809eeb0e1f6c1604fd20e30acbf69b556b3802d7c5b194bdcd7f4bf5c0c9e04f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe
Size

151KB
MD5

fa2474397919ae01d38f8415ceff20ef
SHA1

3101871f765441903f767a8c7ab5b7b624d21ffa
SHA256

809eeb0e1f6c1604fd20e30acbf69b556b3802d7c5b194bdcd7f4bf5c0c9e04f
SHA512

d29a1620a192b27bd8b5730bba6fccd0d61925d6c52066606ad653695504d7b4bf4d1cede181eb44af200eb2ae907e801a197aab549a9a0f88f0cbe10b33a83d
SSDEEP

3072:wc9vbZWYfocQeXT1AmHnYm55ePz5BXrLTVA8yTJqx9c:J9vdecAcnYmTAXTVfGJqx9

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 5 IoCs

pid	Process
2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe
2988	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mlstno = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\mlstno.dll\",FIsEmptyW"	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433590841"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1147B631-7CB2-11EF-A7C1-EA7747D117E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe
2328	iexplore.exe
2328	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe
2988	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2744	2328	iexplore.exe	31
PID 2328 wrote to memory of 2744	2328	iexplore.exe	31
PID 2328 wrote to memory of 2744	2328	iexplore.exe	31
PID 2328 wrote to memory of 2744	2328	iexplore.exe	31
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33
PID 2520 wrote to memory of 2988	2520	fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa2474397919ae01d38f8415ceff20ef_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Roaming\mlstno.dll",FInitializeRichEdit
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2328 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28d45d3ec144c5e8ec8f8af1e252d6eb

SHA1
8e742349c9f2a4e854224f21267d34acad69a16d

SHA256
f2037a4a69890974f310e3044d34ddf6e544b2232f10f5e581229991fa96ff3f

SHA512
9b12ee945c5ee575c4c953db5a3bd7cfef8c61df2ede8be2daed75c9e91e43b291f7cbd3b5f0d83f6d9adc27a468f1516ba6ec27f5971f095f48e3e246304e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7900dfab60ed98d6bcc72f7315a8c7ac

SHA1
2c89eab271aacd49e123e0e3b15b1e1a4205c1e3

SHA256
805f90158f562c8a44ed16dada0a93cf79aed5f9990051dec4b3728a6374c335

SHA512
2086713c676dd6c838123b23891cf1de8c5cc9d866f962e5b8ef3c844c2cc7a4af10be950976f08b4dcc44c2292ff771e450d8b6abba3a3d03625ddd30c5ad93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5805694a11c4902427cef4866b3ffe9

SHA1
cd237296295c92cafd95221efb8954177080f292

SHA256
260f4d21bad1791a937649f30ee8024be4a8a8b77799f00f74a5c3a667920d21

SHA512
713d52e701c419ebc905af7f6304d3928c929f958994a4071deee1a98b6223f808d30aa0996a81cc97487028fb654911ebc2a3398d04eff38d21635cf9d637a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16890b10522114de4da5d1ba3e2d16b6

SHA1
b09c0e19803c684fb45ea244b9f07332d2170ef2

SHA256
f0b776789dac67aa66f8ac0a93565ee2407fb75f818bd114dd71351475dd7788

SHA512
e3ee3d75a847dda710422350480886a072bd39bf08f8c42e3f6472213bba13c71d2fadf12d5a69634b80579d16bbca97af44c14319ba1cb58b6e546139648ab3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48c09bd93bba165b8158271376f46aa6

SHA1
157eded337d457bac02aa374c3adcd2e54a88fdd

SHA256
5ec5ac3fc300c822ba6fc722a270329e6a5993a434204e295b420721c899fdc9

SHA512
c74f7d51da9a3e897c45f85e4cd16e2438ec02934edf4659610cc8679727cd2cbbba706cd499659ed2c6be19096849284d502aeb4aced5a502ff9cde128381ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f2e4df8d1382a200d89aed314f9356d

SHA1
05ec002b2364bc0fe147b123f9ccc6ca30f99ed1

SHA256
46b9e3470d57315b8f4ee012a8156870ab45aa62ca9466b982013c6b0a2bef0d

SHA512
8d4f11f6f0d016372367ca12c90f06d2bb524bd724865782bd8d0a3ea0c2b21bbd614238b589f09cd1dcaff8d63baa102b96103990b60ab1e266e59bba26c6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c857e1ae856c5e5a6419ca23afe0c716

SHA1
cec843183596a65d65e6523cdaace7e2ab8c6f28

SHA256
b6dd1d471976cfb52b27d9a23e6edaf84b78f1068d4e2882b415964c030d2646

SHA512
d4de3fa78f7e743e0bcd5ff2981ebbf4fbd3d6506c4da3fe076356eae795a36e97d74049f30fb432260e80895d9ea47ec0ca8bd37f56cf837893dc07462e3ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5b01c6edb32ed166c00cb52be8a55d

SHA1
9791ba7bfbba1255522f4f29f87a4e0a4875696c

SHA256
01c8429c67d6317ed5d87edfe929d6fe121628034fc932f12176f1cd9362cf8c

SHA512
385b822a58239e968666721c67170583fd073a5b9ebe7139a14ff1165ab81ca14bbbd3eaa58735faa47a06ca8fc4cc3cf171137ee02c0251d8ae04eb8222421f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fa51c83935b11be3bf50a8e45878b43

SHA1
b7acb26428b4ebe834f9256fc8f69068c1a13dd1

SHA256
f582c7258f0eb4d67ae6caf0570cc0abf69299c24a9f17ed47179c92c039c475

SHA512
e448036a43f958926a3d3f56876658468a225376d986db198dc47640433b880e4f8beb76648129370b047de62b9b8fae8bebe9f73f708370703a4a8c8f00ec32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD001.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\mlstno.dll

Filesize
151KB

MD5
0abf7fc9649109dad1b7d6591570dd46

SHA1
97fba52aeba95143fe1f4a65b8fb812267b61ad6

SHA256
2d8b3bfa49bb062ae37767b033abde0d797e46d52148366f34bda4fca31ecfe0

SHA512
c8183e4fabc64566c96190c75b64ed7a0e85aab5ad3f39b9131a81e0fb6f6c98b2ef21736f9454423d2d1e02ad65ed4e45a18b43f012ea71c483c1cfbcf4db48

Download Submit
memory/2520-5-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2520-10-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/2520-14-0x0000000002B00000-0x0000000002B28000-memory.dmp

Filesize
160KB

Download
memory/2520-18-0x0000000002130000-0x0000000002146000-memory.dmp

Filesize
88KB

Download
memory/2520-0-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2520-1-0x00000000002F0000-0x0000000000318000-memory.dmp

Filesize
160KB

Download
memory/2988-25-0x00000000000C0000-0x00000000000D6000-memory.dmp

Filesize
88KB

Download
memory/2988-26-0x0000000000130000-0x0000000000158000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads