c944533889d62a38fafb826b2b4d091fc6e07fc022aadf7a46d4decbf1d47c5b

Analysis

max time kernel
96s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe
Size

131KB
MD5

0f72c98cc5cd34ecfbc0d18f7d89560d
SHA1

9bf39636a27431bf4414398c49bfcc05dcf801f5
SHA256

c944533889d62a38fafb826b2b4d091fc6e07fc022aadf7a46d4decbf1d47c5b
SHA512

736158e0dcd91804c2f48a901982875c40c188b9d712d023f44af83b53f542af69d5fd9c3d5ec141302452ff0cffdd7cfe7daa180060f1f0489ed4c21b37df47
SSDEEP

3072:q2pGkrt8qhPFivC7iIRPuXr60OheCVJTp5tZprP+bFmqZBbvasTI:qVe8qhQ6BPX0OB7Ab/ZBbvBI

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\INET = "C:\\Windows\\system32\\INETSRV\\inetsync.exe"	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4040	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IInfo\InfoMgr.exe	setup.exe
File opened for modification	C:\Windows\SysWOW64\IInfo\InfoMgr.exe	setup.exe
File created	C:\Windows\SysWOW64\IInfo\InfoNet.exe	setup.exe
File created	C:\Windows\SysWOW64\EbayIcon\ebay.ico	setup.exe
File created	C:\Windows\SysWOW64\EbayIcon\ebay1.ico	setup.exe
File created	C:\Windows\SysWOW64\INETSRV\inetsync.exe	setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4576-0-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4576-27-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\Default Visible = "Yes"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\ButtonText = "Ò×È¤¹ºÎï"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\MenuText = "Ò×È¤¹ºÎï"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\Icon = "C:\\Windows\\system32\\EbayIcon\\ebay1.ico"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\HotIcon = "C:\\Windows\\system32\\EbayIcon\\ebay1.ico"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}\Exec = "http://adfarm.mediaplex.com/ad/ck/4080-23171-9517-195?cn=song;icon;hp&mpro=http://www.ebay.com.cn"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{DE60714F-AC17-427e-861A-FD60CBDF119A}	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 4040	4576	0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe	82
PID 4576 wrote to memory of 4040	4576	0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe	82
PID 4576 wrote to memory of 4040	4576	0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f72c98cc5cd34ecfbc0d18f7d89560d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4576
- C:\temp\install\setup.exe
  "C:\temp\install\setup.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\temp\install\setup.exe

Filesize
44KB

MD5
3365c2f44539dadcc5861a1a554643a9

SHA1
70b6ac5c12d759d84d4cfd400cf702f419824b25

SHA256
e488f9a05d591eae081e897546ed124c5849cfed64a8a6d7fa41d21608796987

SHA512
af3cd2529b332caf63536aac4768ddab3a0b61864a112ea439f92a4d5ea0cdacf62f7e67cf69f4a7f6d828f9782a46ef29dc3ffb740e1b081a009bad61922b03

Download Submit
\??\c:\temp\install\InfoMgr.exe

Filesize
32KB

MD5
21b3491f3b03870632b10ab1e9e8982b

SHA1
ca4ec1ecb0e9079e7d8b9b71a8d24ca2a60b6e66

SHA256
eeba1cde5a958a3a6bfe0b0503665c26c612ce4ee5f1b20ee8a2dff1ce6f5a6d

SHA512
a34fdfbdc4540c72814bdaae917a8d30821dffb6892e389b63e6b71a6bef0e162561d5ae128ad959dd981c01c5e3f7a922ffaae85ff6f7b2cc0230971e7777ee

Download Submit
\??\c:\temp\install\InfoNet.exe

Filesize
32KB

MD5
797cacb308ea18595d954a8496d96436

SHA1
d7e4616c1771c27166e172794e303b18c86050aa

SHA256
61688cf496b3f48acbfec077c9d40b4ba4c9e98a822cc772f983b3fe5d7c6f95

SHA512
9d8f882cb3e1d5116dc269822e055e5bc364032ae89d4218d7c9e83debdc2a513fd4040f882e1888eef930f7d6710949a0078f28de584d2fe5b37bda036c4e8e

Download Submit
\??\c:\temp\install\adunwise.exe

Filesize
36KB

MD5
5ebc120ed1cbd47fe1dd736aeb040385

SHA1
2c7c521b9cfff444cb5dd3f23eaac8b49dcb4d00

SHA256
9a324304fe5e61d7ccab3d1dd3e2ed5d1f3bf2db0b3bbb71e442e84334b1f0c9

SHA512
c1521fcd329d1e6fe1b8734e10ac791e7d7c60d2cd8ea31631ed9c5e4f4c2cce91ed9d172921e08cfb3995741967e1104002eb4b38066466dd7f54cf5b83d97c

Download Submit
\??\c:\temp\install\ebay.ico

Filesize
4KB

MD5
ecc2bff26554009ea9edfc8379d5740d

SHA1
dbfa743d64a8c3f0525178bc67ec387e792db431

SHA256
1969427d2c5887ff989fd68d876204f5fa8aebee1f886ffa4f968d32a66dcd15

SHA512
170ed7912407c82e5fe0042c0c7d3c4860f499617f242177a8c3b494840baac5f9a7f25817d3dcb9d314d58e2fa4bc73ee8c1c59f0e7697b2ce6bcb6ea498ec1

Download Submit
\??\c:\temp\install\ebay1.ico

Filesize
4KB

MD5
df7d589280f8634177b8b4947aa8dde5

SHA1
fa70cf37bb9bfefddf243228a6613415e6d18abf

SHA256
80f087d69fb24b9ddeeebba9338dbeee67c5e0df351f12357cb9ceea0c393899

SHA512
8985faffe3462e149502148a99437d3bd3d810ecc63acbe93c965e6468b1e34fa204789a99cf71f3c0d6cb042aa0905a576d45e37b0a739864abc89d804a6c03

Download Submit
\??\c:\temp\install\inetsync.exe

Filesize
28KB

MD5
1bf321bde230a272ba9e22f781d88c67

SHA1
4e1c7154328e83d23ef5562cc690f2239222a9ff

SHA256
b5ea76a2634d2e4d7115211104254c8f0f17f7b7a44b7710e8fc720fc62fa0fe

SHA512
9c21ecea7fceb4e9d571036bde7f944db1dd96974120fd110a8781e8847aae83d8136ad81f4dc8dea208018868129e6691b201041cbf6744bf6f2ef2c5f17bcb

Download Submit
\??\c:\temp\install\setup.ini

Filesize
314B

MD5
94bd1160f5e7918097542082eb29fd89

SHA1
b16ba1725344b9aa06f5fe4690743a7c00e2ba67

SHA256
2baa2682992462886d70ff7ad621b0ce55fa5b806f9437833f058765ed120cf0

SHA512
b20b0d35301b7352a3bf0f3d69e9733c8d16e50669f501440d348fd355dc8802e7726c65c3566037a5f342d0df4ec161f19a739e2ed4148a1bc59b2f396e216b

Download Submit
\??\c:\temp\install\web.txt

Filesize
97B

MD5
258ee083ce83fa66b6a11f05bfe38cd3

SHA1
7c6c53bf8b23c40e5ae89a1742817d24f6e3f1ef

SHA256
8e22527da6fbdb36033790792261862194421ab3a1f6ae5c6e6260dd0dd1c9dd

SHA512
edb4e6c2d79d64b1a8acee357cf83dc4771fd0155b00fc80d152c58b77257bad9934dae0a218e91293be2315c721deebb03d4d343df7ad41f51f2760685793a0

Download Submit
memory/4576-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4576-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads