Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
14-09-2024 11:49
Static task
static1
Behavioral task
behavioral1
Sample
e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
-
Size
407KB
-
MD5
e01ef79a1cb863bf492e6fc897e082b1
-
SHA1
a8ca9c96b3d302a6745bb3b750618c47ca363791
-
SHA256
982463319365a4631fadffa71c9c2e3e09960ebf63fa6d2a12ad7b266f8f0a94
-
SHA512
c3a14e80ffc8a56b815081de54101b4427ca577dc1e9411192e754690b077fc96d97a8721a2347f4927b572f4409f7a262d7212669af8f0484239986b7ffc675
-
SSDEEP
6144:ZlAaufhEKFswx+w9IhSs/gRiz4mGQJmhYAS24Ec1+HkvVqUU/sID5NSMXfNM:OmAsw8ANs/WiMTQpJ24EccHkdqrU45J
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Process: e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyutimer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe"
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Process: e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies Internet Explorer settings
Process: e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.on45.com"
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Process: e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\start page = "http://www.on45.com"
Suspicious use of AdjustPrivilegeToken 4 IoCs
Process: AUDIODG.EXE (PID 2368)
Token: 33
Token: SeIncBasePriorityPrivilege
Token: 33
Token: SeIncBasePriorityPrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
Process: e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe (PID 2720), 2 calls
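As an added illustration, not part of the sandbox report or its vendor's tooling, the following Python turns registry events of the shape shown in the signatures above into severity-ranked findings. The event lines are constructed: four mirror the report's IoCs, and one is a constructed benign Run entry used as a control. The severity levels, the WRITABLE_DIRS list and the ATT&CK technique mapping are this example's own assumptions, not sandbox output.

```python
"""Rank registry IoCs of the kind listed in a sandbox Signatures section.

Added example, not code from the sandbox report or its vendor.  SAMPLE_EVENTS
are constructed (shape copied from the report plus one benign control line).
Severity levels, WRITABLE_DIRS and the ATT&CK mapping are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xiaoyutimer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe"',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language',
    r'Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.on45.com"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\start page = "http://www.on45.com"',
    # Constructed control: a Run entry pointing at an installed program, not a scratch directory.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]

# One report line: '<op> <key>' or '<op> <key> = "<data>"'.  Keys may contain spaces
# ("Internet Explorer", "start page"), so the key is matched lazily up to the ' = "'.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \([a-z]+\)|Key opened|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)(?:\s=\s"(?P<data>.*)")?$'
)
# Autostart keys.  Wow6432Node is the 32-bit registry view on an x64 host, so a 32-bit
# sample's Run entry lands there even though the platform is windows7_x64.
RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
IE_START_RE = re.compile(r'\\Internet Explorer\\Main\\(start page|default_page_url)$', re.IGNORECASE)
NLS_LANG_RE = re.compile(r'\\Control\\NLS\\Language$', re.IGNORECASE)
# Assumption: a Run entry whose target lives in a user-writable scratch directory is the
# strong persistence signal; entries under Program Files are reported as informational.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK ID chosen by this example, not by the sandbox
    severity: str
    key: str
    data: Optional[str]


def parse_event(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split a report line into (operation, key, data); None if it is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")   # the report doubles backslashes inside quoted data
    return m.group("op"), m.group("key"), data


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the three rules above to every parsable event line, in input order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        op, key, data = parsed
        is_set = op.startswith("Set value")
        if is_set and RUN_KEY_RE.search(key):
            target = (data or "").lower()
            sev = "high" if any(d in target for d in WRITABLE_DIRS) else "info"
            findings.append(Finding("run_key_persistence", "T1547.001", sev, key, data))
        elif is_set and IE_START_RE.search(key):
            sev = "medium" if (data or "").lower().startswith(("http://", "https://")) else "info"
            findings.append(Finding("ie_start_page_hijack", "T1112", sev, key, data))
        elif op == "Key opened" and NLS_LANG_RE.search(key):
            findings.append(Finding("system_language_discovery", "T1614.001", "low", key, None))
    return findings


def summary(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:27} {f.technique:10} {f.key}" + (f" -> {f.data}" if f.data else ""))
    print(summary(results))
```

The "Key created ...\Internet Explorer\Main" line is parsed but produces no finding on its own; the two value writes under it are what carry the signal, which is why the rules key on the operation as well as the path.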
Processes
-
C:\Users\Admin\AppData\Local\Temp\e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe (top-level process)
Command line: "C:\Users\Admin\AppData\Local\Temp\e01ef79a1cb863bf492e6fc897e082b1_JaffaCakes118.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:2720
-
C:\Windows\system32\AUDIODG.EXE (top-level process: Windows Audio Device Graph Isolation, not a child of the sample)
Command line: C:\Windows\system32\AUDIODG.EXE 0x4e0
- Suspicious use of AdjustPrivilegeToken
PID:2368
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\db124[1].css
Filesize 2KB
MD5 c98a40408763e2954aaccfdd814c62f7
SHA1 a7d8ec87749864eb8f4bcc80b29b68f314dcbe5c
SHA256 a4638592d8f7845d59747164bf096e34fede3f8688a11fa3e707735ec432937a
SHA512 a8472e46cd89d9406e2751b9b7c938a61a4f72718d489b96634ad29dbbaa1e35fc843326c245ae8df80dd6068a078a79c94424763d1b7b516a14bac05f1b9ad0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\1615d[1].js
Filesize 6KB
MD5 c0dc04a574108028bf6bde0c0e6d8e88
SHA1 61237ccd1f8af2ae508382ded36af62bd54cb6c2
SHA256 1a54a1907a6443e3c81608130bfed4546eb0ce5d0c8897e1d7a3b43d89ecc367
SHA512 5af5a1bad28c27553659e5579a9a151c7f30a898430fb0e5a1e4c96bda5a79b97ed4938e747e74da18ddf2e4e0856c8424346d91f96f3cf6a894364c848ae55f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\4155f[1].js
Filesize 8KB
MD5 769bcfabf7db07b899b8d717b5e9579d
SHA1 7a1b3201597f903d0141385322ad446a9e35d609
SHA256 f9f5d857f086299bfc4aaa2a8cf726455725726915d38b01ff46d310cfa109a3
SHA512 3e83cc83a87cb66d0c68129b69687042f751b379c96b65ef9fbcff48c5295f6de62d352f012b28a5eb135e5c3defa22fbaf9f16744929d2088c3a2bdb20431ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\0679a[1].css
Filesize 15KB
MD5 9a7d09a200c637f66b3e7ad0f9cf7f0c
SHA1 c00c45658197434e4065b143b9dbf7e261ae42bb
SHA256 8bc38a3ba348b745e3267b8354828f3fd3a91ba2b479331567344e33bb574580
SHA512 514ab0d44f53e6ff9a4e8a0cfd638a9f554ae4bb2f710d421e94925db5b4a4251de2d4d01be2ecc94348481aa64e5db92893a305ea5b0a029c0d0fd56e0180d3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\js[1].js
Filesize 291KB
MD5 8ab883befc53b590aa92693ae00a6d3d
SHA1 7ef72a2dddca11f1259245bfcb2ed607cd28ad1e
SHA256 f35912d7d8d9f8d6b5406e8506f9a126dd2be9a81ccc45da022d1ee6e8d4cd60
SHA512 12b2b0b69f15825a1533877ae7aa768edfe92ce9781de959e73ee1991afe3b02f71fab57d66119045cce666874ec96bbc4bbc33688fed75fb98607487dab2030