b7c782895eab0b5d9609affee7f8eb97812a3fc872ced8d46d904b5280c7a80a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Size

7.3MB
MD5

0ea029ddc6e0fd91a42f87d5313498ab
SHA1

8562130191ce59575e53bbd6ab39e2c66d82998c
SHA256

b7c782895eab0b5d9609affee7f8eb97812a3fc872ced8d46d904b5280c7a80a
SHA512

55274f33cbed3f55b55a7d86f1380fde627fe7a2429f399a8d0e042a375e558f9848d03bfb56ba6ae326f3e1326b683ce0b0e1281e916260fab076188d8f1ca5
SSDEEP

196608:FGH7x4Ar254tQEOD3YdPlDkpA3yn3MrN1Au:C7zrO4pOTEPlDk6ycxL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1392	Installer.exe
2240	DesktopSwitcher.exe
912	ds.exe
1524	manager.exe

Loads dropped DLL 25 IoCs

pid	Process
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
1392	Installer.exe
1392	Installer.exe
1392	Installer.exe
1392	Installer.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
912	ds.exe
912	ds.exe
912	ds.exe
912	ds.exe
912	ds.exe
1524	manager.exe
1524	manager.exe
1524	manager.exe
1524	manager.exe
2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Desktop Switcher\license.txt	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\manager.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\tools\register.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\tools\register_y.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\Uninst.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\ds.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\help.chm	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\hook.dll	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Desktop Switcher\Uninst.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.url	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.url	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\Process.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	manager.exe

NSIS installer 5 IoCs

installer

resource	yara_rule
behavioral1/files/0x00070000000174f5-16.dat	nsis_installer_1
behavioral1/files/0x00070000000174f5-16.dat	nsis_installer_2
behavioral1/files/0x0005000000019468-55.dat	nsis_installer_1
behavioral1/files/0x0005000000019468-167.dat	nsis_installer_1
behavioral1/files/0x0005000000019468-167.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchUrl\ = "http://www.forumswatcher.com/search.htm"	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\SOFTWARE\Microsoft\Internet Explorer\Main	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchUrl	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.forumswatcher.com/search.htm"	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Token: SeBackupPrivilege	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1392	Installer.exe
2240	DesktopSwitcher.exe
2240	DesktopSwitcher.exe
1524	manager.exe
1524	manager.exe
1524	manager.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2240	DesktopSwitcher.exe
2240	DesktopSwitcher.exe
1524	manager.exe
1524	manager.exe
1524	manager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1524	manager.exe
1524	manager.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1392	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2240	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2240	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2240	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2240	2064	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	32
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 2240 wrote to memory of 912	2240	DesktopSwitcher.exe	33
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34
PID 912 wrote to memory of 1524	912	ds.exe	34

C:\Users\Admin\AppData\Local\Temp\0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\TempImg\Installer.exe
  C:\Users\Admin\AppData\Local\TempImg\Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1392
- C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe
  "C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Program Files (x86)\Desktop Switcher\ds.exe
    "C:\Program Files (x86)\Desktop Switcher\ds.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Program Files (x86)\Desktop Switcher\manager.exe
      manager.exe 4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Desktop Switcher\ds.exe

Filesize
56KB

MD5
40a73ca13250edb9c812c7bd7dc0988a

SHA1
a0ede27ab1243777aeac9e64b3e9835a8b74b0a6

SHA256
053978ea023044be1262edb716c02dd5bc96d54706788efa7e923bc4a85c9b68

SHA512
1d8a0643f2602f14abd5f5cf8589a1d6178144ae014fa5d5572b18cca5fb1fbaf306bf59c0fd2635f3f494da4866cffc232a9891cd2fc91b6f2dfeb8751debb7

Download Submit
C:\Program Files (x86)\Desktop Switcher\manager.exe

Filesize
104KB

MD5
5d2cd628225bf664d24988dca337a87a

SHA1
e68b276c477fc3b84bee5f00c0396a8ec65abc94

SHA256
7283c414a37fb0bc243994889f2910d9381513532dcb3b7d2a34dada7740ddb7

SHA512
2a02a977c1bd3f527cefe3f2e24324692c5254c96bf398a0395009f68b08b7cbad5ae45198cd6d037f1c386ae32a898a5e4077ecc60c36b3eb55d172050b8c01

Download Submit
C:\Users\Admin\AppData\Local\TempImg\vcheck.exe

Filesize
24KB

MD5
02ce8877565b7020ad6dd0857afb4cd4

SHA1
684435c0c0511a6fd7532496780bbcd6dd39b0d5

SHA256
4321b89de48a199b076a5a9e27dcd4f9f82365ef340f42ac29ecd18510f1e43c

SHA512
c9ab0fa25aa692ce270063f47403a4c40056e5f400ae1e254af00cc5aa37dc02d7cb47f19bf263027b2ab18dff78cb6f5510155e4509c3d99e8733e6c124de8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC830.tmp\iOClean.ini

Filesize
511B

MD5
9a1a6956efaa999fafc11830f40e3cf1

SHA1
6a8f5f196d7b61f8dff2f908975d6006a2d98a4e

SHA256
a8575154d5c0c0247c961a0947d11faa985d1952dea93b2e0d5b3b339ccb51f3

SHA512
6e38242c4790e2f2be61820d2629645fd7723f3fd069636a3459d512b63467686a6fde5d40db1a9b5a891a7822c1b6dec264600e043932e194256a6b75aba639

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC830.tmp\iOClean.ini

Filesize
502B

MD5
2c01be17e644920cef64bc6907958da0

SHA1
1572e8174d343d45c0dd356c255c6be918cf32cb

SHA256
4c3cc3dcc2d8a64652e9f2f2c1d85a16dd06d2084878f74d9255fd357e078737

SHA512
f65eaff8871133c2f6964bbb49ecce603b389823ff2d10638526967c2ce5b102ff9e2bae829644385752f69a505ffa192307a03c2a73ca453e28f5544901236f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC830.tmp\ioSpecial.ini

Filesize
537B

MD5
94f6aac3ac7cf2d1cbed3f3fb1238105

SHA1
82205a62e8064d74fd4f3a9b9b23a635d7a7dd46

SHA256
33399aa9fc5052ca9ad06d6e07fa896e636eabd77626b426c3cd26638f521239

SHA512
de04cfcb16c0cebe6aba12ebb941936d973f2b7c371b50a778e54f3a9b2dc2bdd77c87a252f6e28733f36c351a5d246fdc26a34844739373b106f1614822023b

Download Submit
\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe

Filesize
44KB

MD5
a76694c2803ab37f360eab89a7e4a03e

SHA1
92365903dbb68cbedb7048ecbe040cd75bc35593

SHA256
e4ff87c0d782acb590d38da5d8671c577df5c2db6458bac3a3687297d355793a

SHA512
9f1bad4a19abab432dde8d17b86ca4d309961638d8eb0c73ecbc0e7267462eb4a5e5b7eb8d0bafacb87217ee35efab4a5ef8060f4874d8b96a204153f5302011

Download Submit
\Program Files (x86)\Desktop Switcher\Uninst.exe

Filesize
64KB

MD5
11698468f019ceda9acb3a3e51114ef4

SHA1
88b221a2a26583dd208b3c236c23da3b0884dda6

SHA256
c4e209ccf7b7bd4225788a13036304c1d750790303877cfe4d09c6cf730f2c4c

SHA512
dabab9a4791bef8278ae3b8532d778ac5b6b5b9938ca94d10145bebd0f74dcd0d9b09680a89cfe79d93d8b8d61a7f02279aaa140f00f83446ff2068e7730d9b0

Download Submit
\Program Files (x86)\Desktop Switcher\Uninst.exe

Filesize
57KB

MD5
06e67b06ec3ac8fe90219d2d2e55fe0e

SHA1
0f3c439ca55b6abac124212f67eae9c26d0d199d

SHA256
bd06b582e1caafcc02609b48f53a3073e09b66ab3b5616f794632901f298e764

SHA512
597fdd76a0234692b83220b640d7455d697ab14a59ce4c28ca3b8b2c0fc6cef3d02ec07703961fe88d73932a357e2f78efebf694f0c5d870807a0031d3523bbf

Download Submit
\Program Files (x86)\Desktop Switcher\hook.dll

Filesize
120KB

MD5
6110c148434514d710e0c6f04addf8bd

SHA1
77259ad2742d417064fd69c732f8b988a50218cb

SHA256
ec38d249d770a93755b1ed60e365ded155468f45869f6ee7e6a0eda9f896ba76

SHA512
cff5ebb8516f7ecd8ca4d8b83f6e3d6058b386655adfabf47e041a99050b0b845b6f7fb838d1cd52349b088c211afb469ae091ffa376654bc3038ef633c72472

Download Submit
\Users\Admin\AppData\Local\TempImg\Installer.exe

Filesize
6.9MB

MD5
186b0136f303bbdfa28d4186073bea8a

SHA1
6cb4cf0098b71a486ff5deaf222b8ffafcde818a

SHA256
091088c5d1ee6da6b7584af2a7fd1315f5cd5b09789c3f375654f29b372bbdea

SHA512
b0f47bdba9914e1f114039b2a90e224a980fa5b83d7d1981a80592a84ea06760cac2a335e78b38323f71c4bb34e3590fe9b2123318e704a38d9bd083229688af

Download Submit
\Users\Admin\AppData\Local\Temp\nstC830.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
\Users\Admin\AppData\Local\Temp\nstC830.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nstC830.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nstCAEE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2064-267-0x0000000004490000-0x00000000044AF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads