9b6247e71ab6026c5622b3b27627205072ce2bc6ac7043fc1d27d13261faa9cd

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
Size

89KB
MD5

eb1f0d66d83d6c92aca7f5488487c606
SHA1

1eb75c48fabbb85894ded839e6a6da73a702d594
SHA256

9b6247e71ab6026c5622b3b27627205072ce2bc6ac7043fc1d27d13261faa9cd
SHA512

6de9c5d7fbd28f51682c72ef40178a3a8beda48ec165cae2a0d4510d28335dac979265d449d8e3a397b881f2d9c714fe5de18d9832e449edce6e517128180cd2
SSDEEP

1536:20sq3eLAW97ti/usXNuAdQgYK/qlhvnNTslSAg75FShpRrufceK+ZCl:gd97ti/39UR6q/NTsleHSnVhV+ZCl

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe wintms32.rom,IlmXkq"	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wintms32.rom	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wintms32.rom	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2552	2668	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3B3F0FD1-7670-11EF-B729-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432902857"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2260	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2260	iexplore.exe
2260	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2396	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2396	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2396	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2396	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2260	2396	cmd.exe	32
PID 2396 wrote to memory of 2260	2396	cmd.exe	32
PID 2396 wrote to memory of 2260	2396	cmd.exe	32
PID 2396 wrote to memory of 2260	2396	cmd.exe	32
PID 2260 wrote to memory of 2680	2260	iexplore.exe	33
PID 2260 wrote to memory of 2680	2260	iexplore.exe	33
PID 2260 wrote to memory of 2680	2260	iexplore.exe	33
PID 2260 wrote to memory of 2680	2260	iexplore.exe	33
PID 2668 wrote to memory of 2260	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2260	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	32
PID 2668 wrote to memory of 1240	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	21
PID 2668 wrote to memory of 1240	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	21
PID 2668 wrote to memory of 2924	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2924	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2924	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2924	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2552	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2552	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2552	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2552	2668	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\kFsA479.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 124
    3⤵
    - Program crash
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea726e647a0461bdc7123b00546307d9

SHA1
28d9142816964f67c58695d7aca4279e4a9dae01

SHA256
4e8ed9463b1255880a1fe876f13308c43ed056a23d54e07b982d15682c713f7a

SHA512
de5a3084f2f6f9083e942ae022f17ec2442f70ab6f981455f1b5ce196e28bdd2e2e6b5288d85518c4970573b3b6aa4a2a023c522e4444c9cf60b56aabbb57d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c5a73ba517ed2a9641b5824bcb47c48

SHA1
7ab0bb72b6cf47a110004dbc09537e7d1877d785

SHA256
0a9255053aeeb61f145800238ba4478bc2c9f9be80a6b1de5f56e60aabf9ac71

SHA512
fa5e45f23fde0b988228667fc6d1546cf7cd98e0e5ae20c4e6b40161378fce522adcadcc8568471cda3e4c5e8460cec520d34ed3e18bda821825206c1e6cd56d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30b9e9e297b238ae073ea235595820d4

SHA1
cacdb4e1544dcc685edbdda5b6d950741406790b

SHA256
f93e94d400123b6b4a8e6720756fbfc2f32d806549a219b6c81b245cd2627bb7

SHA512
a3833570f2a9c328ebb8f3cba76a793a82729752248809cc06c942db0ea2da941be53764cba024213afd7198dc2852a518c2028c76b011331dfc2c70b3947b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82f36da9e55b784fbe6b0c77369e1f1f

SHA1
fb03215ad70a79fc78848ca9c47f060216fe7391

SHA256
ba7993a338645523645c91b81359126a7be19b203165cd101adb9c3db52a35da

SHA512
e17800bd5cc7a621fdff692a5ff2f87fba814366d8d9d3d4f93961ecd70ae21d57cfffc0d712a16c680254e2a470b335df5f1a93786332e7cbfa341c18a1735d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d960786ab558feaf8d97fabd7a814a5

SHA1
f3d0fb96d7fa907a44c94e05026b89225141617b

SHA256
8b7f859a13c4c8212eca43e1b2a279f6880ef2a2574b6d34c601d8ca6d3858a7

SHA512
636a5ccc71589c3cd92b3816d3f95170254781340d3971778dc2905f150fa000e97e5ee1b8676df74de414062160262837d697368550f4c21d3ee63adc7aee2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b418ddb6598d95b59c8e0f40a09dfc

SHA1
8f41c42add6b2acd499c0b0ee16e28c9121c2c1e

SHA256
ba7780217d1f1529a7e91d86fe92ad5298a4ae686248ec04d3678d0c53d06e3a

SHA512
57b0083de31dd95f0b19fcd1901a4ec3b3d85ea86bee54ed5ca391cbbc528fb94bb1e0e8fc88afd982369a3cc7aac71a1d920018a97561c74aa06e70099bd114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b5b4ffcabd1e26ecccb0e37c7244264

SHA1
ad68449ea12f5619dccf14b972c76dffec4c8042

SHA256
bc69805fa7c08acf654c35040acd1484adfcd4c2ee402d4f36675beefe04bfef

SHA512
9f3cd290f210e00bad0cb4982b54d90e2c851f43f274be44a5b84adf101f35f86cb12217da4b718700a6df14547b0e3b227adafd114d1b62e57c0abf64460cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b35237d1e287ed80c0b0ec9f77c0f410

SHA1
677d3af7c7f1f8dbdcf24910e387b23d553cd4c2

SHA256
b3d63c9a392d927d08b023f06a83003060ff686e7cbb973979ff510d46ba804e

SHA512
9e1046682e63edfc00e6698c28e575bd582ff9555142c01c5c2e6dede7d375e9be893a4f29838f209e697429ea45a78939d5696a46a41edb4ce159b95213ff41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a7471b509d89a8766b84693c6180ac4

SHA1
7998bcf2c4137eb24907472457cd8ecafe43b748

SHA256
ba6bb8ab9e8261e40c402344f9e5fd746dbc61fd7c285831e7c189ffd6e2c0bd

SHA512
14959b0ce5c35dc093f12f51bfd3bcb4ce7591ffb1f60ad4ca95e3ba3e1fba164274b81ebd5951bbd8b68343607c4a605c3d562f349b1e929135608536fc4362

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF38.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFsA479.bat

Filesize
188B

MD5
8b95afbc8281f247939b1be6acaa45ea

SHA1
f0ef3bdf117a1a2a93f355f86a99e9f1a606bdac

SHA256
7f7165b04c7da7eb305241163ffa2472d2894b549b36f1980e70af37681f651f

SHA512
0127cb92f88b296d662b4935c466a127c1809a08068686e5c7586a544f4b76d62e3b8e355c83b865e1af9e6c30b4a1a901486b5cc8c777ee67eb946aa548f50f

Download Submit
\Users\Admin\AppData\Local\Temp\kFsA479.tmp

Filesize
63KB

MD5
55b54e591c35c961f68f88b4b326f48d

SHA1
bcca3e3cf819cc0b80ee2f774a7840bd1e13ac39

SHA256
09c7d875331a698ccf9011f7d9f38c3ce970a9af2ae43d81b2cb4c314a9a16e2

SHA512
6644a19e632d1f08634cf07e589daf7a6e6e5b61a6a5015c02b6f145a98770f8fa25ea6b68f7a2f2349b223844981f60979a89c2abd011354a4f55127cf59dec

Download Submit
memory/1240-22-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1240-25-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads