357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca

Analysis

max time kernel
126s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Size

1.0MB
MD5

09f8745d138f25e807860f9f7bb16d0e
SHA1

4f3d20d1b0b745d0857121d4036fd1b95ddd722e
SHA256

357d48ac369c240b339687beb4daee4e4e6faf071b89bf60a4655025088e57ca
SHA512

f732e6a8068033fa282abe3447c891e2276f711f805ae6f110f830d1f933c1181011b975c33335b4596d220b9650e0478d4f73d3f37f333e75a11b0f02c27d7c
SSDEEP

24576:0ty/AMkERzF1fcEdN+ZQVZXBM348cBscckNvLSbgpMSLz+jJtdtvgw:0LEH1dfVF2I8uscckdLSbgpMk+t1gw

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
272	PING.EXE

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
272	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2192	2448	09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	30
PID 2192 wrote to memory of 1304	2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	32
PID 2192 wrote to memory of 1304	2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	32
PID 2192 wrote to memory of 1304	2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	32
PID 2192 wrote to memory of 1304	2192	internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe	32
PID 1304 wrote to memory of 272	1304	cmd.exe	34
PID 1304 wrote to memory of 272	1304	cmd.exe	34
PID 1304 wrote to memory of 272	1304	cmd.exe	34
PID 1304 wrote to memory of 272	1304	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp /baseInstaller='C:/Users/Admin/AppData/Local/Temp/09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe' /fallbackfolder='C:/Users/Admin/AppData/Local/Temp/nso5EC.tmp/fallbackfiles/'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\29742.bat" "C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 1000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\$I6UIOWJ

Filesize
544B

MD5
5eeb678c4a0fbe0b0248965d41de41d7

SHA1
e1a7432ff355ca554040df9d2e83b30598155043

SHA256
a4d6d7c391eb7ef5c47bbfa0d63d7e5a095104e66541f80eb350dfca15f68aec

SHA512
b7bf567ba142d84711d7e3f74b3e2e3db80869cfe8a9c9c6fdd66cbfe38a0f99593b0a1350d3f7ff90986ae964f8e5d52f7b935f1856ef50c2ab57b1b27ef89c

Download Submit
C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\$IRWYEBB

Filesize
544B

MD5
076042e936cb1de29be028cba28d7d1b

SHA1
0e7351689b78e014af7d7253bcc3b6aa91ea0130

SHA256
00df9fd740ebcfe47b8cb51078aa568159259ba6ad05f11410a34dec9379a1bb

SHA512
53d760e14804086052835e48804b44e6fbea88aaa2a4162c9ece3ab525da44f46e0fadfdfaca7b64a5dba82b4d551b203dd83e291a9c31bf82e326617c2efe8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\29742.bat

Filesize
212B

MD5
668767f1e0c7ff2b3960447e259e9f00

SHA1
32d8abf834cce72f5e845175a0af2513b00504d8

SHA256
cdb93994093a24991c246d8b6f7003920a510a45bfc8441521314ce22a79191d

SHA512
c07f26c8601cf91d9805004668463721ab91e14f3cc59e77e20f43d98e070ea8e742c38fe8021c4ffb1ebc02e3743ab732b66ff84bb24b59a5fdcc8634c77680

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt

Filesize
2KB

MD5
6ee01b03e1b83a8a816aecf779eafcb4

SHA1
3239248c79673bc76d028c21f42327ac751e224f

SHA256
17c4775f6659d17cef3b18dd8bfd42b692530873664044da6b455f0696f9cdad

SHA512
db556c7e5ef455e293ffed696cc60f7ed7a4bdf3f9c699ce13e7a6b3d530a121839e14d6311cc879cab75288a53af3f13c7a0f9eb9680f60d1a065787ab9d54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt

Filesize
3KB

MD5
0684682e47f14ab0248441b446b39e12

SHA1
ee9a9e73b7f2b4175d529c0a93099668cdf59290

SHA256
4e23e052d5e90c428a7e729263e508544ba855687c91ebb60558c06dba6cc2a5

SHA512
9d0994750d2e27ea2faba42e0e339bda19c4472f48002013db5df958e8f93fe6ec9aa095db90d3bcffd9ce999f55ffff657a77d332414a11f8b171bd7e981a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B3800AC4084E2E8072DECF189242F3_LogFile.txt

Filesize
5KB

MD5
a5f6d53c9c8423f0f7a9529d1697b9a8

SHA1
c0e2a007036088ea376b35c264fa147cc9c507e1

SHA256
50f392b70239d5e04b61d8ec0bf7d36b7b6650d3b463cd6003c2ae4bf74b3fc3

SHA512
df997023d4dc92e5ee108e75694279718cabc4bc14fabb94d08b76a9d93834b61661ebc3d99588e10ed47d909585631ba998695558409f61a368f49237f6ded0

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\45B380~1.TXT

Filesize
46KB

MD5
34102968432410a7c1422156df08891e

SHA1
4e4ada0209086f98bde9c98f03d7da8183257923

SHA256
8eae57c5db0f73e3513b7c0f39e1cac0bd32af78eb9e512b326739e577775675

SHA512
fd9e95ecd450297399f054af823e160be13aa4158816c35e6c5d265ea8bec978fcf357efcd3dd6b4832f56d705a3a43297b4a45e2e785b010e653c546d9f5af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\INDEX1~1.7ZE

Filesize
142KB

MD5
3edca5be7ec88fc61ac0df56e9bbee9b

SHA1
8d57c8ba39ccd3fe6360a959090d988105768a21

SHA256
a5e9740a4389950d2b36a8d9eb9c5e3c611400a1b29c17e80ceac2e6af50e6a9

SHA512
057330fbc93ef117789e5bb61a4c7fa348374e8769e0a8cdc53349e5e9382a75fc7c05a335698ac10169e0a1013ce801afa29421994bbfd3db570cd9c997bb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\45B3800AC4084E2E8072DECF189242F3\index.html

Filesize
608KB

MD5
1bd69b138c5b77bfc11ef8ef18263a1f

SHA1
0ef81f61b5ff325a5e47e96ff044a5ca2b211bf6

SHA256
ca20e9421c499324bf51a41bb156dc4ebf466b2f279e27059079a07fca0ca8b1

SHA512
e4ee339aefd47529e5f290a4685d2268d189123112e338bd5b397defd9b8679ee3445d2688def20d59fc5f7098055357348406fc1a91decf158bfa5367220e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\fallbackfiles\index.7ze

Filesize
208KB

MD5
75e10bbc4a869080b47c151c05e83777

SHA1
df12169fec3c26da438733ecfc8aad6cbb437eab

SHA256
83f1801408b2592036c221c7cdfd661bc852c06433fa77ce719926bc8195c5f3

SHA512
de850e0a4912aa187869d67d3be0cf87afa2981e8f33e9ab43081b8ceb85ff6780e890483a03df32b3c35409a37cd7909b0d317e3abd9eee9a26dacfbebf6a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_icon.ico

Filesize
31KB

MD5
30430957e675f266e56dac20764c081c

SHA1
18f71953953787795e0b0b32bcc367d23a67b5f5

SHA256
5f281671e0eba3728c0f2d46f05721042c9ea98f5d02791438dbfdfa3e15dba6

SHA512
3a888725349d1b1b9313b62c1666dce55a2132b1d3b4fa9f05bf65c5bb966ebe47ccb42c9f00dded0d0858c4658085b6fbbed601e30edaddc5dcec78266a8fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118_splash.png

Filesize
129KB

MD5
86c6e4408d9a14285fe4148f0d4695b6

SHA1
a974a8b1225635490176fe02893dc0395f22bcc5

SHA256
f69c403c12436a163a4f8324562fe45c000f6b6eaf3fe940591b5f296086663a

SHA512
2ab52a54371a34db5aa9c4b2cf1fa60b56e6ca06db1ecf9f6e5d79ce2dd446eb833779e6cacee00e8fb9909882d3ad5495af464b4df4c8d13f73d6935a091ff6

Download Submit
\Users\Admin\AppData\Local\Temp\nso5EC.tmp\internal09f8745d138f25e807860f9f7bb16d0e_JaffaCakes118.exe

Filesize
1.7MB

MD5
2ee2b50b5e4ca76e33244569b962c139

SHA1
2dc786b5da140ba79e6fd6288e8f6c34e0d8dab3

SHA256
d47132aafe3e47d4296266854582c3056bc527efcf2982652bd33e2108255b44

SHA512
cba8d1c5f9ee4102310acf8cb1990952611ccacb82d2ec7fc76741e0651a1569090d09af3408e45c79362d8a22d0643549a38115750de3536edad44241dd2f11

Download Submit
memory/2192-77-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2192-355-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2448-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download