10666748e8acf3269a93f868301eeddcfb4a2f3228e2ea1328f8a519d6bce7e2

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe
Size

158KB
MD5

0f340583a4ee284caf16e05d3cc00024
SHA1

b56222d2f9f5e0d688340d0ac3a6473f72129d32
SHA256

10666748e8acf3269a93f868301eeddcfb4a2f3228e2ea1328f8a519d6bce7e2
SHA512

11b280891b386a049564f270e4e04412f7e6a9f1c8ede0bb0584c67405df329862f1b823da69550da90f2b9def9543d208ff007e651c619c03ec538115c94e01
SSDEEP

3072:4TEGsN2+2kmBWLhHrXYnj3NJbVI3Gbf0Yd6zCNrtehH/CsQgSsDxd:KsNnVUSrGzLbVI3+KCNAFBQO

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2152	Zfetaa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\K8CE6CA1JO = "C:\\Windows\\Zfetaa.exe"	Zfetaa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe
File created	C:\Windows\Zfetaa.exe	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe
File opened for modification	C:\Windows\Zfetaa.exe	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zfetaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	Zfetaa.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\International	Zfetaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe
2152	Zfetaa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2152	Zfetaa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2152	2452	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe	30
PID 2452 wrote to memory of 2152	2452	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe	30
PID 2452 wrote to memory of 2152	2452	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe	30
PID 2452 wrote to memory of 2152	2452	0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f340583a4ee284caf16e05d3cc00024_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Zfetaa.exe
  C:\Windows\Zfetaa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
372B

MD5
16db844341c43843a47a8d6553326d76

SHA1
eca1c26afad48fb4b890ecf7045ea69fe8e04f03

SHA256
c487fa0a078d2f207319d55dc3e5b8cf807de37d4bc7bee578c150013a026dad

SHA512
7ed5e2f62065d1ec3cb17b9d0f612a90c34d1e757a5aca8bc554af701b5198c48d4ac77e73df89e0f3b1db2ff39344188cdc6f9b0fbbb4e8943528404ae2d023

Download Submit
C:\Windows\Zfetaa.exe

Filesize
158KB

MD5
0f340583a4ee284caf16e05d3cc00024

SHA1
b56222d2f9f5e0d688340d0ac3a6473f72129d32

SHA256
10666748e8acf3269a93f868301eeddcfb4a2f3228e2ea1328f8a519d6bce7e2

SHA512
11b280891b386a049564f270e4e04412f7e6a9f1c8ede0bb0584c67405df329862f1b823da69550da90f2b9def9543d208ff007e651c619c03ec538115c94e01

Download Submit
memory/2152-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2152-48218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-9-0x00000000005A0000-0x00000000005DA000-memory.dmp

Filesize
232KB

Download
memory/2452-48216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-48217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2452-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download