Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15/09/2024, 09:32
Static task
static1
Behavioral task
behavioral1
Sample
e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe
-
Size
228KB
-
MD5
e22db59e72bdbb53cdcff5ef7a4b23ff
-
SHA1
e1fecf9f8e9c5b96b36c3017b06469da0dc283f6
-
SHA256
13c0507b58fe2048b52f5161351ff9af22580f5c11e7105af52082b328a43597
-
SHA512
6d5a03700ae8c80642f97253073d0af8d6b87f1e65a67ebafc45013ba90e352482185474d25ceb818ded294d4cb531d2742c380afda852802980df3985bd1db3
-
SSDEEP
3072:QpKDbhozl9HXpKl7XIF3Uak/gkgZAszPw:8sho/54X69nHE
Malware Config
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4392 set thread context of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1513102393" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1510289715" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433157765" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131474" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131474" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{85A2CEDC-7345-11EF-AC6B-D20DFB866B4D} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1510289715" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131474" IEXPLORE.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe Token: SeDebugPrivilege 4480 IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2364 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 2364 IEXPLORE.EXE 2364 IEXPLORE.EXE 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE 4480 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 4392 wrote to memory of 1356 4392 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 86 PID 1356 wrote to memory of 4596 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 93 PID 1356 wrote to memory of 4596 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 93 PID 1356 wrote to memory of 4596 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 93 PID 4596 wrote to memory of 2364 4596 iexplore.exe 94 PID 4596 wrote to memory of 2364 4596 iexplore.exe 94 PID 2364 wrote to memory of 4480 2364 IEXPLORE.EXE 95 PID 2364 wrote to memory of 4480 2364 IEXPLORE.EXE 95 PID 2364 wrote to memory of 4480 2364 IEXPLORE.EXE 95 PID 1356 wrote to memory of 4480 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 95 PID 1356 wrote to memory of 4480 1356 e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e22db59e72bdbb53cdcff5ef7a4b23ff_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4480
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5b846b882719e09ee4996593fe9ce2fdb
SHA168f64b77cab775e1b90b563325c0bf42c60e30bf
SHA256bec22a671cf77d0beb4395abc6ceb14a9c02822997bce4b9f4b79ef54effaeb7
SHA512b1eec5f0ad9ff3142ef1c66ce9f615d9a5ff3dfef05693fe860defebd231b706a7c4fc05f591760762b600b1a386ac6474713c94f37e57667a20873267f20190
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5d0ce7b631afa1b9a876278d467300f34
SHA13d0949d8f2c240c2a0d48b6e800fee5c89434485
SHA25671073da32ee626f5898a4a212fbd53433cc080c99be03a4509a8fac1570ef071
SHA512f9ec55afd6204b6b957be90a4189f96c753194228019a368b4f1dc77b3f4f3dbcaa86e44fcaf5281f802db12cf3718c0d861da94077b33185ffc72a588cf8a20
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee