26722e4f73faf4b6cb40be70c083edbd5909605c2d52fe36bd7bf3e03c9f3ac8

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
Size

1.1MB
MD5

140d1584be53de1240a8ccb72b484b84
SHA1

0d2d7cea89be204be3a25aca223832653f5144b7
SHA256

26722e4f73faf4b6cb40be70c083edbd5909605c2d52fe36bd7bf3e03c9f3ac8
SHA512

f86a685c34174183ee79f08238f0a7933d3b9e85a80144a0c665a2771933c663c9b352911b83d119429f629942c02d33da7e9259930b1079f10fc242065bc2e0
SSDEEP

24576:Plhx+fBjtQII5/BZEzOpe/OSTFN2PXCXKCKrY78XCQewz7vY9FJh1:7xkttQN5Gwe/OSTGPXpTJyQJIFf1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	HTMLPassword.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
2192	HTMLPassword.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTMLPassword.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	HTMLPassword.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	HTMLPassword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	HTMLPassword.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahp	HTMLPassword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahp\ = "HTMLPassword.Document"	HTMLPassword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahp\ShellNew	HTMLPassword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ahp\ShellNew\NullFile	HTMLPassword.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	HTMLPassword.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
Token: 33	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2192	HTMLPassword.exe
2192	HTMLPassword.exe
2192	HTMLPassword.exe
2192	HTMLPassword.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30
PID 1868 wrote to memory of 2192	1868	140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\140d1584be53de1240a8ccb72b484b84_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Cyes\Sandbox\1.0.0.0\STUBEXE\@PROGRAMFILESX86@\HTML Password Wizard\HTMLPassword.exe
  "C:\Program Files (x86)\HTML Password Wizard\HTMLPassword.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Cyes\Sandbox\1.0.0.0\META\@PROGRAMFILESX86@\HTML Password Wizard\HTMLPassword.exe.__meta__

Filesize
32B

MD5
5873b0e2f88db7f76c6bd0e39069b466

SHA1
2eaac21b72d6677b6f1e342a488d2a1b58d49b92

SHA256
b568ed56865150f34e95e94b4b430c1c1178d5150e851ac3678d75fe3a3a2de5

SHA512
d4137085d5fce222ff3d365eae4330695e4a80011470d671b77a7f61a3d7cffdf7cdb9eab7308b93bc9bb2d036c78afe3f6db0a3647e5d3350b1ac8e24458d81

Download Submit
\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Cyes\Sandbox\1.0.0.0\XSandbox.bin

Filesize
16B

MD5
80d1567206b15139f5131c708a7917b9

SHA1
d6b1ea0b130cf388fb7fdc57f7b246364d68b97b

SHA256
1220f85a73b0e51391d39de432b2d93da4d9435cfcdc84e1324b0a082f33568d

SHA512
bfdee7f70ef1bbbad14ad4a35bb54c4c294ef767e1f8b2cc9734aa226b956dc720800fb29aa8f6d14a395efedad101c6de9bb12037fa4fcfa97e1b173b317036

Download Submit
\Users\Admin\AppData\Local\Cyes\Sandbox\1.0.0.0\MODIFIED\@PROGRAMFILESX86@\HTML Password Wizard\HTMLPassword.exe

Filesize
664KB

MD5
c4d58285353e1d33dc9b597d87c3d500

SHA1
bc051e123c6e52421592efc85d6f188c21d78631

SHA256
37be306e2c1dce47230bf9bff18f7bd924a75132ad3e9102a493d0a8d73cfb6b

SHA512
d75ec4ed37bc8bad715b080c1c7fcbf1728966f0c4a2f6b67d1fc5d8817020e35aa2369ddca517e6c1687528c8d53e6f6341f6d6e24073a490d46d7a7a27d13a

Download Submit
\Users\Admin\AppData\Local\Cyes\Sandbox\1.0.0.0\STUBEXE\@PROGRAMFILESX86@\HTML Password Wizard\HTMLPassword.exe

Filesize
17KB

MD5
be78348fbc1aab0258c1358927228a59

SHA1
4338e041a4f7003dc06e7c647ad7620604ae9dff

SHA256
42975f96fbc0d5249320a47dcdef21adcd4d9fe30aa8c16388ed96d1a0823e5d

SHA512
1c61db4fa3b305425ff54b786e325c01c4a2bcc929b9604e84f1a840866c14241ca5522a12c15e8ecfe01e28e4350496fff782605f9387481d28002028ea4687

Download Submit
memory/1868-17-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1868-16-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1868-13-0x0000000076490000-0x00000000764D7000-memory.dmp

Filesize
284KB

Download
memory/1868-20-0x00000000014C0000-0x0000000001545000-memory.dmp

Filesize
532KB

Download
memory/1868-19-0x00000000014C0000-0x0000000001545000-memory.dmp

Filesize
532KB

Download
memory/1868-18-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1868-0-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1868-12-0x000000007649F000-0x00000000764A0000-memory.dmp

Filesize
4KB

Download
memory/1868-15-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1868-14-0x0000000010000000-0x000000001002C000-memory.dmp

Filesize
176KB

Download
memory/1868-2-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1868-28-0x00000000014C0000-0x0000000001545000-memory.dmp

Filesize
532KB

Download
memory/1868-4-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/1868-57-0x0000000076490000-0x00000000764D7000-memory.dmp

Filesize
284KB

Download
memory/1868-10-0x00000000014C0000-0x0000000001545000-memory.dmp

Filesize
532KB

Download
memory/1868-11-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2192-37-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-43-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-31-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-42-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-41-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-40-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-39-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-38-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-36-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-35-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-46-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-45-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-44-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-34-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-33-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-48-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-51-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-49-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-52-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-53-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-54-0x00000000005F0000-0x0000000000675000-memory.dmp

Filesize
532KB

Download
memory/2192-32-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-58-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-65-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download
memory/2192-71-0x0000000000400000-0x00000000004AD000-memory.dmp

Filesize
692KB

Download