d746cabdca2c8d97c6f3ec9c793a2aca742d8eb008d0cfcbbbbb9e60508338a4

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe
Size

159KB
MD5

09426f3d32fb7b7b3ca3981976d637a1
SHA1

1362871178960f30d4f674fa11ee9a98ac7b0272
SHA256

d746cabdca2c8d97c6f3ec9c793a2aca742d8eb008d0cfcbbbbb9e60508338a4
SHA512

5d5e8f5ff86dce134b6d7a1a018758f0a3f4fa97f6fe5116a1e8ea6745838a4ebea62af5e35d073c4d5eb085a305629db716b5286b9f3bfa2e2ef0831d3f3bfb
SSDEEP

3072:f22ihA0m3BJf0AtDtBHo5V3h02UFZKeNGwQnAvv9Im:QA0m3T0AtDtBHwRUzETnAvv6m

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2416	biclient.exe

Loads dropped DLL 1 IoCs

pid	Process
948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biclient.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	biclient.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2416	biclient.exe
2416	biclient.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31
PID 948 wrote to memory of 2416	948	09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\biclient.exe
  "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /initurl http://bi.bisrv.com/:affid:/:sid:/:uid:? /affid "ffonts" /id "popstarregular" /name "popstarregular" /uniqid 09426f3d32fb7b7b3ca3981976d637a1_JaffaCakes118
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70ba62ad8a3292206c235dc245e703c3

SHA1
0775309ba44d3286b9e1d69ae88eec2d0566e84e

SHA256
55be45b05225f6db619ba01601adcd0b1c8a485e431d967d82455a9f53c301c3

SHA512
c289a8efeec00b4116fe3c572851dd83bdfb8022fefbee672446d3a747725003daf65be05c6988e7a469aa43998af944d7ba64f6e989768ae93417eec7b7e4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fcd41c03927cc3db3e5962d9a3d958e

SHA1
d38b75f945edf205fe297492f2e163fa24d24fd5

SHA256
76659ced28577699717b87f741bd27a6ab8daea1ca3a48e4a5c6bfde75d6db54

SHA512
7c28613d722268f2b2d9329bffdb4ec135e7842472491bac1246693b7f0f0e08b8e2d56ed6cd8a6de3cdfe9e0ccca94073530af0d4c2cd8613079ca00fa9b423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51eb5dddecd2bcd1094d6372a178c640

SHA1
3e52383697cc9d99bcb5bb3c1da3508d40ec64a3

SHA256
f881f807aaed55a27e2be92ef565e817aed01cdaeb7808c2dfee14dcf0d10850

SHA512
46d2a1d511e280321b4c27400050b347b155f5da13fe527d4cb87c768571598ba81a08655d16d420291c0c2aeb1563c1620fc30ab29bc2b5663a0688d19859c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1828dad30113aa00cf87ee57b3fdd5c7

SHA1
e0fa2e5eb8aaf9d0a038ef0561d8729218646319

SHA256
7c4f72150b01dd3fe06604b91ab4ae963b8ef1b1d8d044e72d971f826c401b20

SHA512
27f23a47aa5dade4f64fd5688b7e690bf144487936fed7b23d2b07a44297079c42cee8f7df9649c0f101af92c8dd06b4757c2717767338e720b5dbd0c76dbb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f29d83fcb829fcef0fa7576e6dc2159

SHA1
510954c777bb8a84a73f5656ee7204f4111b8d93

SHA256
bb0996decf31fe6690b747ef79ec5eec7cb102439d5b0d029888ad6c164c3da2

SHA512
810548e59072ffd84c6611390d4ed0972aad931f7bb8e9f7fc563f82e12cf0c831c63752d87e5ae5cca36880177ed012ca156a269ea64bf24338410cbaeacd07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49348b2f438bc2ca198e2dc525c07923

SHA1
d919d5f19eea009f4eaa04ccfe7957cd6bfba6a8

SHA256
ec46fd343a4c0009f6d7937990c0e355cf6e633a11364950709d24804eb266b9

SHA512
b36fccbc53bed96998ade1dcfa8fc09a4e85348ac877219f54ec6f1c394dbbbdc877acb3c6ece06200d6da7c298cb61731c98942b559912c5ee27962bebe6375

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6066d2a5d0a4eeeafd07e87fe51c6c1d

SHA1
ca00b0bf3189716ac91930f84ee92b3df66e0887

SHA256
3aba4fe1348e7493c137f744cce553c1951c50eaf5237a707e5816bb238392b9

SHA512
c8fc9c99a464415fc790e45a8a8fa207f65d181375f547f6a5cb8d7ccd846e3c8354e0d1fa9947fce5b90700bc6635433575be3a6b09b3a9ff377fdd40b6cd93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77c103d6e709b82f4adfcc4156c89abb

SHA1
c0a4e2ad955fa382bbf6ba91ec32733e503c22e1

SHA256
a65f95b2c3179d11186dac1d6eb8f7ec74e518ed4585515c89dc79b98f2e65c2

SHA512
8e3f0e50d89cd013dd2a5df9588fa1237131018b88b6fc6f231caf17c4f741a9643a49e2273c641840b9f2c5968730285f76688a9481eeb4c6881209a7b51702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b58046e57cff700821bec93c18708c6e

SHA1
16f3098f32ea4ce8357cc4de90e825d3919cd9be

SHA256
9498e11a0fa8ba0b77a6638837d9037e1f0493170bd12f2a2401b55cfa89990d

SHA512
bd6ed4683d0a0fd8ad4a4bd2d377d51ee4f5eaf6add17d2d39e7073e2c87abdf92e8623cfdbfae9c47c50f885ebc9c944085f0a7eb70f16389fa8623e7e8c082

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF695.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
91B

MD5
b409b195ca2a01cb5b5c2f10d97b18f3

SHA1
b03a18eecee8b28c8a74bd2d4eaabb1828d9c938

SHA256
06cdde40fb9f502bb96d264058c21ffbe55ad5f98ff845ebfb2620a1c1e36fcb

SHA512
9d5921a139ae9ef3848263797da9522bc2c4968bb83407b48156b6aaabf4ebdbd82c36cd560228121bb57089de4d349983db18045da50435e8d4902ef28cc11b

Download Submit
\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
219KB

MD5
c66293ccd7cbe84b1b8f393ca5e4e6d7

SHA1
c24089d407e6280b79bec86532e9de0118e4de71

SHA256
ffbae29e2f233767fd42909720497165ce3552427ef93efb2fc714fb4204755f

SHA512
7ff97aa71f182035f90ba10c3bf8087280e3f34bf717bda139d642f4e043c64aa2b98d82a90a32f1df4b76f9d7610af62390fe934e514c90c703381a421c00b7

Download Submit
memory/948-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2416-16-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2416-470-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download