Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 09:33

General

  • Target

    05455aa034f50619efe924e56d008725_JaffaCakes118.exe

  • Size

    150KB

  • MD5

    05455aa034f50619efe924e56d008725

  • SHA1

    eb96a81e678600c4cf44c4b896a975759db5da39

  • SHA256

    c5e09a1592baf021b61fb2142507aef833eee8efb1c25055406186db7b9d3ec8

  • SHA512

    d8a95588b3e802c02df83fc9e6513991905f85d2d5da5c926fe202af25556c87b1444828d866cd85ad1e94456ed50c8921b0cabe124b3f77ff569b27fded026c

  • SSDEEP

    3072:t+HCQvA+xM5soj5SCB+oLtLjFZUQ1r2UgPD7SMm2EwyP:tIvA+xM5FB3Fh2Ug77Lm2E

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start iexplore -embedding
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\gXiE560.bat"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 160
      2⤵
      • Program crash
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d35192de098b36ec14eba30feebc1f8b

    SHA1

    e28ecd4dd92a940c0c6aa80ccaf248bc0e6ac59d

    SHA256

    b891b8d0501d6c843786dc8bb552fb8250639f230e7c079df0fcaaee60ca125e

    SHA512

    56bc9acf248a0050c6b5f9a9dd2dc8ba3b4143f77563f8fcb34540db770fc64b305229d441b895d2b35167ff39f19f27ec3d21ede9c7f96e6fa02ed86770e4f8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    621a9c917710e6d9394f97a3a0aed74c

    SHA1

    e623f3ab862908fea917df4fdd82b33adda74639

    SHA256

    3282ec768bd99c4e744f5f661bd6aad312b45cc2bd1042d85ac8a01f3335e5e1

    SHA512

    6c9508f10882cc0bb510b068c3f9254e3c72eca04bf8394a2cb5bf28feeeca356cc7c8a8e6d28df1286070acade365647d9f94720456feb2841e888a8d0253ba

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    530e1335c2c179030da4a8f5b72b8b44

    SHA1

    76016c50171452318a01bda74af75a2cdab49ec6

    SHA256

    a9a927831189c3be1657754c8e5ad04042c06d5c0d10f54741ad6450663586fc

    SHA512

    eb265894f9e4588aee519b268017250531b682998e413b490c7b267cedaa12b6ec36771c927542ce8fdbcb83c0538766ffa651207c8ed9c32a724afc687d5065

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a3189ac3545146be85f768e93eaaf563

    SHA1

    596b9b69e8330624c3e3aac83c46c1e992a4d1c2

    SHA256

    0890bcb0f2f57f8b2c19b7ece76775729bf9fd0057510e4c13591a670c9210fe

    SHA512

    90e6217cf3806d51d222633f79cf8a7a68c5d2defb0a7627e45e5d27ba382802c02685c01f9e772d6c2eb7f477044db3f38ab1c3c83054501bc18586480288a5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b15a70aa21d00909bb1da24558a7981e

    SHA1

    8fc43b73704693a9efbbf3aa332e2ff33540b817

    SHA256

    55fd2b5acb011a1696614bf93e33b1685ea26cc7c0dc0caef5cc99bc877ea30a

    SHA512

    35afc13fd3747fe7fb9877bf5bc2cdfbbc28f186b8a4fb4a83617325fe855d1705c1cb88630e5b8e361bc00f45b4573039ed6021b194f639d387fc7b2e67ce98

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    72115c27bac958eb3895d4f3db2a0f52

    SHA1

    34bd118a6437bfc36fa63d7edb8a1958716f646d

    SHA256

    623baa0f462d336c75fc1c690f30fa538160aa229e15cd4ca8ecf37c2c1e2022

    SHA512

    2ecac34557213c43aa2f3aacfc36f461d2d173bcd76de5728dab4e046713b7c0a7ba98e2dd824645acace847ae575633e7e2be9c2cf3a264a8b4b1393a305a4d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b72e5acb788de2297e10aa514fd17436

    SHA1

    334f3360f82176d2e6bfede61578e47e3b480090

    SHA256

    539eeb010090ff71d0864ec44599d2ed88faa20141813c1baa95105b6b7fdd23

    SHA512

    0ecee775316717733827d99f33c2bc983238b5b140c33a463358c29c42e0e2b061da3ece3966ffef6a4f50ce6fae700857f7afd8ae2476e6501614687e12ad19

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fd3eb930b208ee0822d3fb2980678cc2

    SHA1

    a8b2eac770ae3a9a62340ea46b80f0c29112ef9e

    SHA256

    4896a3934a66b58b0e00c31207cb0da1ade31eb1d64ef92609773c175159b67e

    SHA512

    ce2434d3ec040db25fa667a59e04eab2dc491c893f42dc088a09cd2c55196c0c8a950a6fcc22b959426288c2f565900c14ad893b1dccbdc1cbd3a20fd4343fb1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    af7b606fbb998d13c0d9d2284676b00b

    SHA1

    00aac01711d013d722e79759a94611eb257877f8

    SHA256

    8a455688278bcf0173e6b6420beacc17ab228062d52f0982d6a3d4a556aa2844

    SHA512

    64381d1e5888c366b415e8c10a1b81627a8d234628deb45879a65ae6f0b749e9bc58142e7f1432a5f4997c211b2eee9e1ebf03ddeaee15e06031882dc1583c3b

  • C:\Users\Admin\AppData\Local\Temp\CabF392.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF4B1.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\gXiE560.bat

    Filesize

    188B

    MD5

    4fe8e278d2ffc913978827b95d07d1ef

    SHA1

    143d0a8a22f1027d317d0e398baa5264d76f354c

    SHA256

    6d1d74ed8861f14a447735f26ae414c116c24a16f38c813fe60f3f4e6e7af178

    SHA512

    53710a6a9399b6da6442b9e6f2607c7f780073ae539b11f473118b64a91d392483903093454615af534fbfb57364bdac511481f1897027d31a9fb2b18f2143cf

  • C:\Windows\SysWOW64\winkzk32.rom

    Filesize

    80KB

    MD5

    82dc596c6551a9a09c78441c05c31487

    SHA1

    bbdb4686f10ae504a4e8d02ecd2451143f662e93

    SHA256

    d44b730db7dea5a0072567771e76e20ecab2ccb0dcf267665999636336b2ce45

    SHA512

    ef93a56721eedd0816751f92f7ed82cea59e17895dd74c29ef9963be2b15ce121dc296f0c10be6d9373849c6322340be3112a871dfa82e593719cb9cb73fe245

  • memory/1168-459-0x0000000010000000-0x000000001001A000-memory.dmp

    Filesize

    104KB