f5fc522ee7ea42699bee0f64510ecf5194f073a4029af9995a2f236a144a7b59

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
Size

45KB
MD5

12deba0b037118181b7c0f6277baaf67
SHA1

46fc4fb95d3a2720669ded9d0506506619c1118b
SHA256

f5fc522ee7ea42699bee0f64510ecf5194f073a4029af9995a2f236a144a7b59
SHA512

96487cdf72f76fd70a1034e86adb6ae8380807c19eb65a1b72d6d3370cdd3386b735751132123d75706e22ba067d8148ce340c25749b385b5ac07e705bf77bb7
SSDEEP

768:Q6MDEOgk6guQrhO23k7/9sppE0iKFz89519yFSUKhJJ16c5Qbdk1Kj30ZRfJLJVS:gExDPQ9l3ky88x8vTJJ16mQbdUKLwRZe

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
1696	svchost.exe
2824	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\taoY.ico	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pop1.vbs	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tencent\StormLib.ncq	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
File created	C:\Program Files (x86)\installer\svchost.exe	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\installer\svchost.exe	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135300"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1032329664"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434800971"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1032329664"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0018cd3d4416db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1031391942"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135300"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135300"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135300"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00fad13d4416db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{68FF8E6F-8237-11EF-8D5B-4E01FFCF908D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc73570000000000200000000001066000000010000200000008cc325b240e594a99f3061631417bcfebe839ad23de979d95e1c49e376d82dd5000000000e80000000020000200000000053a46872cd495820a6c6720a2c3a484e8579f38f7ff35ac206d1f8602b3b6c2000000013d6a519fa09055096730fceb63c07987b9b276502eabede3c1bc94ced32429e40000000c02490254349856e11a788f57f24a55042b33ba327a04c7cff37ce96aa0459826992e456ae9e348c04c1e1ca68626bdba51d16fe5fe6457c62543242c81b146c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc73570000000000200000000001066000000010000200000002386ddadf132e45a9950bb130e0383e15f4e5a094d5a1f529c69348efef96c87000000000e80000000020000200000003bcd50d435b031e22c43f6df12a6649d191a5c0e826f16852b3ab858954e4b3920000000a82e63082714f33f453250832ae1c016cd7f54c3f657b736467981ebe04984dc40000000cb419161daaec382c9b5e8076ed33fc9400290ddc5cd9679697708609fdd244dfcde876236506bbc475eab3f007ba8769b3341a32f9678b38812b2738cc2aba0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1031391942"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncq	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncq\ = "JSEFile"	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3104	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3104	iexplore.exe
3104	iexplore.exe
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1696	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	82
PID 1272 wrote to memory of 1696	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	82
PID 1272 wrote to memory of 1696	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	82
PID 1272 wrote to memory of 2824	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	83
PID 1272 wrote to memory of 2824	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	83
PID 1272 wrote to memory of 2824	1272	12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe	83
PID 2824 wrote to memory of 3104	2824	svchost.exe	84
PID 2824 wrote to memory of 3104	2824	svchost.exe	84
PID 3104 wrote to memory of 1656	3104	iexplore.exe	85
PID 3104 wrote to memory of 1656	3104	iexplore.exe	85
PID 3104 wrote to memory of 1656	3104	iexplore.exe	85

C:\Users\Admin\AppData\Local\Temp\12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12deba0b037118181b7c0f6277baaf67_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files (x86)\installer\svchost.exe
  "C:\Program Files (x86)\installer\svchost.exe" "C:\Program Files (x86)\tencent\StormLib.ncq"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Program Files (x86)\installer\svchost.exe
  "C:\Program Files (x86)\installer\svchost.exe" "C:\Windows\system32\pop1.vbs"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.95081.net/1.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3104 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\installer\svchost.exe

Filesize
144KB

MD5
ff00e0480075b095948000bdc66e81f0

SHA1
c2326cc50a739d3bc512bb65a24d42f1cde745c9

SHA256
8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea

SHA512
3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

Download Submit
C:\Program Files (x86)\tencent\StormLib.ncq

Filesize
9KB

MD5
671584bd11cff35064c545a7d9599de7

SHA1
273a7ed0bdf66933f6f8c49ed8483d241d273472

SHA256
23f3698310efc119ef079650deec34abacf853eea78eabefd179836c430828b7

SHA512
f8b597fab65f7316768ce24e41f0218da116d2f42affd088ad59113a968900be70c72b07f4206374d1e1e6177406af747e06482c56e91443832fffb3fa216795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
db7c83e09ebc4317f2bf2df7f66b8513

SHA1
29d58ef43f72ce7cf79ce6109d038a6c9b4873f0

SHA256
1ae4c8aa37bf433bc5b3b45e017c95bf843c7dbbe348c78c7ab6f3cad0fda4b8

SHA512
6eb46ae0c3e091ba13b1c0e3fb6de568882940df7968d0e1297568ea5356a4691f2a869c7c9ac9e9642bcc2e4e1388d00b15c663276143e8cb5015ab89c27867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
1da86e32de6de9cfc6e32dc392250832

SHA1
f1f07281795bcc9488f5ce70cfd796e01bba5532

SHA256
317c55d246507268f7db9cfc0d785a3ba32701ff66880875b1f109a95a7711f3

SHA512
f3b64e12e9b3cb92368e8142744f76bdba33709b2a3466ed1ae8a14246c4371bd00cfd151e357d37d763022ea6e96359edfb252414d9e197d28d3be734436826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFF5F.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\pop1.vbs

Filesize
216B

MD5
1fe47a988c978d68e86019de56b29bda

SHA1
6904ea05d6d22e1d5fac34dd28d8455a37cd8820

SHA256
58ef16f24f50009390d92e9bd4172c02f3e4c213151bbef7033bad535ea41f43

SHA512
6f8a401d310243ed54b68c10c582808a5d3f5ea89746b5d9cc67df7d11bec6fd2467b726df9c0198f21b8c5afd1d2bbb75405c8693cd2b1451b179ee0fbc45c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads