9b6247e71ab6026c5622b3b27627205072ce2bc6ac7043fc1d27d13261faa9cd

Analysis

max time kernel
91s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
Size

89KB
MD5

eb1f0d66d83d6c92aca7f5488487c606
SHA1

1eb75c48fabbb85894ded839e6a6da73a702d594
SHA256

9b6247e71ab6026c5622b3b27627205072ce2bc6ac7043fc1d27d13261faa9cd
SHA512

6de9c5d7fbd28f51682c72ef40178a3a8beda48ec165cae2a0d4510d28335dac979265d449d8e3a397b881f2d9c714fe5de18d9832e449edce6e517128180cd2
SSDEEP

1536:20sq3eLAW97ti/usXNuAdQgYK/qlhvnNTslSAg75FShpRrufceK+ZCl:gd97ti/39UR6q/NTsleHSnVhV+ZCl

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winlta32.rom,IlmXkq"	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winlta32.rom	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlta32.rom	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	4860	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132285"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132285"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "311640413"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3E2E7991-7670-11EF-9A03-76E8F1516C8A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132285"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "311640413"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433505967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "313827794"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4788	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4788	iexplore.exe
4788	iexplore.exe
3764	IEXPLORE.EXE
3764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 372	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	82
PID 4860 wrote to memory of 372	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	82
PID 4860 wrote to memory of 372	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	82
PID 372 wrote to memory of 4788	372	cmd.exe	84
PID 372 wrote to memory of 4788	372	cmd.exe	84
PID 4788 wrote to memory of 3764	4788	iexplore.exe	88
PID 4788 wrote to memory of 3764	4788	iexplore.exe	88
PID 4788 wrote to memory of 3764	4788	iexplore.exe	88
PID 4860 wrote to memory of 4788	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	84
PID 4860 wrote to memory of 4788	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	84
PID 4860 wrote to memory of 3512	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	56
PID 4860 wrote to memory of 3512	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	56
PID 4860 wrote to memory of 3500	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	92
PID 4860 wrote to memory of 3500	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	92
PID 4860 wrote to memory of 3500	4860	eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb1f0d66d83d6c92aca7f5488487c606_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start iexplore -embedding
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4788 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kFs8ADB.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 492
    3⤵
    - Program crash
    PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4860 -ip 4860
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d05db975cf07282910d2eeaf4d1d6e0a

SHA1
ee43161120259ffd9a634c71ad97a786a228c559

SHA256
3198a8f5168605583124b415310f2b135b6233cd3ff9d3bec9b064d609f86e5e

SHA512
c0aeba576a2b4baa4c38b4b4176137c3c72a426e222cf16424e333cbeb16e559499fa9c70d200adcd71bb012c35e65478772879071c80f7f9a2b945c9f6c0f3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
472ac3476fdd9e1ced1386b9e125428c

SHA1
66a41c70294cd13e7c34f21506359ff222744e0a

SHA256
6acc82923fb8a4cefc073c3e6febb97f02c57a97acf4cec47d662ffa086bf06d

SHA512
f4049ad6526f76f26f9ad91d84a0a734e8fa21935d46ad1a98a837d4eae9ee4107cbd32fab415ed7071459d5bd262f6c6b1aaf400f1a38847d68b2944e7e0c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGWUB7UN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFs8ADB.bat

Filesize
188B

MD5
4c082fdc68956688cab9363e60ac86df

SHA1
cad522857fa64020901b6e84f5b195a51a3bfa8d

SHA256
142c9d831ed1898122f06cb68eea9d2340e595ab83f11b2eacad8e8497af59f7

SHA512
e4fa8f0356896440158917bfebed8f76938f1c8a6f5f6dc76ecea4d3f8cc66d364f6626261da0cda6c5ff937e8a9d2b00b93cbe4631c7eb8c005ddb3a50d7140

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFs8ADB.tmp

Filesize
63KB

MD5
55b54e591c35c961f68f88b4b326f48d

SHA1
bcca3e3cf819cc0b80ee2f774a7840bd1e13ac39

SHA256
09c7d875331a698ccf9011f7d9f38c3ce970a9af2ae43d81b2cb4c314a9a16e2

SHA512
6644a19e632d1f08634cf07e589daf7a6e6e5b61a6a5015c02b6f145a98770f8fa25ea6b68f7a2f2349b223844981f60979a89c2abd011354a4f55127cf59dec

Download Submit
memory/3512-8-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads