e27a3a7f8a32f3cd4b44719a6857152efbf049a59868eebd70243218f51787d6

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
Size

696KB
MD5

eacfb08970148a2b303c10f5e772d960
SHA1

915cc0e0c4dd828b848f03c386e1764eb06f3292
SHA256

e27a3a7f8a32f3cd4b44719a6857152efbf049a59868eebd70243218f51787d6
SHA512

3a641fa2390318089a3fd22e1b4e5a93e2ac7f75140bec435a0fc2e02dd5c489b66f6f1de1cda8cf13911264d51b5e50229950a3e035078baa15665ded6e6fcf
SSDEEP

12288:oLlYqyXZusvu48SrxSY2x5U9CVq9+uJ7zk+nG8R5+YIHf8pw5a4EcieT:omqypXrxEACVq3JhG8RobEpcaxc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2308	CheckVer104.exe
2332	regver.exe

Loads dropped DLL 9 IoCs

pid	Process
268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
2308	CheckVer104.exe
2308	CheckVer104.exe
2308	CheckVer104.exe
2332	regver.exe
2332	regver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckVer104.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	regver.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2308	CheckVer104.exe
2308	CheckVer104.exe
2332	regver.exe
2332	regver.exe
2332	regver.exe
2332	regver.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2308	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	31
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32
PID 268 wrote to memory of 2332	268	eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eacfb08970148a2b303c10f5e772d960_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:268
- C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  C:\Users\Admin\AppData\Local\TempImg\CheckVer104.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Users\Admin\AppData\Local\TempImg\regver.exe
  C:\Users\Admin\AppData\Local\TempImg\regver.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcf8d5ac5bfa85bad666129753e6b1f4

SHA1
4ec18943262838df5367a39388e5536a340b3ac8

SHA256
b26c1c8df369c1fea288970f8b399ec44fef5e4739012fc57586c86432d256de

SHA512
1d5da90a4b091237a7bf6ff8c03179d62eaa22d9a0e41516b5434fef7043b5851508338f5b152041323dd1c9e1f4cdb3397ddc3c98636c30100a2b16e55d70c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
119ef831eaf1f1bbef502642b578b97a

SHA1
1826d9dfa3c9474a8f367ba6fc98428bcf626d67

SHA256
9803990953b6d6636be72bb5663aec260bdc0d739c5de979f24e042c2057f7b7

SHA512
a6237b6d30f5c4eb2cf7fff72c81817f2ce7627158d23bbe35fe6f1b4ffef5f5363fd6f43a1751e2ca907fa9d5415cc4908fe61de7add4c8ecc82889629aa559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47d7140d3a6817ffd9ff13687de4d43d

SHA1
32d22c5fac044d1cc96917d4d455626b9d3a175b

SHA256
10d4277cd184932d1b11837486bb0c0eaaac73e059d0d5da1000507dcb87b060

SHA512
6b05dfcd010592dd002ef2974cf285c8fdd0284f6168540f31e190ae334dea29dee22b2c7139ede8e6e2b3437cad9809e84712654d51bbac72af111b9cc8b60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8fc8d82451654349ae898f0bc173488

SHA1
9789847614236e42bb9ba347c318d3fc5840ccf1

SHA256
68c19f660922adc354ff6bc3f3afd32b415343d96645fa7bcb1ed5a7cd31ea72

SHA512
21b7cb1d818a78ed995294b5ea5605c869fed4d2b29a438427e124feffb84f8d5ee44c9335e24ae4008997d362d3e2750d3d30f4835c4545067dc65b5f4cd4c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
087852748f64f7e039dbb639918a802b

SHA1
f6d3b813dcd6ad826bd795648b18b03ed9e9b9c8

SHA256
d4a51ef19a620da25d286b90319663fc10ad76794c95c49ea7f72557cc844dcf

SHA512
a395480ac7fd2dd6ce79c5da22d921233188828b8376d0e4cc574e08a999b971422acd8d74780f3e1705f1d24c76c5ac3719f3f99c3f456630daaff29d05878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAC1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\TempImg\CheckVer104.exe

Filesize
332KB

MD5
fa199dffc4991a36725e1a2d272e787e

SHA1
68c1db76a8080782e3f450e3f724e4e1564b18f6

SHA256
13c8453cb118d3f9d2dc2a1189633ab10162f902758320487f03daf124c4bb9e

SHA512
8dc6a2369dc87148ac45cd6ae37f33fcb32c4fd863d17f6166a41c7a4ef40edd6a4da0f57536f382e550add791bf678a5116e0f1cb440649be1b924c3a31a520

Download Submit
\Users\Admin\AppData\Local\TempImg\regver.exe

Filesize
290KB

MD5
9181b183dd3096301e7211ed0312de8a

SHA1
0c321747b581ad79da70dc9aab183cc12c3bbefd

SHA256
202fcecc53f1ffd2d1d85cc4cc79a24ae37285ce564e15615b5d13ca69487968

SHA512
5316e0511746c75603ba02eaf79b9aafbb29356f94279f466d3f17e9894082f14cf052ca3b8f52a149815e8c9b58f5d4b02ef1dcc3d677dc27032480f788adf7

Download Submit
\Users\Admin\AppData\Local\Temp\nstD5E6.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
\Users\Admin\AppData\Local\Temp\nstD5E6.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit