d8e6bfd07b3ddba70c339c414fd723f1090d57c4260f90dcf864403735a07b2f

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
Size

639KB
MD5

fd3b4d200d248efb83a8b34ae213ada1
SHA1

dc76368f9993364c5466ffc4d82d8eaf83516a99
SHA256

d8e6bfd07b3ddba70c339c414fd723f1090d57c4260f90dcf864403735a07b2f
SHA512

6192bab78b36039f32af7de376fde951b23e4b23a597876e7a36962ee00dcac723eb8afa9494bf93315fd72ffd25af5cff92818d64091e3c3f9dc508375cb892
SSDEEP

12288:hJU5E21oeVUIM08PoIO4CyU4YH4cMVvYTRzKa9FsOJKUWrNKdsk+:h81tZWC74YHBRhK6zKrNmsk+

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2928	1.exe
2676	1.exe
2832	MASTER~1.EXE

Loads dropped DLL 8 IoCs

pid	Process
2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
2928	1.exe
2928	1.exe
2676	1.exe
2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
2832	MASTER~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MasterCook9Setup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\MASTER~1.EXE /r"	MASTER~1.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 2676	2928	1.exe	31
PID 2928 set thread context of 0	2928	1.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MASTER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	MASTER~1.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	1.exe
2676	1.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE
2832	MASTER~1.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2928	1.exe
2832	MASTER~1.EXE
2832	MASTER~1.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2928	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	30
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 2676	2928	1.exe	31
PID 2928 wrote to memory of 0	2928	1.exe
PID 2928 wrote to memory of 0	2928	1.exe
PID 2928 wrote to memory of 0	2928	1.exe
PID 2928 wrote to memory of 0	2928	1.exe
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2832	2668	fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe	32
PID 2676 wrote to memory of 1252	2676	1.exe	21
PID 2676 wrote to memory of 1252	2676	1.exe	21
PID 2676 wrote to memory of 1252	2676	1.exe	21
PID 2676 wrote to memory of 1252	2676	1.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd3b4d200d248efb83a8b34ae213ada1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MASTER~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MASTER~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\connecting_icon[1]

Filesize
301B

MD5
81f2114b7bcc913245df781df3eb9ae5

SHA1
46beb25a2a30e66c65ebddb72f836542e3655d21

SHA256
13237f6652c8a50f987ee5227ce16778117add802584a5e19ef892eac6e1d3e8

SHA512
446e34fc67e66d60a7e4a4ee65b47ca04198a8566c4d5cc665249fed8d8616cd6d674cb82621dfea4303cd7a1f90488027b352972219873bf90094d62e763b6c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.exe

Filesize
519KB

MD5
74ef06d22b30ec0db94384213afaf410

SHA1
ca4fc02fd4f9d571fb6c5606344b59a4ec3a3c03

SHA256
cdaddb26141775855a4c9f88b1bc5e45c5807e282126d9a7dd7e6d5907caad72

SHA512
6ac043be83e070f80a6f4c580f59e3e428e582c27efa8192e410a41b3cb226016a814a08b6efaeed6c8ff1613d110ab6d959e6e7651cc9e5620d29cc1231a3f0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\MASTER~1.EXE

Filesize
208KB

MD5
df5c11f0d32ccd9f954c161703adff89

SHA1
bdb86d11e59d1860dfdb8c54896d93ae50576bb6

SHA256
8bfff8d8328b7f38bd9be8dcdc817d2382e5b3fdf1a2d21480b6a7ab376ce813

SHA512
d581435bea6d428101ee415ddeec8525fd87a8789fb33b368823d507890324c90f1de21b6a211c6ce8fc8fa2a86b4a1aa4e46d85d98b30373c6843a572ae5537

Download Submit
memory/1252-61-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/1252-58-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/2668-11-0x0000000000B10000-0x0000000000BC0000-memory.dmp

Filesize
704KB

Download
memory/2668-10-0x0000000000B10000-0x0000000000BC0000-memory.dmp

Filesize
704KB

Download
memory/2676-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2676-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2676-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2676-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2676-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2832-76-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2928-16-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2928-15-0x0000000000467000-0x0000000000468000-memory.dmp

Filesize
4KB

Download