c5e09a1592baf021b61fb2142507aef833eee8efb1c25055406186db7b9d3ec8

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05455aa034f50619efe924e56d008725_JaffaCakes118.exe
Size

150KB
MD5

05455aa034f50619efe924e56d008725
SHA1

eb96a81e678600c4cf44c4b896a975759db5da39
SHA256

c5e09a1592baf021b61fb2142507aef833eee8efb1c25055406186db7b9d3ec8
SHA512

d8a95588b3e802c02df83fc9e6513991905f85d2d5da5c926fe202af25556c87b1444828d866cd85ad1e94456ed50c8921b0cabe124b3f77ff569b27fded026c
SSDEEP

3072:t+HCQvA+xM5soj5SCB+oLtLjFZUQ1r2UgPD7SMm2EwyP:tIvA+xM5FB3Fh2Ug77Lm2E

Score

7^/10

discovery persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winkzk32.rom,qKqXRC"	05455aa034f50619efe924e56d008725_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winkzk32.rom	05455aa034f50619efe924e56d008725_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winkzk32.rom	05455aa034f50619efe924e56d008725_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	1168	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05455aa034f50619efe924e56d008725_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433937074"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33210441-7FD8-11EF-AA6F-523A95B0E536} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2740	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2740	iexplore.exe
2740	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2540	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	31
PID 1168 wrote to memory of 2540	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	31
PID 1168 wrote to memory of 2540	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	31
PID 1168 wrote to memory of 2540	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2740	2540	cmd.exe	33
PID 2540 wrote to memory of 2740	2540	cmd.exe	33
PID 2540 wrote to memory of 2740	2540	cmd.exe	33
PID 2540 wrote to memory of 2740	2540	cmd.exe	33
PID 2740 wrote to memory of 2816	2740	iexplore.exe	34
PID 2740 wrote to memory of 2816	2740	iexplore.exe	34
PID 2740 wrote to memory of 2816	2740	iexplore.exe	34
PID 2740 wrote to memory of 2816	2740	iexplore.exe	34
PID 1168 wrote to memory of 2740	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	33
PID 1168 wrote to memory of 2740	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	33
PID 1168 wrote to memory of 2732	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	35
PID 1168 wrote to memory of 2732	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	35
PID 1168 wrote to memory of 2732	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	35
PID 1168 wrote to memory of 2732	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	35
PID 1168 wrote to memory of 2656	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	36
PID 1168 wrote to memory of 2656	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	36
PID 1168 wrote to memory of 2656	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	36
PID 1168 wrote to memory of 2656	1168	05455aa034f50619efe924e56d008725_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05455aa034f50619efe924e56d008725_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gXiE560.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 160
  2⤵
  - Program crash
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35192de098b36ec14eba30feebc1f8b

SHA1
e28ecd4dd92a940c0c6aa80ccaf248bc0e6ac59d

SHA256
b891b8d0501d6c843786dc8bb552fb8250639f230e7c079df0fcaaee60ca125e

SHA512
56bc9acf248a0050c6b5f9a9dd2dc8ba3b4143f77563f8fcb34540db770fc64b305229d441b895d2b35167ff39f19f27ec3d21ede9c7f96e6fa02ed86770e4f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
621a9c917710e6d9394f97a3a0aed74c

SHA1
e623f3ab862908fea917df4fdd82b33adda74639

SHA256
3282ec768bd99c4e744f5f661bd6aad312b45cc2bd1042d85ac8a01f3335e5e1

SHA512
6c9508f10882cc0bb510b068c3f9254e3c72eca04bf8394a2cb5bf28feeeca356cc7c8a8e6d28df1286070acade365647d9f94720456feb2841e888a8d0253ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
530e1335c2c179030da4a8f5b72b8b44

SHA1
76016c50171452318a01bda74af75a2cdab49ec6

SHA256
a9a927831189c3be1657754c8e5ad04042c06d5c0d10f54741ad6450663586fc

SHA512
eb265894f9e4588aee519b268017250531b682998e413b490c7b267cedaa12b6ec36771c927542ce8fdbcb83c0538766ffa651207c8ed9c32a724afc687d5065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3189ac3545146be85f768e93eaaf563

SHA1
596b9b69e8330624c3e3aac83c46c1e992a4d1c2

SHA256
0890bcb0f2f57f8b2c19b7ece76775729bf9fd0057510e4c13591a670c9210fe

SHA512
90e6217cf3806d51d222633f79cf8a7a68c5d2defb0a7627e45e5d27ba382802c02685c01f9e772d6c2eb7f477044db3f38ab1c3c83054501bc18586480288a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b15a70aa21d00909bb1da24558a7981e

SHA1
8fc43b73704693a9efbbf3aa332e2ff33540b817

SHA256
55fd2b5acb011a1696614bf93e33b1685ea26cc7c0dc0caef5cc99bc877ea30a

SHA512
35afc13fd3747fe7fb9877bf5bc2cdfbbc28f186b8a4fb4a83617325fe855d1705c1cb88630e5b8e361bc00f45b4573039ed6021b194f639d387fc7b2e67ce98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72115c27bac958eb3895d4f3db2a0f52

SHA1
34bd118a6437bfc36fa63d7edb8a1958716f646d

SHA256
623baa0f462d336c75fc1c690f30fa538160aa229e15cd4ca8ecf37c2c1e2022

SHA512
2ecac34557213c43aa2f3aacfc36f461d2d173bcd76de5728dab4e046713b7c0a7ba98e2dd824645acace847ae575633e7e2be9c2cf3a264a8b4b1393a305a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b72e5acb788de2297e10aa514fd17436

SHA1
334f3360f82176d2e6bfede61578e47e3b480090

SHA256
539eeb010090ff71d0864ec44599d2ed88faa20141813c1baa95105b6b7fdd23

SHA512
0ecee775316717733827d99f33c2bc983238b5b140c33a463358c29c42e0e2b061da3ece3966ffef6a4f50ce6fae700857f7afd8ae2476e6501614687e12ad19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd3eb930b208ee0822d3fb2980678cc2

SHA1
a8b2eac770ae3a9a62340ea46b80f0c29112ef9e

SHA256
4896a3934a66b58b0e00c31207cb0da1ade31eb1d64ef92609773c175159b67e

SHA512
ce2434d3ec040db25fa667a59e04eab2dc491c893f42dc088a09cd2c55196c0c8a950a6fcc22b959426288c2f565900c14ad893b1dccbdc1cbd3a20fd4343fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af7b606fbb998d13c0d9d2284676b00b

SHA1
00aac01711d013d722e79759a94611eb257877f8

SHA256
8a455688278bcf0173e6b6420beacc17ab228062d52f0982d6a3d4a556aa2844

SHA512
64381d1e5888c366b415e8c10a1b81627a8d234628deb45879a65ae6f0b749e9bc58142e7f1432a5f4997c211b2eee9e1ebf03ddeaee15e06031882dc1583c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF392.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXiE560.bat

Filesize
188B

MD5
4fe8e278d2ffc913978827b95d07d1ef

SHA1
143d0a8a22f1027d317d0e398baa5264d76f354c

SHA256
6d1d74ed8861f14a447735f26ae414c116c24a16f38c813fe60f3f4e6e7af178

SHA512
53710a6a9399b6da6442b9e6f2607c7f780073ae539b11f473118b64a91d392483903093454615af534fbfb57364bdac511481f1897027d31a9fb2b18f2143cf

Download Submit
C:\Windows\SysWOW64\winkzk32.rom

Filesize
80KB

MD5
82dc596c6551a9a09c78441c05c31487

SHA1
bbdb4686f10ae504a4e8d02ecd2451143f662e93

SHA256
d44b730db7dea5a0072567771e76e20ecab2ccb0dcf267665999636336b2ce45

SHA512
ef93a56721eedd0816751f92f7ed82cea59e17895dd74c29ef9963be2b15ce121dc296f0c10be6d9373849c6322340be3112a871dfa82e593719cb9cb73fe245

Download Submit
memory/1168-459-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads