676047897f340387e718842c45ff18d3e130f023c9156659883caf33c8b1a7cc

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Size

229KB
MD5

0841f7e3cae56885f4ee4792814907c6
SHA1

4b08e588a05e268790461a0d1f3bf1b2dace3e92
SHA256

676047897f340387e718842c45ff18d3e130f023c9156659883caf33c8b1a7cc
SHA512

9347e6ac1b60e3c54aedd1dfe714e95027b923e626b40610e735dd7bfc2b8a136754386da87f6b7e8d36ef9a08a005901268268834488b6807fb3cef6731c700
SSDEEP

6144:tOzbPpjSRkXqCJEmFt+p7GCvB/wCgVlqXAcdkRi5:tOfpGRkXqaDTaGCvB/wCgf0h5

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 708	3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	30
PID 3064 wrote to memory of 708	3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	30
PID 3064 wrote to memory of 708	3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	30
PID 3064 wrote to memory of 708	3064	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	30
PID 708 wrote to memory of 1524	708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	31
PID 708 wrote to memory of 1524	708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	31
PID 708 wrote to memory of 1524	708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	31
PID 708 wrote to memory of 1524	708	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	31
PID 1524 wrote to memory of 2092	1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2092	1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2092	1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	32
PID 1524 wrote to memory of 2092	1524	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2160	2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2160	2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2160	2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2160	2092	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	33
PID 2160 wrote to memory of 2332	2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2332	2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2332	2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2332	2160	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	34
PID 2332 wrote to memory of 2340	2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	35
PID 2332 wrote to memory of 2340	2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	35
PID 2332 wrote to memory of 2340	2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	35
PID 2332 wrote to memory of 2340	2332	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	35
PID 2340 wrote to memory of 2788	2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	36
PID 2340 wrote to memory of 2788	2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	36
PID 2340 wrote to memory of 2788	2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	36
PID 2340 wrote to memory of 2788	2340	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2696	2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2696	2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2696	2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	37
PID 2788 wrote to memory of 2696	2788	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2268	2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2268	2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2268	2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	38
PID 2696 wrote to memory of 2268	2696	0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        
        C:\Users\Admin\AppData\Local\Temp\0841f7e3cae56885f4ee4792814907c6_JaffaCakes118.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\tds2[1].htm

Filesize
2KB

MD5
733937d857dde873432d389a4a1a04b2

SHA1
f19489e18b6138f7c1ea0c2d8b93c341dbdf99e1

SHA256
9d1833f001cbc0765d530013d5879cd3c47285220162b541f13f5285fdbf9ef7

SHA512
18c366918a0b06f9b8b09921b85dd11d7e4c5ae78edcc3da5882d4fc11149be108959d6f0f00274e19f8800f0c624ac366343541f20deae2665c897ce966cf5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\js3[1].js

Filesize
1KB

MD5
a66b149a7ebc798955373415d683f32a

SHA1
15ceaba8cfae8368600620ae97aa26ae7331d626

SHA256
036c94653e84e6078c087abeb3ac8804491d27b27938839ae3df42b31e2238d9

SHA512
286add411911651ed9217ab94b286d4e3fb546f4bf39c451eff86df0b6daab412d2fd97e0e34c4b71322e862eddf8bc1efdb9d7e1e3c53c15bb420f609966443

Download Submit
memory/708-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-10-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-3-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/708-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1524-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1524-115-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1524-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1524-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1524-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-89-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2092-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-13-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-91-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-117-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-53-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2160-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2268-19-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2332-16-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2332-20-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2332-118-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2332-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2332-15-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-119-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2696-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2696-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2696-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2696-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2788-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2788-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2788-66-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-1-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3064-8-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3064-0-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/3064-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3064-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download