ced82fbffb9da5fb324df6e147aabb72d1a24bf2640ce84df84911119f947ae5b09c00443b1a89abd86171262b2acdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\You Are a Pirate.mp3

Filesize
286KB

MD5
2d98f5b31d424c6e55898b781e135b15

SHA1
768999be3cfd4107f24d43b31681f754ae516258

SHA256
4616cbe0d3f0520e6ef36df4b63e9040b203677eb0407b6485568959cf90ae74

SHA512
408c1389cb3cdb120f7d677cec99a1df49b057e9892c479c35c384c699ce942d1e4bb24c5c0538f63f99343571076a0e59e04193c4c69ff412814ce2d9475dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
676KB

MD5
15b31fa63dbd292c586c8431026815e9

SHA1
13a4177c92db5e26f281381c6b5e83cde28f8785

SHA256
9d069470cc491fd2e64eb29833add900cfdd6e7af8a5f389ee414ac5342d7f1c

SHA512
700a24dd05396b9b4d6e70a38067ccc8a6d28cbe589048c9cb67219345815a75d34a979940762c25adf02574a0c30828d0b9c02b444120a2a2f499edd22d85bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\Blank Red.ico

Filesize
264KB

MD5
c85a8ff4654c2d9dca2dc33a22e5b1c2

SHA1
63b3f2a46ff03449dd52b3d817f76751634e354c

SHA256
9fb532d1aea9aa20a5e2685122a846551f68ee8416022189d9d67f0b82ec108a

SHA512
2be570e41b4e73e139121d03b4034941b40028c420a9f79008586c6e071ce45eab58727fe4add995d780787e8ee0800baf05d88d47352ae06c21ea03cac6c1bd

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
2.7MB

MD5
2e5d84f170a33ed44a9eada85f58ed03

SHA1
d7ac11b209b89770fd5460f38c17a3ab5617f5a7

SHA256
f659ca020b97340542c45516fe8c3e97491a8adc769ec13602a3ace462a6e773

SHA512
7a94b0028e09702acd31b01957f73ead93afe03e794175d65452f41853c1055ea6e6fdf299e50e6e7012ae622edf2ebe195b826012a15b79b6967b583e7d76d2

Download Submit