1b8e67b0af971a2ab6420bd89266eaf2e63df1404693e925b29654cc6207ffa1

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Size

1.3MB
MD5

e175e8276f1208dcec6a32772ddc0d8a
SHA1

dcc339801d3906cef95eba7a0009874447f64ed2
SHA256

1b8e67b0af971a2ab6420bd89266eaf2e63df1404693e925b29654cc6207ffa1
SHA512

d19f73dda7b6f4954c11a53cdc99f8481fccda33f9bc907120b44cc0935adbf616fc2a62990c665ae912fc24616fec88b99154bb49f04b867683c5c0f40b5c6f
SSDEEP

24576:jzh7ESnEM/iJZMT8v7pNKuQKiOuK2rpfnG0AU0EjOhC0TGbQU9YwIB0/xj:PnB/igTYN3efKMG0rrORTcQdB0pj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	TheWorld_3.0_2.exe

Loads dropped DLL 63 IoCs

pid	Process
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
2696	TheWorld_3.0_2.exe
2696	TheWorld_3.0_2.exe
2696	TheWorld_3.0_2.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\newicon.ico	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TheWorld_3.0_2.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\ShellFolder\Attributes = "10"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\ = "Internet Explorer"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\Open(&O)	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\Open(&O)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE http://www.6781.com"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\ÊôÐÔ(&D)	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\Open(&O)\Command	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\ÊôÐÔ(&D)\Command	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\Open(&O)\ = "Open(&O)"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\ShellFolder	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\DefaultIcon	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\DefaultIcon\ = "C:\\Windows\\newicon.ico"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09860117-AE68-60e5-9DBE-C2C2388A068A}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	TheWorld_3.0_2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30
PID 1616 wrote to memory of 2696	1616	e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e175e8276f1208dcec6a32772ddc0d8a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\TheWorld_3.0_2.exe
  "C:\Users\Admin\AppData\Local\Temp\TheWorld_3.0_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
99250c52384111a9f14d9ae0605d5432

SHA1
585549d6d3afa16b0e9f93f6ec74491cc9c26bae

SHA256
bb3965eaee45730a628c2d8f058cf1864dc6469eddb9035890971190842541bb

SHA512
2daab9dd9b58461db875af98d50511b61344c9772c2eeb8124850863e20f92323204a92fc99f759c7359322c064ad6010c5a3ae1fd2ff4a259ad896dc7ed907e

Download Submit
\Users\Admin\AppData\Local\Temp\TheWorld_3.0_2.exe

Filesize
1.2MB

MD5
d7815749e92423db8d299dcffead2356

SHA1
e6fe7c7f9ca6095d2e5472507c1dce7aea18a149

SHA256
7f4783ca0752a62094ea8461bebd44368de3fbedf97896e74c8aa343dd89ae94

SHA512
18cce28cf2557789153e289e80b73ee1e0822c6b75957d2771eb38657dcabb18528f9ecc748351c1fbc074a2e43e3c78d0172f4e9b57adeb9cb2384db3fe9cb4

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD00C.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit