Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 04:29
Static task: static1
Behavioral task: behavioral1
- Sample: 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe
- Size: 5KB
- MD5: 0ded0b74c3021cf741c9639f1ec2ac02
- SHA1: 3630ed39035c1e3343a8aa87e17a1cf65410f61d
- SHA256: 18ed2296e8b35c5d91d5d65e70b2cb80830563bd0c3b8222ac5171a7cc842f05
- SHA512: 0a3c67274b9ddd4dfe2e2acfe6c4dda9f901fa7544d23ab9b45eecb3696cf3247ab717eed36a491298e338dd7fe4dd9b9a07f3cefe4a21183de6be6407ca4365
- SSDEEP: 96:R+MQUs5A0j4EqojhfUA2GRu6oTOPKC+Ce362uzbCw2OyTXjTemZ:R+usu0ZVunVJx62uzpUXffZ
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2892, process cmd.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by iexplore.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by IEXPLORE.EXE
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2040, process IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid/process: 2040 IEXPLORE.EXE, 2040 IEXPLORE.EXE, 2760 IEXPLORE.EXE, 2760 IEXPLORE.EXE, 2760 IEXPLORE.EXE, 2760 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2544 wrote to memory of 2208 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 31
  PID 2544 wrote to memory of 2208 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 31
  PID 2544 wrote to memory of 2208 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 31
  PID 2544 wrote to memory of 2208 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 31
  PID 2208 wrote to memory of 2040 | 2208 | iexplore.exe | 32
  PID 2208 wrote to memory of 2040 | 2208 | iexplore.exe | 32
  PID 2208 wrote to memory of 2040 | 2208 | iexplore.exe | 32
  PID 2208 wrote to memory of 2040 | 2208 | iexplore.exe | 32
  PID 2040 wrote to memory of 2760 | 2040 | IEXPLORE.EXE | 33
  PID 2040 wrote to memory of 2760 | 2040 | IEXPLORE.EXE | 33
  PID 2040 wrote to memory of 2760 | 2040 | IEXPLORE.EXE | 33
  PID 2040 wrote to memory of 2760 | 2040 | IEXPLORE.EXE | 33
  PID 2544 wrote to memory of 2892 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 35
  PID 2544 wrote to memory of 2892 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 35
  PID 2544 wrote to memory of 2892 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 35
  PID 2544 wrote to memory of 2892 | 2544 | 0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe | 35
Processes
- C:\Users\Admin\AppData\Local\Temp\0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ded0b74c3021cf741c9639f1ec2ac02_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2544
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://www.placeforporno.com/
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2208
    - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.placeforporno.com/
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2040
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID: 2760
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c c:\n.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 2892
Network
MITRE ATT&CK Enterprise v15
Downloads