Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/10/2024, 09:33
Static task
static1
Behavioral task
behavioral1
Sample
05455aa034f50619efe924e56d008725_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
05455aa034f50619efe924e56d008725_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
05455aa034f50619efe924e56d008725_JaffaCakes118.exe
-
Size
150KB
-
MD5
05455aa034f50619efe924e56d008725
-
SHA1
eb96a81e678600c4cf44c4b896a975759db5da39
-
SHA256
c5e09a1592baf021b61fb2142507aef833eee8efb1c25055406186db7b9d3ec8
-
SHA512
d8a95588b3e802c02df83fc9e6513991905f85d2d5da5c926fe202af25556c87b1444828d866cd85ad1e94456ed50c8921b0cabe124b3f77ff569b27fded026c
-
SSDEEP
3072:t+HCQvA+xM5soj5SCB+oLtLjFZUQ1r2UgPD7SMm2EwyP:tIvA+xM5FB3Fh2Ug77Lm2E
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winkzk32.rom,qKqXRC" 05455aa034f50619efe924e56d008725_JaffaCakes118.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\winkzk32.rom 05455aa034f50619efe924e56d008725_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\winkzk32.rom 05455aa034f50619efe924e56d008725_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2656 1168 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05455aa034f50619efe924e56d008725_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433937074" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33210441-7FD8-11EF-AA6F-523A95B0E536} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2740 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2740 iexplore.exe 2740 iexplore.exe 2816 IEXPLORE.EXE 2816 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1168 wrote to memory of 2540 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 31 PID 1168 wrote to memory of 2540 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 31 PID 1168 wrote to memory of 2540 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 31 PID 1168 wrote to memory of 2540 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 31 PID 2540 wrote to memory of 2740 2540 cmd.exe 33 PID 2540 wrote to memory of 2740 2540 cmd.exe 33 PID 2540 wrote to memory of 2740 2540 cmd.exe 33 PID 2540 wrote to memory of 2740 2540 cmd.exe 33 PID 2740 wrote to memory of 2816 2740 iexplore.exe 34 PID 2740 wrote to memory of 2816 2740 iexplore.exe 34 PID 2740 wrote to memory of 2816 2740 iexplore.exe 34 PID 2740 wrote to memory of 2816 2740 iexplore.exe 34 PID 1168 wrote to memory of 2740 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 33 PID 1168 wrote to memory of 2740 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 33 PID 1168 wrote to memory of 2732 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 35 PID 1168 wrote to memory of 2732 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 35 PID 1168 wrote to memory of 2732 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 35 PID 1168 wrote to memory of 2732 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 35 PID 1168 wrote to memory of 2656 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 36 PID 1168 wrote to memory of 2656 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 36 PID 1168 wrote to memory of 2656 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 36 PID 1168 wrote to memory of 2656 1168 05455aa034f50619efe924e56d008725_JaffaCakes118.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\cmd.execmd /c start iexplore -embedding2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -embedding3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\gXiE560.bat"2⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1602⤵
- Program crash
PID:2656
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d35192de098b36ec14eba30feebc1f8b
SHA1e28ecd4dd92a940c0c6aa80ccaf248bc0e6ac59d
SHA256b891b8d0501d6c843786dc8bb552fb8250639f230e7c079df0fcaaee60ca125e
SHA51256bc9acf248a0050c6b5f9a9dd2dc8ba3b4143f77563f8fcb34540db770fc64b305229d441b895d2b35167ff39f19f27ec3d21ede9c7f96e6fa02ed86770e4f8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5621a9c917710e6d9394f97a3a0aed74c
SHA1e623f3ab862908fea917df4fdd82b33adda74639
SHA2563282ec768bd99c4e744f5f661bd6aad312b45cc2bd1042d85ac8a01f3335e5e1
SHA5126c9508f10882cc0bb510b068c3f9254e3c72eca04bf8394a2cb5bf28feeeca356cc7c8a8e6d28df1286070acade365647d9f94720456feb2841e888a8d0253ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5530e1335c2c179030da4a8f5b72b8b44
SHA176016c50171452318a01bda74af75a2cdab49ec6
SHA256a9a927831189c3be1657754c8e5ad04042c06d5c0d10f54741ad6450663586fc
SHA512eb265894f9e4588aee519b268017250531b682998e413b490c7b267cedaa12b6ec36771c927542ce8fdbcb83c0538766ffa651207c8ed9c32a724afc687d5065
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a3189ac3545146be85f768e93eaaf563
SHA1596b9b69e8330624c3e3aac83c46c1e992a4d1c2
SHA2560890bcb0f2f57f8b2c19b7ece76775729bf9fd0057510e4c13591a670c9210fe
SHA51290e6217cf3806d51d222633f79cf8a7a68c5d2defb0a7627e45e5d27ba382802c02685c01f9e772d6c2eb7f477044db3f38ab1c3c83054501bc18586480288a5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b15a70aa21d00909bb1da24558a7981e
SHA18fc43b73704693a9efbbf3aa332e2ff33540b817
SHA25655fd2b5acb011a1696614bf93e33b1685ea26cc7c0dc0caef5cc99bc877ea30a
SHA51235afc13fd3747fe7fb9877bf5bc2cdfbbc28f186b8a4fb4a83617325fe855d1705c1cb88630e5b8e361bc00f45b4573039ed6021b194f639d387fc7b2e67ce98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD572115c27bac958eb3895d4f3db2a0f52
SHA134bd118a6437bfc36fa63d7edb8a1958716f646d
SHA256623baa0f462d336c75fc1c690f30fa538160aa229e15cd4ca8ecf37c2c1e2022
SHA5122ecac34557213c43aa2f3aacfc36f461d2d173bcd76de5728dab4e046713b7c0a7ba98e2dd824645acace847ae575633e7e2be9c2cf3a264a8b4b1393a305a4d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b72e5acb788de2297e10aa514fd17436
SHA1334f3360f82176d2e6bfede61578e47e3b480090
SHA256539eeb010090ff71d0864ec44599d2ed88faa20141813c1baa95105b6b7fdd23
SHA5120ecee775316717733827d99f33c2bc983238b5b140c33a463358c29c42e0e2b061da3ece3966ffef6a4f50ce6fae700857f7afd8ae2476e6501614687e12ad19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5fd3eb930b208ee0822d3fb2980678cc2
SHA1a8b2eac770ae3a9a62340ea46b80f0c29112ef9e
SHA2564896a3934a66b58b0e00c31207cb0da1ade31eb1d64ef92609773c175159b67e
SHA512ce2434d3ec040db25fa667a59e04eab2dc491c893f42dc088a09cd2c55196c0c8a950a6fcc22b959426288c2f565900c14ad893b1dccbdc1cbd3a20fd4343fb1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5af7b606fbb998d13c0d9d2284676b00b
SHA100aac01711d013d722e79759a94611eb257877f8
SHA2568a455688278bcf0173e6b6420beacc17ab228062d52f0982d6a3d4a556aa2844
SHA51264381d1e5888c366b415e8c10a1b81627a8d234628deb45879a65ae6f0b749e9bc58142e7f1432a5f4997c211b2eee9e1ebf03ddeaee15e06031882dc1583c3b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
188B
MD54fe8e278d2ffc913978827b95d07d1ef
SHA1143d0a8a22f1027d317d0e398baa5264d76f354c
SHA2566d1d74ed8861f14a447735f26ae414c116c24a16f38c813fe60f3f4e6e7af178
SHA51253710a6a9399b6da6442b9e6f2607c7f780073ae539b11f473118b64a91d392483903093454615af534fbfb57364bdac511481f1897027d31a9fb2b18f2143cf
-
Filesize
80KB
MD582dc596c6551a9a09c78441c05c31487
SHA1bbdb4686f10ae504a4e8d02ecd2451143f662e93
SHA256d44b730db7dea5a0072567771e76e20ecab2ccb0dcf267665999636336b2ce45
SHA512ef93a56721eedd0816751f92f7ed82cea59e17895dd74c29ef9963be2b15ce121dc296f0c10be6d9373849c6322340be3112a871dfa82e593719cb9cb73fe245