95e60c4f1ba0708d5208eec41a99fbf58deffb9a9766dbb90fc4db5bea0b726b

Analysis

max time kernel
126s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 15:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
Size

955KB
MD5

0f79e01bbc0b725d5f112ceb7bfc1767
SHA1

d3c20174b6fa2004d70e1f43fc8455bde8878706
SHA256

95e60c4f1ba0708d5208eec41a99fbf58deffb9a9766dbb90fc4db5bea0b726b
SHA512

5bd368234109171faff374994e6cceccf0f15fd047d166efbab865b0b8c10ee9f4a74ddb6240c128a3a1b16081cd81a16f5ccac792dcde0e35e1368f1b4775ab
SSDEEP

24576:wwq12Pf3kWw+7DtaUHvVq2Nnl72SYJwsL8WWOMk0:G2PfUWw+9aQoGQKcWOMk0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2636	BI.exe
3016	BI.exe

Loads dropped DLL 15 IoCs

pid	Process
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
2636	BI.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
2636	BI.exe
2636	BI.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
3016	BI.exe
3016	BI.exe
3016	BI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2636	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	30
PID 1716 wrote to memory of 2636	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	30
PID 1716 wrote to memory of 2636	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	30
PID 1716 wrote to memory of 2636	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	30
PID 1716 wrote to memory of 3016	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	35
PID 1716 wrote to memory of 3016	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	35
PID 1716 wrote to memory of 3016	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	35
PID 1716 wrote to memory of 3016	1716	0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\BI.exe
  C:\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\BI.exe { "json_send_time" : "3/10/2024 17:53:58:454" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "444202" , "user_type" : "NULL" , "result" : "Success" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "01c14dd7-dc2e-485a-aa85-67ccfc55af32" , "machine_user_id" : "{064310DE-CE12-49B6-B1F3-AF9974A8BDE6}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "A5F04A7A-006C-4755-BB1D-D8FAABB731C7" , "publisher_internal_id" : "61" , "publisher_id" : "Conduit Long Tail" , "publisher_account_id" : "ConduitLongTail" , "order" : "1.0" , "phase" : "Init" , "Is_Test" : "0" }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\BI.exe
  C:\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\BI.exe { "user_ie_security_level" : "" , "json_send_time" : "3/10/2024 17:54:37:829" , "internal_error_description" : "HttpPost result: try1- SendRequest Error; try2- SendRequest Error; try3- SendRequest Error" , "internal_error_number" : "3" , "is_parallel" : "0" , "mrs_id" : "" , "vector_id" : "" , "rule_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "444202" , "general_status_code" : "2" , "duration_details" : " InitPluginsDir:0 initializeParams:124 load_BITool:0 send_BI_Init:32 load_DownloadACC:15 retrieveUISource:0 unpack_webappfolder:0 unpack_icon:0 RetrieveMainOfferKey:0 unpack_OpenCandyDll:47 load_webapphost:0 unpack_ProxyInstaller:0 navigate_loadingUI:530 navigateAsync_constMainOffer:0 BuildUserProfile:16 retrieve cid:0 callService1:14711 callService1:12012 callService1:12012 " , "phase_duration" : "" , "error_details" : "Failed communicate with the DistributionEngineService. Inner Error: SendRequest Error " , "result" : "Error" , "user_operating_system_bits" : "" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "" , "user_ms_dotnet_framework_ver" : "" , "user_acount_type" : "" , "user_ie_version" : "" , "user_default_browser_version" : "" , "user_default_browser" : "" , "user_service_pack" : "" , "user_operating_system" : "" , "revision_number" : "0" , "build_id" : "00000000" , "dm_version" : "1.3.7.9_NoStatic.130521.01" , "bundle_id" : "01c14dd7-dc2e-485a-aa85-67ccfc55af32" , "machine_user_id" : "{064310DE-CE12-49B6-B1F3-AF9974A8BDE6}" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "A5F04A7A-006C-4755-BB1D-D8FAABB731C7" , "publisher_internal_id" : "61" , "publisher_id" : "Conduit Long Tail" , "publisher_account_id" : "ConduitLongTail" , "order" : "2.0" , "phase" : "InitComplete" , "Is_Test" : "0" }
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3016

Network

DNS

ude.conduit-data.com

BI.exe

Remote address:

8.8.8.8:53

Request

ude.conduit-data.com

IN A

Response

ude.conduit-data.com

IN CNAME

as-jazz-1974986062.us-east-1.elb.amazonaws.com
DNS

offering.service.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

offering.service.distributionengine.conduit-services.com

IN A

Response

offering.service.distributionengine.conduit-services.com

IN CNAME

origin-distribution-offering.conduit-services.com

origin-distribution-offering.conduit-services.com

IN CNAME

offering.service.distributionengine.ams.conduit-services.com

offering.service.distributionengine.ams.conduit-services.com

IN A

195.78.120.173
DNS

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

cms.distributionengine.conduit-services.com

IN A

Response

cms.distributionengine.conduit-services.com

IN CNAME

origin-distribution-cms.conduit-services.com

origin-distribution-cms.conduit-services.com

IN CNAME

cms.distributionengine.ams.conduit-services.com

cms.distributionengine.ams.conduit-services.com

IN A

195.78.120.172

195.78.120.173:80

offering.service.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.173:80

offering.service.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.173:80

offering.service.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3
195.78.120.172:80

cms.distributionengine.conduit-services.com

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

152 B
3

8.8.8.8:53

ude.conduit-data.com

dns

BI.exe

66 B
205 B
1
1

DNS Request

ude.conduit-data.com
8.8.8.8:53

offering.service.distributionengine.conduit-services.com

dns

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

102 B
215 B
1
1

DNS Request

offering.service.distributionengine.conduit-services.com

DNS Response

195.78.120.173
8.8.8.8:53

cms.distributionengine.conduit-services.com

dns

0f79e01bbc0b725d5f112ceb7bfc1767_JaffaCakes118.exe

89 B
184 B
1
1

DNS Request

cms.distributionengine.conduit-services.com

DNS Response

195.78.120.172

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\Failed.htm

Filesize
6KB

MD5
4bca38bc78f5e8283655b1dda3d81b2c

SHA1
b1e61db910ebc37bcbf4650d773d727b15fc8554

SHA256
16b03f64adc522298a636a117869d821379e341314704a4eb7e2263689e76d91

SHA512
6b4559f2f658835ca3a5a8772f424415838990fd7b22ce9452577c6f1e92c8776fe8f25e2747e91dcf59b390084d82bc48f3bfaafb242c3374b0e98e81db3509

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\BI.exe

Filesize
75KB

MD5
1adf1396f52601d12f1223f403e5626b

SHA1
f9cba0fa24ff2e8e046c56986e8e4216a7a9f44a

SHA256
6661a06ada916833eb5dcc802513c2936e902cbd5acd9884519c99c2f5a7d670

SHA512
eaa583bede82c2b2544108669e8d4e998150a0cd11a79bb6b20f3daeccf06abcc8642debde08612d9690a0636d50b996a8b9da8c2bf16cdeeccd963c6a08362b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\System.dll

Filesize
17KB

MD5
a4f38d1c7a480f5da1bb8097b8b939db

SHA1
b3129c2a0e61881381463f5e0cbbffa573daa845

SHA256
e1180e1e3344c7536150275e33de53dc1dd1a3ca03be66c4d4875fe5bcd4e436

SHA512
fed89f7ee9364fc2f4b9f82c4563713497043947e98dbb03e7d755681adf3ae661aba80d08e59988a23695fc64481b69d9842b7ec7d2b572cc872c4c9957febc

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA70B.tmp\webapphost.dll

Filesize
738KB

MD5
6613cd74e6bd049b4f9b9295a17ae4fd

SHA1
138c5a96b6012f46b88e8b60aac9a365852b9e8b

SHA256
65b7afa0c263db4e3ff726247d5864ae4463c7618bd9756e486a2c206e97c09f

SHA512
906fc13c560cd8f302a3e1b2302071bb64bba05176319d1ba8036524a2d2d5982f20fd10b8dff945bbcebaace1872697108f1da0174c439f34c3a788b48754fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA7B6.tmp\inetc.dll

Filesize
29KB

MD5
dccdcb124064a1d9a5eb12232348b898

SHA1
f294fac154cb1c6c18fe054ac584f767594b93fb

SHA256
37adc0183d94ae6ca1895643423dac0c97750d7103e6b00c14299dfc4ad2271e

SHA512
bd89bcd513bb7120db80e1115b4caceaa18c4ea863fe29b232002d447c3813133ff2849fcb2d4df45e3ff67e0e0d9d340d61060b9c74045b17efa5b1c1f5b05e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.