Analysis
- max time kernel: 138s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 04:41
Static task
- static1
Behavioral task
- behavioral1
  Sample: 16338afd5edef572b39d99223d59b186_JaffaCakes118.html
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: 16338afd5edef572b39d99223d59b186_JaffaCakes118.html
  Resource: win10v2004-20240802-en
General
- Target: 16338afd5edef572b39d99223d59b186_JaffaCakes118.html
- Size: 155KB
- MD5: 16338afd5edef572b39d99223d59b186
- SHA1: 57032ff6eb98ded16de915b2ac9e2dfe41e37273
- SHA256: 8759bdae06611ce65673624cca4191f67d858b963a9042b018e6b68daae1183d
- SHA512: 2a7b5a7cc7b7381dd4e904f51e24fe7a01e67e8822b4a796bfe47f0f1eb2d301402c6f34c7649de70afd7bbc99cc07e14a677251bd1bd96255c39ef3c6d92f9c
- SSDEEP: 3072:iKmxYJHPpW+9yfkMY+BES09JXAnyrZalI+YQ:iJsHPA+IsMYod+X3oI+YQ
Malware Config
Signatures
Executes dropped EXE 2 IoCs
- PID 2680  svchost.exe
- PID 2408  DesktopLayer.exe

Loads dropped DLL 2 IoCs
- PID 2612  IEXPLORE.EXE
- PID 2680  svchost.exe

Yara rule match: upx 5 IoCs
- behavioral1/files/0x00300000000178b0-430.dat  (rule: upx)
- behavioral1/memory/2680-434-0x0000000000400000-0x000000000042E000-memory.dmp  (rule: upx)
- behavioral1/memory/2680-437-0x0000000000400000-0x000000000042E000-memory.dmp  (rule: upx)
- behavioral1/memory/2680-436-0x0000000000230000-0x000000000023F000-memory.dmp  (rule: upx)
- behavioral1/memory/2408-445-0x0000000000400000-0x000000000042E000-memory.dmp  (rule: upx)

Drops file in Program Files directory 3 IoCs
- File opened for modification: C:\Program Files (x86)\Microsoft\px31BA.tmp  (svchost.exe)
- File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (svchost.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (svchost.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (DesktopLayer.exe)
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer:
- Key created: LowRegistry  (iexplore.exe)
- Key created: LowRegistry\DOMStorage  (iexplore.exe)
- Key created: BrowserEmulation\LowMic  (iexplore.exe)
- Key created: InternetRegistry  (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "1"  (iexplore.exe)
- Key created: Recovery\AdminActive  (iexplore.exe)
- Set value (int): Recovery\AdminActive\{2B0CA7B1-82D4-11EF-B6DF-4A174794FC88} = "0"  (iexplore.exe)
- Set value (int): Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
- Key created: Main\WindowsSearch  (IEXPLORE.EXE)
- Key created: LowRegistry\DontShowMeThisDialogAgain  (iexplore.exe)
- Key created: Zoom  (iexplore.exe)
- Set value (int): Main\CompatibilityFlags = "0"  (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
- Set value (str): Main\FullScreen = "no"  (iexplore.exe)
- Key created: Toolbar  (iexplore.exe)
- Key created: Toolbar\WebBrowser  (iexplore.exe)
- Key created: IETld\LowMic  (iexplore.exe)
- Key created: IntelliForms  (iexplore.exe)
- Set value (int): DomainSuggestion\NextUpdateDate = "434265211"  (iexplore.exe)
- Key created: SearchScopes  (iexplore.exe)
- Set value (int): SearchScopes\DownloadRetries = "2"  (iexplore.exe)
- Key created: GPU  (iexplore.exe)
- Key created: DomainSuggestion  (iexplore.exe)
- Set value (str): Main\WindowsSearch\Version = "WS not running"  (IEXPLORE.EXE)
- Key created: Main  (IEXPLORE.EXE)
- Key created: Recovery\PendingRecovery  (iexplore.exe)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000  (iexplore.exe)
- Key created: Main  (iexplore.exe)
- Key created: PageSetup  (iexplore.exe)
- Key created: Main\WindowsSearch  (iexplore.exe)
- Key created: Main  (IEXPLORE.EXE)
- Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
- PID 2408  DesktopLayer.exe  (4 times)

Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2656  iexplore.exe  (2 times)

Suspicious use of SetWindowsHookEx 12 IoCs
- PID 2656  iexplore.exe  (4 times)
- PID 2612  IEXPLORE.EXE  (4 times)
- PID 2044  IEXPLORE.EXE  (4 times)

Suspicious use of WriteProcessMemory 20 IoCs
- PID 2656 (iexplore.exe) wrote to memory of 2612, procid_target 30  (4 times)
- PID 2612 (IEXPLORE.EXE) wrote to memory of 2680, procid_target 35  (4 times)
- PID 2680 (svchost.exe) wrote to memory of 2408, procid_target 36  (4 times)
- PID 2408 (DesktopLayer.exe) wrote to memory of 2880, procid_target 37  (4 times)
- PID 2656 (iexplore.exe) wrote to memory of 2044, procid_target 38  (4 times)
Processes
- C:\Program Files\Internet Explorer\iexplore.exe  (PID 2656)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\16338afd5edef572b39d99223d59b186_JaffaCakes118.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2612)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 2680)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe  (PID 2408)
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe  (PID 2880)
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2044)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:1192969 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6e78d4badafe9689c05c7a7d8b5905c3
  SHA1: 6e3e93eb6d5de742194a7de410304d30d93dad4b
  SHA256: 7e2f8d6cdc8cdc0c6a9a54ec378bcd7fdef186fbd9b5b859281387da70cd81cf
  SHA512: bd730960c7574f8160d074c97f4aa3d0babac00d0dad9f44dae56849799d89ab95a4f33bbaf173961d24f199a65189a9d54eff496687bb05f821dfa95e6e0286
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6373d1e3236c9802b54b2db732b4b6ea
  SHA1: bf317c07485f329e8718adbbfe815403a167519d
  SHA256: 4aedeb96ce35e5f518dd5a2fc263a782202d37598667f18cecde4292fe8f684d
  SHA512: 177f3e1966fa62f7c64c6aa2194a4e60939164e9457c43887c0cd4129270d5729f821cc860f2073d96bc1703842b9184020d5af1f4c7fc497374f54ff4ac4d5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f48a939bb19ef26ed127b9fea21de03d
  SHA1: 1243b747da93e27dd2f4c242782e617ba0dc68d3
  SHA256: 158626592dbb0d2bc2484a410ffaa9675417374ff5a71fdbe44591dca6be7a92
  SHA512: 8c38c001e7ad96f5ec343e368f6a27864d5b85bf75fbf6becfd8a66e863f69324b27753703a7f9083e97de5a4c77807fc889265149776e605755b51402ff5cdc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 220493774e331f524dd48af59cf89d35
  SHA1: 3a8b2caf4212579a10a0222f7347f4948deb6eb2
  SHA256: 479cb8e4d73294ba77b3d0760bf82f45f91cbbf4608a61e1371633fa75dd943e
  SHA512: fe6e91670e1769dd6a7f99871dde2c4231a72a6ee128f41f9588ba0445a9ad3f08eb5ba3a2267a92bf5cb1191f29365303dd9b01a779cebabeec3e6367abab47
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 968f22cd5d093c36898e82ee49d566b1
  SHA1: 1dfc8b089adbec5f3ca6a1ad10c83381f00c0b49
  SHA256: f44b968dc56f848eef5870d673e1da6aea16ffee14a7f600497740a83988263a
  SHA512: cc3446914f9cbcf22bdeadd28cd22341d6185a5d6e79aefc5e9385cdb00424fd141f41090b122f0374bd848301910d9cb8df487b4c8d2a97f5df05689c983bcb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 44182f9a98d6d6c0385027a7a269e540
  SHA1: 5cc2072a308e28e687250a247fd33c1f19192782
  SHA256: 55dcca7c43b43a3c2ae67b81f956968b48196fcabc77a7028a3d33a03db3c7d5
  SHA512: 145d97964de6d2ffddd7e0ebba959c669106b378313910db6f78b9ed6aa8bf33db88dc701b58922841804b0ff7a8df0af380f02f3b12dce8ba5b8f7cd3b1db24
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 03626b3c23c7d1a3ccc07cde4d23314c
  SHA1: 5eff2d57172ce736002cb6e16727f2fdcfefee89
  SHA256: d99a6b759ab5b3230f49d0b26078b7262071b75b732efa52528a70b1dc149ef6
  SHA512: 9f726fe1f650e73f0484f6c7d74e5700268a0a22ccd0b60679fcb2df63c1611b92089251c5b5843c3f0c8c7403e245a8a760d648068d0dec2bfd27c9890529e9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2414f591f53041019ec244b968b2ca64
  SHA1: e98eabb2dfda0fbcb38a2a9c7f3fcf8c80822e28
  SHA256: 42c21ef7e4680dd5217df2c1e9556687e856e8187dad12d85e28e0d8f8dc5f0e
  SHA512: 56418912aa8a51017c85517296f09c5f5eff0c3c30ab6bc9509a476a43e6b23d336555ddd7c433eb1eeba24d409a2b3c40d2410b390247fd44fb11401c111060
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 415333f89b4c5a9eeee837f9de9df5c2
  SHA1: bcdaf81278f544fb42cfbf4917148ec783884b15
  SHA256: 0b399a83d442782c9b4624bc4abcbdb974104a0385220506c9ea976e9bbc97b8
  SHA512: c7002c35822f088b6d69c59dd9f49be0baceb6adb6dc7daa9466d5f958e5aa921b88d97458a5a46b564be0954e018331b0bb480f60d9067246a37b8af7021ee9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d9fa5e6152f7e00ae1659be4a6d88620
  SHA1: ec83d6d9ef1cf692a04d1be09a8029156b7e316b
  SHA256: 096728be347b01645d3dd3f9b8b08637182694181212b8c788ed86a3697ac5a2
  SHA512: 0988a1e8d8414949888cb0ba853d9ee59aeeec609242ba8a9c57aacfbcd916911a1bd1502061e1947b09b2d1c54032fb605fc549352fd76fea2033a03314e387
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a