e945eb4d7c65d8d3122ff6626186385ec073946a051318280a99abf72fb98431

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Size

927KB
MD5

020e56050370601a07eebeeea89b646a
SHA1

d9b2b1cddb6b5ec1c3198d112b755cc8b2e0c468
SHA256

e945eb4d7c65d8d3122ff6626186385ec073946a051318280a99abf72fb98431
SHA512

eaf6e84dabd78657f3ddf2aa51a2610657c920b3f4e16992a6404d61938a2b75e123f0671810de4026d19ab93faf04501ac9d0f6d1097c19f193b7f91fa597a7
SSDEEP

24576:yN0Men6rCMI/TwADt34svKIL5Ia6qdHsLS23i0iDHvJR7wGGg:yGMep7/s8o4KItIafdHwrkDHvJV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4672	installstat.exe

Loads dropped DLL 4 IoCs

pid	Process
3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
4672	installstat.exe
3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File created	C:\Users\Admin\Documents\backup\desktop.ini	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\backup\desktop.ini	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File created	C:\Users\Admin\Documents\backup\User Pinned\TaskBar\desktop.ini	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\Connection Wizard\msn.hkn	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\Connection Wizard\msn.hkn	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\in	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\t	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.hkn	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.hkn	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installstat.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\Attributes = "20180000"	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "20180000"	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hkn	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hkn\ = "lnkfile"	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4672	3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe	83
PID 3240 wrote to memory of 4672	3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe	83
PID 3240 wrote to memory of 4672	3240	020e56050370601a07eebeeea89b646a_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\020e56050370601a07eebeeea89b646a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020e56050370601a07eebeeea89b646a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsqE001.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE001.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE001.tmp\ioSpecial.ini

Filesize
575B

MD5
731827e75df2e7f9989234774e9b9176

SHA1
3d42669219110a1c774d0fd6c6b873f3c4bbae00

SHA256
aa2723c63277982124490d84c9a46bc87e4e54c71738080d41fe4d47d76ba128

SHA512
24a5a1fa5aa16ba0c0fb21bc17eea47bc1fc0f3732f536dca632752a644eef6ed07e17e7f67892d097fc907bf5511cf3d0b6d6f4dd64971105e612e5ea161b88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.txt

Filesize
2KB

MD5
e28f2e1b0fefefd503c2ec866eae346f

SHA1
72e75687041acb20b1c3dd2682bd803a0accf838

SHA256
7a6fc7e6c25eb2855ea6649783267850cc9bd70e12c0b6b62d8e476109c310e1

SHA512
c01572df296e8e06cb0ff2f5923db4f7fb09c23357f1d3ac1ac65124120099c346ae0127660635e567d4ff14febccf6f5aa5f8f63164ab633fc37ea6be8433fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.txt

Filesize
2KB

MD5
63c6ffa4347cd17e1581677c4f33bf25

SHA1
783201dbfa95919a4c73a8f3173284213e668d9b

SHA256
5fe39fe772e5d13e5dac1de5ff23fd434d65b9b8e3d74bc0452954c076668f79

SHA512
c5d60332d49f6e8933ef08059dc0cfdf2e9493f638382bf32ca53479aae9fa3daa9457017a26650181337c4f8275e5079334ffb5ff7d27ee03c4836a4793364c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.txt

Filesize
352B

MD5
325b790bc93ad8d27655c44365b485c0

SHA1
50b633a4ca28210ca882467cbc0d717d3283ac75

SHA256
78be9c61505cd98110a9b9ead83fac552d5b89fc549988fc9050cdaffb66f281

SHA512
a110a939eaab63be4cf362f4755f46486d41abfb316dedba3eb553d06bbaaa67fd2db31069fc47e937229f7a5c741aafd6dafa3c5a2cdb0cc9a62e0c2400e7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
83B

MD5
5739ddee167d55bbc4e313d778724a2b

SHA1
c0bff8120f033ed78dcbb8729fc7a42f015e878e

SHA256
384d63847d60b0612904dbde266eea1026c7c44efc8582a3ec18d2f49ca22805

SHA512
85a84e5d900e6b58bb4c0ff77f33ff41c355932f3f2bf4d13b4dfd4e41c7a0671404731a5d4d3cc3fb15acf838516620f1d9c1f896f3e068279b8da00807b29f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.txt

Filesize
334B

MD5
dd26c664f5264c672b6c4c260ed79c73

SHA1
b118670620d7214224c7ed2dc14ee67d7a49c044

SHA256
f8af405fb4819223f8f55c0ee3c054d58998af1560cededeaee35ea46a3497bd

SHA512
7d4773e7b7a9bdeff00886b73e082c1fd74f349db88edaf5a2fc1fad312ef770a70ea6f620833302e3e53c82d539c7132001610b9b24c4540b2f829cafbbadb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

Filesize
44KB

MD5
7c30927884213f4fe91bbe90b591b762

SHA1
65693828963f6b6a5cbea4c9e595e06f85490f6f

SHA256
9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

SHA512
8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

Filesize
528KB

MD5
410fc558ecbf82a45edd04c1853a918a

SHA1
718212f09564f68868db35c23bdae897a009f682

SHA256
7afcb7555f1f595df9b87900239bf7614930846e356f633d1eb9199c861dfee2

SHA512
b9af2f529ca55aaeb713dd662b5039345deb1678095f937fbd9819c71de6e95bc6781332b46bb7695aa5c78a2a1787ade2751acbc05f248f2ff44cead8a4f73c

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\File Explorer.lnk

Filesize
407B

MD5
f727cbb9351106b2dd46f3ef649f3176

SHA1
5732055ec636a4706c6da6857ce1c1ebc1bc86e5

SHA256
cf116b33831de9f80847abdb2a0d92ab3d3f956a8e209ec95d35d986eea8c7b5

SHA512
01dffdcec62254701b9523bca7f572c1f5a5328a18c01fd6590721aded39d86db801bda23bb83b23876b67101991426a5c54087597971206276eeb18dd70f6bc

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Firefox.lnk

Filesize
1012B

MD5
62c8ccc8ead15b10990098a9e12a0c4f

SHA1
06eb44eec69dd04613cc2c06104fef57b54a9227

SHA256
f55795fb5e7b636470257ebf7b1b5428089198a8e725182d641ea79c5fded993

SHA512
1cb0073b8648f5b2729a81d95f8282f05f6bc022278d37ada91623acb8f8ea36e49aafb7101f4c5959fbc0817825e1da3fd03d5c18588f19e5d18067c1119b83

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Google Chrome.lnk

Filesize
2KB

MD5
36ac1a7c73f0fd2f5f5eb3bd2b752f05

SHA1
881856bb7c0f40f98b12dfb19414bfb5d116d916

SHA256
9b2722920113bde2898a39d91bdd6038bbca518db0b254da506496c003454246

SHA512
c79fa68656e3ffd5c4b973371b14144e6af5c5937a9ef86cd2f58e2ba49b535a303699aa25077ee19d9492b084fbce002d27567bf693bfa527f030d06ac86bb8

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
f6b73f5ace8b2dfe3bde73d6361cd2e8

SHA1
372f82dae91dceff87aad20dbccc7ea8cadb8e8a

SHA256
8ed7a14aaece676850b78f4ed30ac5cd1e94cfcab813b63dabd439e57e5e281b

SHA512
b1871d376e303a7e3e4b83cc5646b0b13ac14daaaf65b7fca6a15cb5d09aaffc28a68e4095a9ab9987879a17762c7bd839bbcb583bdaedeead5f768710bdb35a

Download Submit
C:\Users\Admin\Documents\backup\desktop.ini

Filesize
148B

MD5
623a388da0f5a5c9892d3eabf1bbd52a

SHA1
1e2f6397843c518728affeb462127d70eab34e91

SHA256
7ec3a3fb6a5f1cd628305053dfadc26fee7f378ea95d7fec212c5e42ae376066

SHA512
83608a90ca9cced09547f21c6b420634713a88fc153d3eed6275e3d38c8d2feb739dbfbeba108a6d8414db7e6e8b081e8d716b2ef905f57f2871a82e2964d25f

Download Submit