9570a03522614619744b21ef8cbc40a95dd2fde5ea7775a4f48a973a7bdde197

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
Size

357KB
MD5

08f3373e38ff8f642101ca2f94b996e3
SHA1

47e0d0a2a9c7529dcf70e569808957733659f1be
SHA256

9570a03522614619744b21ef8cbc40a95dd2fde5ea7775a4f48a973a7bdde197
SHA512

67c5798fe678a7789b0a6eace2db6574f181f9eff81f7d37bc6f5e13648ee329f269b9752707f776907a1ffcdedca4fe26d45d34c6687b5da19822137fa6cb37
SSDEEP

6144:yjckxhGotqbSg9RsLvnQAFyhIOKFEjhLzNUTavglyrGtpk2oIPLtpLogTgrTMGdz:GxgJ79RCQRI7Edea2YepqIPLtpLTgrTd

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	mIb01804pPhCe01804.exe

Executes dropped EXE 2 IoCs

pid	Process
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe

Loads dropped DLL 4 IoCs

pid	Process
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mIb01804pPhCe01804 = "C:\\ProgramData\\mIb01804pPhCe01804\\mIb01804pPhCe01804.exe"	mIb01804pPhCe01804.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mIb01804pPhCe01804.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mIb01804pPhCe01804.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mIb01804pPhCe01804.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
320	mIb01804pPhCe01804.exe
2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
320	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
Token: SeDebugPrivilege	320	mIb01804pPhCe01804.exe
Token: SeDebugPrivilege	2788	mIb01804pPhCe01804.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	mIb01804pPhCe01804.exe
2788	mIb01804pPhCe01804.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 320	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	31
PID 2512 wrote to memory of 320	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	31
PID 2512 wrote to memory of 320	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	31
PID 2512 wrote to memory of 320	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	31
PID 2512 wrote to memory of 2788	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2788	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2788	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2788	2512	08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804.exe
  "C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804.exe" BOMBARDAMAXIMUM
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804.exe
  "C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804.exe" "C:\Users\Admin\AppData\Local\Temp\08f3373e38ff8f642101ca2f94b996e3_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804

Filesize
192B

MD5
b35b3b5b6a29d41d016cce94cac3dd60

SHA1
56a00155090e5627d5beab16af850a7bc43c7bb9

SHA256
acbe3f8cf9243a79927e9def0c3e4b45c26833cb09cfb68c80fa044ac951ce06

SHA512
5c366e7274a12fff7678a830b26940c004fd9b82d952e397c105e9a9165e66bc1e9547581c2994fae06e43ce1d1075a57c0bdd02b56055fe7d28a4964a512f63

Download Submit
C:\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804

Filesize
192B

MD5
a5de1eb1c0f568113aee1f368022bb7a

SHA1
dfd95242cb803c4789eb2b019b00f98a401264de

SHA256
939de6913e1ef4976f0ddd15b228eeb58ee27bc31c121ab50f4d6735756d14c6

SHA512
6dfe558c3f7593729c8ed65a1e87e5080811452b8993ca7ab7d101c1675d74990bc54f3256f647978d91fc58182a872dadd64a97873bd215b213eecd346de0b7

Download Submit
\ProgramData\mIb01804pPhCe01804\mIb01804pPhCe01804.exe

Filesize
357KB

MD5
5a7857ea64c13724c14ca25b451f8b0b

SHA1
8ab43e3f3ec8316d8933ecfcfd5ac94c9ecbbe5c

SHA256
0ad8939a4f0c36d19f46e05999d16883859df24fce0361c03ab57bfc1bc5bb62

SHA512
a4cd58aa76c63bdb8a0d5639e53c1b7c17ee0fb17b812d4e89a0dba434ca69665bbb2b217e057d9f030b46c330cffb27123a2b9f591ca55cef9fd3113c6525a4

Download Submit
memory/320-24-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/320-37-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2512-6-0x000000007746F000-0x0000000077470000-memory.dmp

Filesize
4KB

Download
memory/2512-5-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2512-23-0x00000000004E0000-0x00000000005B4000-memory.dmp

Filesize
848KB

Download
memory/2512-28-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2788-30-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2788-38-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2788-47-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download