6ea319944dfd23e63280442946b8d9bb3b1630c4b63ddedd4dfcd5a6a1009692

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Size

188KB
MD5

f5dfba776ee11d6e33fba4af47a1dd8d
SHA1

9710f6ccba7fb5495904487293b551b3361adc02
SHA256

6ea319944dfd23e63280442946b8d9bb3b1630c4b63ddedd4dfcd5a6a1009692
SHA512

9e88642ac6a6ed68a21cae1038558e5646bf3181a56471a83cf2eb84f994790398421f29e8bde0d1a12fb860f0ea3f7a9d6703afd34c58cd121b0abf24e3a1f8
SSDEEP

3072:sqVuvvOqyUlhlXWONEJ3ZvMXZv3mJqout9:3ueqyUnVWOKZAF35oS9

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259429803.DVX	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\realteck\geoidw.pif	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\realteck\geoidw.pif	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\ = "C:\\Windows\\SysWow64\\259429803.DVX"	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
Token: SeDebugPrivilege	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1864	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1864	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1864	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe	30
PID 1044 wrote to memory of 1864	1044	f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2168	2116	explorer.exe	32
PID 2116 wrote to memory of 2168	2116	explorer.exe	32
PID 2116 wrote to memory of 2168	2116	explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5dfba776ee11d6e33fba4af47a1dd8d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\259429803.DVX

Filesize
12.1MB

MD5
94e21839b76ac0a53b8d0809880d7d4b

SHA1
931e072fcfca50d3b4349e32a49fcd9fd56c3dec

SHA256
dde93c99bff7819417299f33c45067b2a21f618346e89677fe1aade25b8bc959

SHA512
88f39f2d2518d6da4a52c99ab436b1cc08bc70c6697ed6c62786d1813f59378427466dedd26935d2d419f7e0a75f53495226cc6e5a19da4dbde62d186581415e

Download Submit
memory/1044-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1044-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2116-6-0x0000000003A00000-0x0000000003A10000-memory.dmp

Filesize
64KB

Download