5a8557d341b9ebcf16c8689a0508ab0d3ea9be3e04dbb3287ccb451db286ffb2

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1e121fa57685c18e9c687fa97e3a7d6_JaffaCakes118.dll
Size

66KB
MD5

e1e121fa57685c18e9c687fa97e3a7d6
SHA1

d0c556deb0266fe4163a591df972fcfb4abe0c72
SHA256

5a8557d341b9ebcf16c8689a0508ab0d3ea9be3e04dbb3287ccb451db286ffb2
SHA512

80739412ed6355e8dc002cad84e0eee8455bb256c51972ef362fb2e6dbc8fd0fc17ce645dfb00135776b0cdb9241e4e5be62238699165968dfef826057fe7a8f
SSDEEP

1536:oKaouK0rof8925RMehGW4a6cHfP35uqshuqRbWhi:oKaouK99MqB4ab356nKs

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2792	2768	rundll32.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{00ACC7B1-732B-11EF-8DAE-C28ADB222BBA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432543267"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2792	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE
780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2756 wrote to memory of 2768	2756	rundll32.exe	30
PID 2768 wrote to memory of 2792	2768	rundll32.exe	31
PID 2768 wrote to memory of 2792	2768	rundll32.exe	31
PID 2768 wrote to memory of 2792	2768	rundll32.exe	31
PID 2768 wrote to memory of 2792	2768	rundll32.exe	31
PID 2768 wrote to memory of 2792	2768	rundll32.exe	31
PID 2792 wrote to memory of 780	2792	IEXPLORE.EXE	32
PID 2792 wrote to memory of 780	2792	IEXPLORE.EXE	32
PID 2792 wrote to memory of 780	2792	IEXPLORE.EXE	32
PID 2792 wrote to memory of 780	2792	IEXPLORE.EXE	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1e121fa57685c18e9c687fa97e3a7d6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1e121fa57685c18e9c687fa97e3a7d6_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60312c280f6d603b60b889133da39ddf

SHA1
1719016d21c7b84afab4ad09b6c14d9f1e6b2e82

SHA256
1aa285637579dcd304c1360fd4b7ef90a9ce058f36910e8e3637352a4097f4c5

SHA512
887d5ed35f1b905a201924aea445669cb2f9b543a5fe7e23894165215414c4647daf0a405598322035f08ceabef95b926553b5f08480cd897a65b74a8d56dfd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
071a9eacef662846d1e3a38ebaeb3b91

SHA1
6ce4778d63218e22da6115052b3e344c97179e2d

SHA256
8753ce20ebc538af3c982b5f5c14c8b8e7cbd7b6b9376ba99e0a10d525752297

SHA512
9ea9d7b58c5dfe9ebbb8eef4ba16f579dc71d893ecc1e4359ecd6e628c787628ebdac838c43f6c79e1ddcf583a520aa6f82fb87fcbedae604a6f6686b0bbdf30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
544185ccb7d54ba3d753a23941ab8673

SHA1
cbd2003324522b0fb10824bb5e1f00a194d81a1a

SHA256
3e83f4e6271f1dcc84a065e0a0eadbcf7f3f1f93291d312c4d6c3e91d7dd8e54

SHA512
b63805e35a8c1848e7d9361e9f0c97b70bfe627f09ddef60fc8b9bdfaae656e21c7618012055cafe6e59fb335c07c81153faa873a96b5a79fe69e1a958ae65cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4584d9499741a68f28402e416b55c40d

SHA1
ab801cebd58573118f18efb9a45fb0a66a6c457c

SHA256
ef9c5af659f10dba568e5feea559ffe0216199a058521577db09445f542a9d60

SHA512
6bda7b2b35ea8ad42ad12b5e300b21f794a0a0ceef52cbef0275cbd957f3609467281ae0f4c3b7f4ce0dfdfacebc8294f62052dec42feed8ae50e7d04bca20b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32e619cb46a340c1154ac63286e3bb28

SHA1
244f0ef5509a17306247bf8fb4617fc5e29adef0

SHA256
37881128a93b21703bb5d20f73708ea6170ca791831b59608232d2cfdc0cd668

SHA512
285799a68f0a2d13df00a7996093d57fc39d2195f078010dab25a7296ef79686c302338fbbedfee32b9465e5c194500ba38252b622dbd57addc45578aa2882b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
997a86a9b479354af043372fa4a87bb4

SHA1
3e54bb7ddbfee6825bf2105338219f89a2a7f9df

SHA256
dc7df352df4b6a13db7008d9a1c7a53d859b9125289febeb7e2f02e5f94bf0ef

SHA512
8d3befd4959b543f1882080df267918cc2169de1561aaa5206d12d828a3738a9649a94911620e766ae062382352f39daac929cdb57b60c7e5145ed42587ed72e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c13ebe2f340e5d1e1696b0a0ae0301a

SHA1
4a11f1d0ccb97d0c6972de2f42b54762ca59bd15

SHA256
d521124160cb51ce82a9baa1a6d1b956d72ab193f4200ba46be03d3b2d2a5103

SHA512
e11262eb83d514cca98b1b9d2f4f5c01307f5b74ae4772e0cdbc5e01a7bb5a7ffcbcc5127cef6a053e980f06b7c3ceb37563c0819b90e1ac850e398a61e510c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f815cdcf3f76eb34edf028077bc3d959

SHA1
57215a4b480fc0ceae06679631154e5b14837c3c

SHA256
c3316f8950a3fca05236bd6d4922c60bc71f34f402e6a50ef16f555a5024b119

SHA512
4ccb512aa4dd92bda261a51aa1d0ea2a9282cdf543ba30d0cc96d23bc14fd4825ddca4be9eeb1ba99637351b3098d371a019912e809d6649d32fc039a20fca6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59b998ae41543add9affa7d1c2cf0183

SHA1
974ba1db0cd1bbc9e4686775051852af290e3588

SHA256
a1d59cee6043f24716397e02714bf214e82004eca9275baf1d68707621ec8d6c

SHA512
f7cddbbc0669eab5e84d37f10f3d10cba7011f7e77176f448adc1de226ddbdb37d769cba6247c8f2a2a10183ae9055ea769a8e871729cd4826ceb904a100400e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b35671f6de4507e736613e0401fb77d3

SHA1
9ea685efc6ba1333f6974ee8ea03da60004f6764

SHA256
5631fa916ba01cb2a0e4eea96a020fb0f02ec80e560311c357b899a4030eb4e9

SHA512
8d5832d207d3411b046b630116329ca3894b9d48419fe0fc1c0642082d953c577dd9ffcc43db934c0747991af3dd7ce0fda85fcdd8d6bc889ae779c9d681e33d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e61abcffa56deb90b2438c91366022d1

SHA1
f5ce892ae822889a182cf081239d4c8af576e25f

SHA256
d1c34b1d88dd6c161998c7973d03e54a5682ff8dd8204cb1c7851781a97c163d

SHA512
13c65586a45e418e40192a488d16c5f1e9db84407da27d34c36ae396bbfb4bce86b4ec0b278e9f46074004479fec53dbc211d70d0abb00a81fb05671be0ca827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03dcfdeee5dabfb9c907e877613f0c57

SHA1
cfa227a184f1df49af6a87911a52ed0e777e7568

SHA256
eed0c33645d86990af87be37bd983f36894d2c6a2aa65f60aa89ea36915299ba

SHA512
163dc563369fcba6605ab03a9787308092c3a9898c5b54d97c1239635444a691a138472a7af1b229aa4838ecdead764e8f53c1ac2060fe99c0074d89d1103be5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a19d3cca1b23eeade45c889d000f1b6

SHA1
279b24a1a6df6ff4b184a2dd65fcaf368d94f31a

SHA256
488ad615309666acee378ba7fd580f653ba1044f5076df372e266dd51d1793bd

SHA512
056de2a8f90c2e638986d3224152da95eb57e4bb933de3e9d78cf6a2a4595bd603f77390a7bfc1b66ece377374cef70120b163979b4d96eea66705396fb0b59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c90bf89abb356b7d822cd4aae39d8ca

SHA1
f22ee86f77d7054c918a2005d8e8b67910e6641b

SHA256
66d99152aa058a43fe48b1659562fb1c0a61a0951af6881756e4f20f1ce1fd0d

SHA512
dda76ef464ab56799eb0353fe5af3746bb84929465b68165c643bba24bfb678fab4fb3ba37c1866988275976ffdb696bdadce0cb05e1b06f545a52067fa340e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f6b7099bea091bfaee8dda449380c0

SHA1
310785bffd4e9571bb0284be295463c3d630fd4f

SHA256
f44e102b0c16d50207846e27a1fe1082772272836a09051c994536582459b476

SHA512
9f92bf6caeff53cb1016ef6d72eefa6f3bf7dc3e45d5424b2ef19a0b305136077149d7b42c622650142e5d20bccbda1b2358f976377d0a5987711de151239036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd074104c637f43312c1defa433a24bb

SHA1
4be3c6b90f3a3d6533ea448475543938ee9df210

SHA256
31628e4fba6476f89a3fdc257fc46c1ea7284a2192d47ed2a42f78dec4827a7f

SHA512
b067acc60c0fecaa381e0ddb18eb9f07a9b38429f2e7772b170feb3d1e013c9d6d89eaf8ba6ac20c4710e1dff5e898d52e79da62d6abf4fe526fac446ae3687d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f096417ca80281cef5917e48821d5ed4

SHA1
ade58ef4aad62fb2914133556cb58599e8774c9f

SHA256
68525e652931d95015830b965001ca9eac6ebc899327fec13900f68e6bb12120

SHA512
f335f88f41f36857d301cf10357ffea7535ca08dd3b4ef04dc8f643ed149c363691215949c5994c6766572e69a59e07f5e14240dbb2d8e9814e8f556142a03f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
127079c8954a034da16db0278d2813af

SHA1
19f6867f6e89e232f7962d36dcdfe19b283eb9ae

SHA256
cc4771491e18638bfd751b303b0989ef09912fc082066d12e3e5ee80d51b4739

SHA512
c661f747a5afd93a319f5de7734e8779de7be622918c4be9fbafeedc81713f5e791acf240cd6a470c825b9e7fbd5e886a1ec19cb259c0aeece2fa2569826c48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0a4d4b19bcecdf3a4b443c36d1e19ec

SHA1
0d0974fc4497776603141085f4c2f4e437b5e314

SHA256
dcdc62622e607ae820cdb94262234e5f516e441e3f27e166b454a3b42bc720a9

SHA512
67907228f9b4fc8ac8818161ffe960aa9331c25c12a3ce6535254e19a766a9ef884d5afc49444e09084ff898547109ed1f521b284f5612082af200f0c3307083

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab592B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar599B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit