b7c782895eab0b5d9609affee7f8eb97812a3fc872ced8d46d904b5280c7a80a

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Size

7.3MB
MD5

0ea029ddc6e0fd91a42f87d5313498ab
SHA1

8562130191ce59575e53bbd6ab39e2c66d82998c
SHA256

b7c782895eab0b5d9609affee7f8eb97812a3fc872ced8d46d904b5280c7a80a
SHA512

55274f33cbed3f55b55a7d86f1380fde627fe7a2429f399a8d0e042a375e558f9848d03bfb56ba6ae326f3e1326b683ce0b0e1281e916260fab076188d8f1ca5
SSDEEP

196608:FGH7x4Ar254tQEOD3YdPlDkpA3yn3MrN1Au:C7zrO4pOTEPlDk6ycxL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4900	Installer.exe
2836	DesktopSwitcher.exe
2436	ds.exe
552	manager.exe

Loads dropped DLL 11 IoCs

pid	Process
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4900	Installer.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
552	manager.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Desktop Switcher\tools\register_y.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Desktop Switcher\Uninst.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.url	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\Uninst.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\ds.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\help.chm	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\tools\register.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.url	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\Process.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\hook.dll	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\license.txt	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
File created	C:\Program Files (x86)\Desktop Switcher\manager.exe	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	manager.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023473-19.dat	nsis_installer_1
behavioral2/files/0x0007000000023473-19.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\SearchUrl	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\ = "http://www.forumswatcher.com/search.htm"	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.forumswatcher.com/search.htm"	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4900	Installer.exe
2836	DesktopSwitcher.exe
2836	DesktopSwitcher.exe
552	manager.exe
552	manager.exe
552	manager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2836	DesktopSwitcher.exe
2836	DesktopSwitcher.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
552	manager.exe
552	manager.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4900	4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	82
PID 4940 wrote to memory of 4900	4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	82
PID 4940 wrote to memory of 4900	4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	82
PID 4940 wrote to memory of 2836	4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	90
PID 4940 wrote to memory of 2836	4940	0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe	90
PID 2836 wrote to memory of 2436	2836	DesktopSwitcher.exe	92
PID 2836 wrote to memory of 2436	2836	DesktopSwitcher.exe	92
PID 2836 wrote to memory of 2436	2836	DesktopSwitcher.exe	92
PID 2436 wrote to memory of 552	2436	ds.exe	93
PID 2436 wrote to memory of 552	2436	ds.exe	93
PID 2436 wrote to memory of 552	2436	ds.exe	93

C:\Users\Admin\AppData\Local\Temp\0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ea029ddc6e0fd91a42f87d5313498ab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\TempImg\Installer.exe
  C:\Users\Admin\AppData\Local\TempImg\Installer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4900
- C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe
  "C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\Desktop Switcher\ds.exe
    "C:\Program Files (x86)\Desktop Switcher\ds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Desktop Switcher\manager.exe
      manager.exe 4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Desktop Switcher\DesktopSwitcher.exe

Filesize
44KB

MD5
a76694c2803ab37f360eab89a7e4a03e

SHA1
92365903dbb68cbedb7048ecbe040cd75bc35593

SHA256
e4ff87c0d782acb590d38da5d8671c577df5c2db6458bac3a3687297d355793a

SHA512
9f1bad4a19abab432dde8d17b86ca4d309961638d8eb0c73ecbc0e7267462eb4a5e5b7eb8d0bafacb87217ee35efab4a5ef8060f4874d8b96a204153f5302011

Download Submit
C:\Program Files (x86)\Desktop Switcher\ds.exe

Filesize
56KB

MD5
40a73ca13250edb9c812c7bd7dc0988a

SHA1
a0ede27ab1243777aeac9e64b3e9835a8b74b0a6

SHA256
053978ea023044be1262edb716c02dd5bc96d54706788efa7e923bc4a85c9b68

SHA512
1d8a0643f2602f14abd5f5cf8589a1d6178144ae014fa5d5572b18cca5fb1fbaf306bf59c0fd2635f3f494da4866cffc232a9891cd2fc91b6f2dfeb8751debb7

Download Submit
C:\Program Files (x86)\Desktop Switcher\hook.dll

Filesize
120KB

MD5
6110c148434514d710e0c6f04addf8bd

SHA1
77259ad2742d417064fd69c732f8b988a50218cb

SHA256
ec38d249d770a93755b1ed60e365ded155468f45869f6ee7e6a0eda9f896ba76

SHA512
cff5ebb8516f7ecd8ca4d8b83f6e3d6058b386655adfabf47e041a99050b0b845b6f7fb838d1cd52349b088c211afb469ae091ffa376654bc3038ef633c72472

Download Submit
C:\Program Files (x86)\Desktop Switcher\manager.exe

Filesize
104KB

MD5
5d2cd628225bf664d24988dca337a87a

SHA1
e68b276c477fc3b84bee5f00c0396a8ec65abc94

SHA256
7283c414a37fb0bc243994889f2910d9381513532dcb3b7d2a34dada7740ddb7

SHA512
2a02a977c1bd3f527cefe3f2e24324692c5254c96bf398a0395009f68b08b7cbad5ae45198cd6d037f1c386ae32a898a5e4077ecc60c36b3eb55d172050b8c01

Download Submit
C:\Users\Admin\AppData\Local\TempImg\Installer.exe

Filesize
6.9MB

MD5
186b0136f303bbdfa28d4186073bea8a

SHA1
6cb4cf0098b71a486ff5deaf222b8ffafcde818a

SHA256
091088c5d1ee6da6b7584af2a7fd1315f5cd5b09789c3f375654f29b372bbdea

SHA512
b0f47bdba9914e1f114039b2a90e224a980fa5b83d7d1981a80592a84ea06760cac2a335e78b38323f71c4bb34e3590fe9b2123318e704a38d9bd083229688af

Download Submit
C:\Users\Admin\AppData\Local\TempImg\vcheck.exe

Filesize
24KB

MD5
02ce8877565b7020ad6dd0857afb4cd4

SHA1
684435c0c0511a6fd7532496780bbcd6dd39b0d5

SHA256
4321b89de48a199b076a5a9e27dcd4f9f82365ef340f42ac29ecd18510f1e43c

SHA512
c9ab0fa25aa692ce270063f47403a4c40056e5f400ae1e254af00cc5aa37dc02d7cb47f19bf263027b2ab18dff78cb6f5510155e4509c3d99e8733e6c124de8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse8473.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\iOClean.ini

Filesize
511B

MD5
e50aa4ea429f2ea307eba810e8aa0077

SHA1
ae5b22af160fd51ae4fccd95800d64dbff76fff4

SHA256
3caa00ec36e003468b4e3c02d71c7f76a42f8ec8ff09e613754ea0c8c1e42fe9

SHA512
db3f81276612d234b5a3b01d0f41aa1fbafbc6fdb1510272fed5891c537b5a73802dd4b9a05da3dfb480b66d409a287b16f410535471205e270746c93b4d3f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\iOClean.ini

Filesize
450B

MD5
55256efd8c1cc3d682a980f530bd3d32

SHA1
8aafb73d95d79eaa8f8ee8ed305f686f30e184e1

SHA256
54718e4239ee773bc7c7654371027b8366dc4d2475e42d47d8efe93ffe9a7d89

SHA512
c4479c5a35cfc69b2d14b636efc26c56b82d006f01a525ff9e3d64cc7c04572dd4a842613bc44adf2d2b34183734139b2a4901df5d53faa712c41fe20b19f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst82FC.tmp\ioSpecial.ini

Filesize
537B

MD5
4edf33db7c5bd960a459f6c9d60c58ef

SHA1
d1588daa299c62df3292026cb1aeee34459b7945

SHA256
72fe04f7e564a19531403cd4d2188b65b7ef95640cd2f23cdacbaf61b1b1a3f7

SHA512
b1c08a3ba391ac73645672271453b3b108220a20a4f0f45b57f4af5d893cb29f29e7bd3387aad9128db8b662d5572c92b4bcd898f5bfc66684b67725a2678c64

Download Submit
memory/2836-239-0x00007FF8FEC45000-0x00007FF8FEC46000-memory.dmp

Filesize
4KB

Download
memory/2836-243-0x000000001BBE0000-0x000000001BC7C000-memory.dmp

Filesize
624KB

Download
memory/2836-244-0x00000000013E0000-0x00000000013E8000-memory.dmp

Filesize
32KB

Download
memory/2836-242-0x00007FF8FE990000-0x00007FF8FF331000-memory.dmp

Filesize
9.6MB

Download
memory/2836-241-0x000000001C210000-0x000000001C6DE000-memory.dmp

Filesize
4.8MB

Download
memory/2836-240-0x00007FF8FE990000-0x00007FF8FF331000-memory.dmp

Filesize
9.6MB

Download
memory/2836-256-0x00007FF8FEC45000-0x00007FF8FEC46000-memory.dmp

Filesize
4KB

Download
memory/2836-257-0x00007FF8FE990000-0x00007FF8FF331000-memory.dmp

Filesize
9.6MB

Download
memory/4940-255-0x0000000003360000-0x000000000337F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads