ee006269107ab065dc4a1faaa0385aee3ad742c1d9559e0903d5daf54a2c40ae

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe
Size

43KB
MD5

084a98df2578014a6a438bbebf073f3d
SHA1

1568f2273314c2323862beda1974c8bf92e5ba30
SHA256

ee006269107ab065dc4a1faaa0385aee3ad742c1d9559e0903d5daf54a2c40ae
SHA512

2765cf94dc047312abb14ba6e273d4276254daf8442090d5816c419ea18a68de55f18b944f527b69f3b68b6161d6e61a4a8db295816a0bd7180d216c16f306c6
SSDEEP

768:nAKiuDaSA1BlLHM+mA37Wl4VBimP0hntn7b0nAy/Q+up/f8qkTlVaxLfFi:nAKiuSvLPBPYt73y/Wp38TbkE

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSSMSGS = "rundll32.exe winuuk32.rom,IgzRun"	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winuuk32.rom	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winuuk32.rom	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433995054"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{336AABE1-805F-11EF-B594-F245C6AC432F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1884	iexplore.exe
1884	iexplore.exe
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1732	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	28
PID 1316 wrote to memory of 1732	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	28
PID 1316 wrote to memory of 1732	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	28
PID 1316 wrote to memory of 1732	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	28
PID 1732 wrote to memory of 1884	1732	cmd.exe	30
PID 1732 wrote to memory of 1884	1732	cmd.exe	30
PID 1732 wrote to memory of 1884	1732	cmd.exe	30
PID 1732 wrote to memory of 1884	1732	cmd.exe	30
PID 1884 wrote to memory of 2104	1884	iexplore.exe	31
PID 1884 wrote to memory of 2104	1884	iexplore.exe	31
PID 1884 wrote to memory of 2104	1884	iexplore.exe	31
PID 1884 wrote to memory of 2104	1884	iexplore.exe	31
PID 1316 wrote to memory of 1884	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1884	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	30
PID 1316 wrote to memory of 1624	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	32
PID 1316 wrote to memory of 1624	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	32
PID 1316 wrote to memory of 1624	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	32
PID 1316 wrote to memory of 1624	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	32
PID 1316 wrote to memory of 2708	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2708	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2708	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2708	1316	084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start iexplore -embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\gos9EA0.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.bat"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bce1fff84ec111701bd63dac4a02d93

SHA1
10e7955feffb097cd245fad9e4b11e7a1cd8439b

SHA256
0607f753ba309d8153ce8f8c8f2c2c728ccdda221524e804ccf617d86ef9142c

SHA512
cec2ca0b118274cf032cac82cb30b02d76c422be961e2ea924f7a7d6daa4cbce5bb03023b732c749c415128a2b4a6398ba7af55c395f0a3b88a860ef9fc22b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d517ae6a75821b9ab6dd6fd28e83d64

SHA1
23ecc05fdeb33c925c13e7e0d8755b3c040c16f8

SHA256
4ca9627d3e93bc462e0972483163785bed777da0ad078bb220fd53283fd85cb9

SHA512
90944091bfd212697ad096f9cdeeab777b923b63287d7ce72ed2e2d0b027c3b4675fbe59b9bc9d25bc54a4e1b5fdbdca54a919145e27f0c79efed88822744c5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca3b93716919c7c7e84df24744bdfcac

SHA1
4c3220f903cd55d667be7dee9502fe2445e91e41

SHA256
753b651fed0ddf484a93f9a7750e6da3ffd230e22ce6e0130ba71bf997b5d4a8

SHA512
531813b0ef50045a775a11908a927e615c14868c722a53e8a361418c3bcdaef13cf461c82131a34cb863f1bae81cb54a03860be9852c925385cec33556b08fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df6a2e85c8893fa497def1209a8b69af

SHA1
963698e758e944e5c04d1a90e3b594fa3cd95b08

SHA256
1380d23653ffe6be9f3c2b8d7d93828ec59dec8ef408f94f4992bf6c5c84e83a

SHA512
b43b04a16e3fa8fa9bd512726f608ab52b640162b1649782c431870c3bcbe693115164f01a617c5e459e8cea31ec7a65e8e063a3a05bf43bc4884f8837911864

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a3b072035117a4277bb039f89765470

SHA1
80103ba194fc17cfb8ea03fd1aafece8f0be1178

SHA256
24d035e3dba040b66623018616b71ce502ee7ce7bd13aaa3cea4c2fe0b6e550d

SHA512
9ede2af6adad724d5a4d185bc42c77d2f08f88bf825ccd2d76854b3c48fa339b235ba9d9b1293feab58ddc67d8c055320d0819557d1c3a08b1afbf77bfff42e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
268bc3692dc8d3b6db326ed5adabdf83

SHA1
700452f3339fa2cc99048979bd61d55204df9eff

SHA256
e34373f1fa8cd4ef67e07d9a3786ce2a9dd749dbbd80a1c55bfb7de4a8bec754

SHA512
c719ba62f2b98297d4663887ec9358cd9c2a0b3e9d3092f907df651eed71cd8406efb10a4f35da85c36e02780ac22d95d375b6a573fb50ffd6ae66c90e94e148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22c24146ff71df6e4af3c127eab66e66

SHA1
97ebede2a71d4deb3700fffdf09b6237a14e60d2

SHA256
2ebb5f8a823a36b3b78d8a5b7d3b009b661575bccf087e8a60773bc82f7a0600

SHA512
45178bd77234d3d8c196cd8a7a366f00f93c3a4c7e71e511ff2ca57db21a64c9004f03629fc2e9c8d15cb8f7e9ad51863af3166bfe3d22d0c2e4e85cda3a1c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6d215586cec882af376ae80261315b1

SHA1
5f2fa20c39a67ed2b27e9a90da391860ce893a79

SHA256
e51e480e4574028bbef3e2d8cbb34babf50d5b4e5ddac27787836620bda0b3ff

SHA512
f7f18570854cba8d1ba3fc6cbea54996b8da6a0e7d99291a8a72ba9a489f874285aefbe2e7bd5e9f2ef3a28a5825516e0487428c6a87c0c01019c2f1db21a62d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53e7e2a99d8390286e9cda65f32a4726

SHA1
3817b236c138dda7dbaa4af128b3259a2de056d9

SHA256
1563ac52b3d73251f1a7031a7f0a702a7867ef808a6dbc2a4058c6a7a975410b

SHA512
7b99316ea55c9326d5552543d5b206f1efa8cfe1a4e2eee3dbaf513958ec4acc3e3f75a3ad5504eac18beb86da0ae604339980d7bdd017b2c26b9240019535c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\084a98df2578014a6a438bbebf073f3d_JaffaCakes118.bat

Filesize
305B

MD5
2278cd220b3acc71db8263ec3ae034e5

SHA1
e60b8d27e9886f3ee25aeff133f236af2ccbdec9

SHA256
cdb19800d9b5962b5177c6bece36f6134775a404b22877fbc4784e4e46341f5e

SHA512
d3fc9252237396dff32b9486a2aa7f88dfdd3b631861d79497ce6523acd6b332a5f51d847e59c37dd3da5e89bd6062398a8af462adde0063cfd3f6a4293a88a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA8B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA901.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gos9EA0.bat

Filesize
188B

MD5
f487b248c1da04eb6a20fa6a02608e18

SHA1
1f648f7ad36cfabfc55ef209bf080e1643b8fa04

SHA256
8f73694825bba5916440cbba31a95ae9c90318cfb75a33c3be1138f432a46a86

SHA512
daefee47422e11209a42e0e57bf313580959ae2f3d20b2216dda912560f8851559191e8367c900a38767aa32736a28fed8b503343b87b7fbe00e6b3a063f0332

Download Submit
C:\Windows\SysWOW64\winuuk32.rom

Filesize
32KB

MD5
433113cbc3c0b48f3142d7455d0e6901

SHA1
958e21b8b68f49f017f95596eabc269089ea1c56

SHA256
e3576effc96547514134b0c8b36fd3ff33bff2cfc518955d0f0cf0a0ccccc2d2

SHA512
eb2bfa9be9776d9d3f605af77e35ba33df7682f9d7f55e2b937ed15afb22819a822a4ed17c57dc3e818b0551338624f2e660e0500c4d640d675c4b83940df5aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads