582bccc9b516d4f20c398f73d1ea2bfc3ddd989e02ec359440adfe487d02a788

Analysis

max time kernel
120s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe122253e3033c0080e0cdd0def35629_JaffaCakes118.dll
Size

67KB
MD5

fe122253e3033c0080e0cdd0def35629
SHA1

9fade97669e44b768b37b146c8c103bb9ecab188
SHA256

582bccc9b516d4f20c398f73d1ea2bfc3ddd989e02ec359440adfe487d02a788
SHA512

05154e5596727fcc41df3cfc009f87d95f24bec3099a0c8c30ef7b37d6b0f35cbdce8759c2a92bd9c334dc7dec51acf3ea7c71a0f4b61d2be0cb1a2fbda9e6bf
SSDEEP

1536:yKaouK0rof8925RMehGW4A6cHgP3MqshuqRxTjfo:yKaouK99MqB4A234nFw

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2720	2712	rundll32.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433757514"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2212F441-7E36-11EF-92B3-F2BBDB1F0DCB} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 1364 wrote to memory of 2712	1364	rundll32.exe	30
PID 2712 wrote to memory of 2720	2712	rundll32.exe	31
PID 2712 wrote to memory of 2720	2712	rundll32.exe	31
PID 2712 wrote to memory of 2720	2712	rundll32.exe	31
PID 2712 wrote to memory of 2720	2712	rundll32.exe	31
PID 2712 wrote to memory of 2720	2712	rundll32.exe	31
PID 2720 wrote to memory of 2716	2720	IEXPLORE.EXE	32
PID 2720 wrote to memory of 2716	2720	IEXPLORE.EXE	32
PID 2720 wrote to memory of 2716	2720	IEXPLORE.EXE	32
PID 2720 wrote to memory of 2716	2720	IEXPLORE.EXE	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe122253e3033c0080e0cdd0def35629_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe122253e3033c0080e0cdd0def35629_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae2cd17b798afc3b3690288af2237e1

SHA1
8dcdf3754e7c82da655877c274d5ee81e1cfdb89

SHA256
b28841c702e1cd41c6cee6e9ae9b5a0ab2b3d8c69a16bcce777da6286bd637fa

SHA512
2372c06dd0cda0d2e25cd643c0ec5a62d619e9ce6f2a5b1071907b051b4882335cb65a1e1d82b626eb1b16800e40903e97ddc3a2a6596f9185c76771daf42afa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9001e41c646edd8906a62525adc26af1

SHA1
4cd0f55a160b0e1c106cbff25004460ee2dcadb8

SHA256
b7e8f23a43d0ef11b0fec0a1f4c46804df28e9aad5eb0c257be8a8d737fa28bb

SHA512
8b6ed0f3eb82f04d112c7c3752b1120d96a1ddc0ba34d1593b6b7d166366aa1d12209a42d7c1cb601be031c6f9c01e159d5728aceb86c26f99c7fd7d7d6e0012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
866c605ef017fc3831416950fedfdccc

SHA1
1ae99e0231c2be5fece60531d0b6afcf681fc0c3

SHA256
4b002fe192662b3591c493d44177af179c7f8646ca98668b2e4fa578809ade4d

SHA512
e854bffb0109b5080732abd45980bbdd2b642a0949bb9ec37df4b8372e187d90c4130030eb3f48e5b7084a36ada5f25d6578205cffcf7a11512cf6ce275b4f58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4a4d5ebb21f81d92c84b8d8c308746a

SHA1
ce2d5f0271fb96309ab763a1308c1f2d3e45890f

SHA256
e8dd0c6162c8882a421fafb6ef10d404e47a5ab6faf3816baefd435b9d529d25

SHA512
902f0fcc27047563f5c63f9df5de9da244432fc1332c7b569ac9c54cd696506f5fc622b176f768b24adeefca5ddf01cc2521a9377c312849ca26716c84218564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a845f6979fb45d183ee52ed6185c1bf

SHA1
e2fac5ee41c0c5d11b6a07dff58aec42cb2d9a91

SHA256
6f58c1a879b0bfb120008511ff7a1016d2b645f8c19289851aa5f028498a1be9

SHA512
a2b2d875d73b666a018e26e2f57991605ff1028c04662c5dc04f99e75bb0da746157614e72f363aa302c7da662d81f801e5e834de724bed7e4c196b75cff7a63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b69a2a21b4cc6d6d5383607fc87cef0

SHA1
4b4e1424ed4f2b19d59f4f6edc608c177d208f09

SHA256
2d5ff6b71ef1dbc220e2722555426605e218b323d61b3fc296a3bccc5884b5f7

SHA512
a9362477bf8922ecfdeef11ae869cf4e9e618801d200ae45566f0307109f4eb494f7e44b819f942e321b99146a6c012f2585fe1090d288b7ab72de984544f37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add0277ae78a8b31067088e8be89e975

SHA1
cc9025baccf64e5abe0cae2495633f63092824d5

SHA256
c735aa751837a829e60775cae4587af089599017c5419dd503bda80872b0d824

SHA512
8605bcff9d66f2c7a4e7fa66db6ed1d6900b78dba6567a3580a2574d2a7c21af376412851b704d1eb2c5fa9ebab909b0a96c1bce0691abc9c10ebcd1b702d238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f58bef765a0933eb007dace3abb12bbf

SHA1
6c7f32c54ff21fd82faa41e0dd0765df5070f483

SHA256
0f428e49617ec53949118b0bda7d7174235cd3ea452833335bb69d5c8d151d4d

SHA512
5a283916a00d356a6c2c2a1b2cb3b2b78a79566339cccee475cca8e72db4c65158adbade2519e17ea6d818d49d8e7a16fb06c6b3c7d56d35cef774a790a41baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31a1f1772472d46ad246614195d0a32

SHA1
9d4e931a5eb7c385f6d26c37b9d201478b1170c2

SHA256
ed970860a173e7baa45216953a968522c4670f3aa305e4b03d9e52c03cb2cf47

SHA512
8beffe6d7a601c1d09d35cc31a4da6aa6923b4c97d000964aa3b9cc3eb6a64a41d8c62acb16a554c186116c7a6dbde06520b3287860c1c20168f5e209ac51b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
816d68aa9a538c6ef732fd4b2633b240

SHA1
e4368b49845f9d8bf2b20e6fc361d4ccbbe9b6a1

SHA256
f7a6a888f2af7fc9d93b60d513402f41c3e68e6118ba4274f8033e893e47e914

SHA512
1a9e3f8c5c73762937814034636ce76638cd84de1f11efe1f8cf11ef0155478db1e7ea1e4f78161448f5d24aaaf9983f7467df7c2fa65cd7f4dea5c6a8e723b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bdf105cf4b615f73eb7ffed7caa7df7

SHA1
567e7ea3d64e24736ca5b68b35412a5667e86efe

SHA256
3510128dc423b9e56335834eebfdabbe38631571f7d3a159b145b24dbd828f06

SHA512
a6fb789e4c73685539d5df4bc947fb1a5867c3d38c08c80c7d79f2684f87ffc90531d8fa99ea8fe9b73fcf9b0918e88cd5d9d874820c99979887bfd4f4cc4c5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6367d9452578ec9bf4278b1439d3f9da

SHA1
fb6a4dafe4dd6dab34a6407f104905eb1047e301

SHA256
fa91ec17f7d793dd5a23ad50479682e30bc7c0e6a33a2df9262836382996178d

SHA512
f194a8f6291190156964c5b07b34a71bff45275ebf7957a94185626ffab3a24c3bd0a6fc22256eecf7f28327ce71d33ed1372a192674a27fb1cb6853c299c826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06a9a974d2c43bd6b29947680c662d3e

SHA1
e88f40aad245c7f84fd09e8b730b1fad2846423e

SHA256
2faf9b341c94b495326b11338e7c65588095c04e619b85b538242b51623fc262

SHA512
b131fadf87c2a0922740d5fe094bf4ba0ba42369cca2fef47279c3a411c7f25b661a3797f390cd23a3ef3cd82d60ccc8cf3a3483ef69b5171bbed10d8deca284

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d3ee0fd30469052952320641f748d3e

SHA1
40518895994cb8b2f625b0a16264ce7f6adec9e8

SHA256
0c6edfe24f467a6c85f8c3db346cc85e7dd0d09ae17f48625b890738cd01b672

SHA512
3100507f53be082cd8ff10ccdc5933e2403fb2961b30fbb456d16a04f7839529b3b593588d6213b3ebef41e9e547c485976c24b76cf9f7819a2ad0e94e8bbeb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2528aa32b59f6bda35fca05884ff3ef

SHA1
4c3eed8c78991c56757ba4e93f4655f2a83814f1

SHA256
c1e8a624ea253a3f87cec0e6a05f32cb4a510b5bf1349b81c2193972e06eb519

SHA512
f951faa32223bdf08e437f3455bd78cad36bf0eaa1d116ff7aca0947aa40c1a5c2dbf5c4ce77f9f761296d246f7707ea56fa961f91edbb5400c3ddfb4bbabc98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f87e51b268e05afc7f1ac815a1f01d1

SHA1
44478940ae10ae2f53edbe45d3527e5152095ac7

SHA256
f7d0f7a09bc070c2eddaa4d1f61322c53170c97fcd9ab1b66d28b82515c36ccb

SHA512
af58c2e0cd28a395e4b4a647d93f6eb8ad182a360937a824b3a03a67ef260eaac76eecc57e9a3215a725d7f857df29e43acdca38c403c2a0b672fa42d0587333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f290147245381004e200e1590439e62

SHA1
9c52120b11f3aad62a4b9e4d375f0e91184c3bf7

SHA256
b94a74dc3bfb1f4947f630ad5f2c42f9a05774d5beda5440b92872759ab044a2

SHA512
50168a1feb4eb8b815375ee83d42cb825a3d8dd6f19c33e7b2e5452f4bb1a0a18fc381fdb28e47d408a333d820f0b28db906dda7cecdcfdd67efbd269c0df171

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17e243b1b07b719506368a790348bf66

SHA1
b2c6254afc7f2b54f04e541f7e3c783979bff3af

SHA256
9162d20331ddd68465b2e125c987900d9aa94fac8bb538e7ef1d4d7e0d5cc3da

SHA512
863646623932192e6bb60a3820bca44dcdbdac68d959263017d8dcb3658928ce2f9b9dda310563777670e8c1be232a13aee530b02f065fa321874cbd062b8025

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AFF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5BFB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit