89cc11f08c9cf6d41f66e828f58916f2eff32ed825f318fb5fca9e9ee623aeee

Analysis

max time kernel
150s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Size

214KB
MD5

f6e74f4a2087959df8df56b7769e2c00
SHA1

443ad2c374e7380d7a8249b1986b5351a69b5a9d
SHA256

89cc11f08c9cf6d41f66e828f58916f2eff32ed825f318fb5fca9e9ee623aeee
SHA512

e3b22cde6fdec815046c5b9e148b85395cc10edcafca50285e8c6cd9f19a2087824e9c065bc8b185625acc39a9d129e6d08439e4423f9c85d4d3c3cce8440670
SSDEEP

6144:PvlQ/iMSvz+4Cs8NxQex8CEECL+UVi/yYv9i5hyiqSh8:PvlQ/iMSvz+4Cbtp/QvmyiQynSh

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2240	50BE4DF05C4.exe
4828	EJF885A.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1U0X5B0U8H9B0H8JRFHJMVNLOSM = "C:\\jau38uj.bin\\50BE4DF05C4.exe /q"	EJF885A.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50BE4DF05C4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EJF885A.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\PhishingFilter	EJF885A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	EJF885A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	EJF885A.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery	EJF885A.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	EJF885A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
2240	50BE4DF05C4.exe
2240	50BE4DF05C4.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe
4828	EJF885A.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Token: SeDebugPrivilege	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Token: SeDebugPrivilege	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Token: SeDebugPrivilege	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
Token: SeDebugPrivilege	2240	50BE4DF05C4.exe
Token: SeDebugPrivilege	2240	50BE4DF05C4.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe
Token: SeDebugPrivilege	4828	EJF885A.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2240	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe	82
PID 4192 wrote to memory of 2240	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe	82
PID 4192 wrote to memory of 2240	4192	f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe	82
PID 2240 wrote to memory of 4828	2240	50BE4DF05C4.exe	83
PID 2240 wrote to memory of 4828	2240	50BE4DF05C4.exe	83
PID 2240 wrote to memory of 4828	2240	50BE4DF05C4.exe	83
PID 2240 wrote to memory of 4828	2240	50BE4DF05C4.exe	83
PID 2240 wrote to memory of 4828	2240	50BE4DF05C4.exe	83
PID 4828 wrote to memory of 4192	4828	EJF885A.exe	81
PID 4828 wrote to memory of 4192	4828	EJF885A.exe	81
PID 4828 wrote to memory of 4192	4828	EJF885A.exe	81
PID 4828 wrote to memory of 4192	4828	EJF885A.exe	81

C:\Users\Admin\AppData\Local\Temp\f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6e74f4a2087959df8df56b7769e2c00_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\jau38uj.bin\50BE4DF05C4.exe
  "C:\jau38uj.bin\50BE4DF05C4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\EJF885A.exe
    "C:\Users\Admin\AppData\Local\Temp\EJF885A.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EJF885A.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
C:\jau38uj.bin\1CCFB506E591274

Filesize
5KB

MD5
a312b44287e9e5212bc95dbbd827f1ef

SHA1
a17620d2781321367a95e9cb192cd57e61b7a7b8

SHA256
9f6bce037a9561610ac0921a8d8ac7f598cae5a5847ef65d456efc0927e3977f

SHA512
8dfbde7d38f5f05c771f03fa12b0215bb059b736ca66b1ee4944bad8b0276749a39ccdf7b10a1af2164714e0dcb16b08e9b1ceae36b5fc786335f24a0d285466

Download Submit
C:\jau38uj.bin\50BE4DF05C4.exe

Filesize
214KB

MD5
f6e74f4a2087959df8df56b7769e2c00

SHA1
443ad2c374e7380d7a8249b1986b5351a69b5a9d

SHA256
89cc11f08c9cf6d41f66e828f58916f2eff32ed825f318fb5fca9e9ee623aeee

SHA512
e3b22cde6fdec815046c5b9e148b85395cc10edcafca50285e8c6cd9f19a2087824e9c065bc8b185625acc39a9d129e6d08439e4423f9c85d4d3c3cce8440670

Download Submit
memory/2240-13-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2240-17-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2240-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2240-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2240-12-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4192-75-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-79-0x0000000077312000-0x0000000077314000-memory.dmp

Filesize
8KB

Download
memory/4192-4-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4192-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4192-15-0x0000000000405000-0x0000000000408000-memory.dmp

Filesize
12KB

Download
memory/4192-1-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4192-76-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-71-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-72-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-73-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-67-0x0000000077312000-0x0000000077314000-memory.dmp

Filesize
8KB

Download
memory/4192-0-0x0000000000405000-0x0000000000408000-memory.dmp

Filesize
12KB

Download
memory/4192-77-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-78-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-2-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4192-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4192-80-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-81-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-82-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-83-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-84-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-85-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-86-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-87-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-88-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-89-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-91-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-90-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-74-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4192-66-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4192-68-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4828-33-0x0000000001001000-0x0000000001002000-memory.dmp

Filesize
4KB

Download
memory/4828-52-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-51-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-50-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-49-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-48-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-47-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-42-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-41-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-40-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-39-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-28-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-53-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-54-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-55-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-56-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-57-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-58-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-59-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-60-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-62-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-64-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-65-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-61-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-43-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-44-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-45-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-46-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-29-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-31-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-32-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-35-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/4828-36-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-34-0x0000000001000000-0x0000000001004000-memory.dmp

Filesize
16KB

Download
memory/4828-27-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-22-0x0000000000710000-0x000000000075E000-memory.dmp

Filesize
312KB

Download
memory/4828-97-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/4828-98-0x0000000074DBB000-0x0000000074DBD000-memory.dmp

Filesize
8KB

Download
memory/4828-104-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download