659da5be117f8520dacefb2b60909f1a2ef3b9f828b4b7b72919af5d23a20d90

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Size

1.9MB
MD5

0655f932eb94b75aefc3c52cc95975b9
SHA1

9a69bb564a0ba201d479c177252fd60ffa48205d
SHA256

659da5be117f8520dacefb2b60909f1a2ef3b9f828b4b7b72919af5d23a20d90
SHA512

bf6fd955ff680d3330921df00e4d8c11922537f6524b138a224d0fa3ee28c16a96eaddf3b1d6cc294cfd605fb9824c2dba1830f6b95cf9c429e170b4adfdaf6a
SSDEEP

49152:YM7K2LMZ7fliJAiJqcJUzRkMq5HF3nh/c9uiaEg4ua:YMe2LMbQjOzXW9pfsua

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1732	setup.exe
1792	TheWorld_3.exe
2684	max2_133daohang4.exe

Loads dropped DLL 14 IoCs

pid	Process
2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
1732	setup.exe
1732	setup.exe
1732	setup.exe
1792	TheWorld_3.exe
2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
1792	TheWorld_3.exe
2684	max2_133daohang4.exe
2684	max2_133daohang4.exe
2684	max2_133daohang4.exe
2684	max2_133daohang4.exe
2684	max2_133daohang4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\newiexplore.exe	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\taobao.ico	setup.exe
File created	C:\Windows\sppert.ini	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TheWorld_3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	max2_133daohang4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016688-11.dat	nsis_installer_1
behavioral1/files/0x0007000000016688-11.dat	nsis_installer_2
behavioral1/files/0x000700000001688f-29.dat	nsis_installer_1
behavioral1/files/0x000700000001688f-29.dat	nsis_installer_2

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\ = "Internet Explorer"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\ShellFolder\Attributes = "0"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\TypeLib	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\Shell	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\InfoTip = "Internet Explorer"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\Shell\Internet Explorer	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.131u.com"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\ShellFolder	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\DefaultIcon	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\Shell\Internet Explorer\Command	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}\TypeLib\ = "{7ACCC7A1-4177-48ED-85BB-2A9EAD4F9451}"	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1732	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	30
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 1792	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 2080 wrote to memory of 2684	2080	0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe	32
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34
PID 1732 wrote to memory of 1072	1732	setup.exe	34

C:\Users\Admin\AppData\Local\Temp\0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0655f932eb94b75aefc3c52cc95975b9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DelTemp.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1072
- C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe
  "C:\Users\Admin\AppData\Local\Temp\TheWorld_3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe
  "C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DelTemp.bat

Filesize
69B

MD5
32f45cd6abc1d26f07b8ddb71871ce05

SHA1
0cc28dc63d50327a74f8e964cdf23ffed05a8699

SHA256
a2023fadce396c9265a61f24b6dcc5e95aaaf2b9efa1eceac2fcc1332322e716

SHA512
f18d1ed212bda39f671fe7d7dac6cc6f5012e17149b57c7a121e666f09d5040c75ced09679bef1e630cd69fc03d824ced178be25b275139e4f4e139a0f96ebb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe

Filesize
65KB

MD5
b904cf041cacaae74655cf009acfed2e

SHA1
028ef889562a55bc98119fe2c186efb35f556bd1

SHA256
72f4498744d1c856eb35028fc0fa59bf0a78b0fa833c49ead54115f08c2f3846

SHA512
4ebf41f49fdcb1b70c6b88351c85dff98eb2f75787e36b8741e922363ec8134399450351c431cefed42d1757163eb6196275d2c6509a9c4826bcc4961d726d4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk

Filesize
1KB

MD5
a21135bbc968ee2c94a0101eaed990a1

SHA1
11aa5ec5f89af6ba18b7e2e7acf4056345ba6b24

SHA256
68ee0873bdfd6d35c6e0304943831f82235e82317883d5ad820e3148ce7d56bd

SHA512
eae8cce626832109e0b4d5067bce315cb499440317b68ddf49fe6a74b1af611c4dc539d3a9abe4d4b1c58b3600b198f7e7b2415827eac6284b0d5ec210635f18

Download Submit
\Users\Admin\AppData\Local\Temp\TheWorld_3.exe

Filesize
1.5MB

MD5
2c08531af1fd74a820931ac2f1d6bcfc

SHA1
ae7273c98cef73d15491a7343914676b96a5fcad

SHA256
ee22bd77b1817994b04a42b473bc179b974d65c15a0bebe88b44a858cd54b7b0

SHA512
19def1f7874c82c67a67509908fe7828351e180a5976be993f3bb2f72d7e45a6cfc861a46d9ebf57ef0d8b5a83c943657a63ecc73cb13ae437fd8d63acba0ea2

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC756.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC841.tmp\InetLoad2.dll

Filesize
21KB

MD5
33322da8b36ea8b67448ec34c827a319

SHA1
45cae4b64ecc9bb5d3f1e01faaa14e067e74828d

SHA256
fcc886a8ef7575e292ef6210902581273e33047da2f3f6e0092b7887a212c2f0

SHA512
e97a4b427e89832c6555ac64044b5b3745164482afd3ff7c4b17005c99f245cc7c7e97653abad345810caca3f472c43f51036157f32926ea81306c939e9e1c3c

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
549KB

MD5
64476e0345c8179039b665cce5cbe0e1

SHA1
fcf296d70d4b1d3d68b7e9178a97bdc7609dcd62

SHA256
43b447164715ae318585e2ad2cf51a883b41c248db9927b3afab2170899c48c8

SHA512
393691f36c600d51bee07fca1032351f7b9510526994a4dc3503ba127dba842256035c16d59d6427775896863a92610495deb64e6cc2458fa4ca0fa85ef0fd3f

Download Submit
memory/1732-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download