1a3f8caad129ba23d361cc874d2b6a9cd2b237426d627ec50399332de6399305

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe
Size

1.3MB
MD5

26894f8c16a724b3b92c47bb2ad008c1
SHA1

b9e10f49636e54ffbc82c3f4ca6a4e37c6a40d16
SHA256

1a3f8caad129ba23d361cc874d2b6a9cd2b237426d627ec50399332de6399305
SHA512

7143dd298e50a5d707d08c39b3e1f831ae2d002a4a7b37a0a9cda90936cc8057933f3e9c008ac2be0c39f1fb133c45ba98796e093dbfad10594fbc21ad18beb1
SSDEEP

24576:hTCMXuthC1jc1a05AuL7FyA/5JCgFeRmX2lSHEt0KvG8iiN/7X7VIwF0M:hTC4uOVcY6JL7M8CEimGlSHU0GGw9TJR

Score

7^/10

credential_access discovery persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	updates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Tube Increaser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Tube Increaser.exe

Executes dropped EXE 7 IoCs

pid	Process
1788	irsetup.exe
388	updates.exe
3668	Tube Increaser.exe
3724	Tube Increaser.exe
4720	irsetup.exe
1948	Tube Increaser.exe
5052	alg.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Application Layer Gateway = "C:\\Program Files (x86)\\Common Files\\alg.exe"	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 1948	3668	Tube Increaser.exe	92

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c9d-3.dat	upx
behavioral2/memory/1788-11-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/1788-87-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/4720-111-0x0000000000400000-0x000000000057F000-memory.dmp	upx
behavioral2/files/0x0008000000023ca2-109.dat	upx
behavioral2/memory/4720-130-0x0000000000400000-0x000000000057F000-memory.dmp	upx

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Your Product\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\IRIMG1.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uniAA3A.tmp	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\updates.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\uniAA3A.tmp	irsetup.exe
File created	C:\Program Files (x86)\Your Product\updates.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Tube Increaser.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Tube Increaser.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\alg.exe	irsetup.exe
File created	C:\Program Files (x86)\Common Files\alg.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uninstall.xml	irsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Your Product Setup Log.txt	irsetup.exe
File created	C:\Windows\Your Product\uninstall.exe	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tube Increaser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tube Increaser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4876	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync	Tube Increaser.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Tube Increaser.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Tube Increaser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Tube Increaser.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1788	irsetup.exe
1788	irsetup.exe
1788	irsetup.exe
388	updates.exe
3668	Tube Increaser.exe
3668	Tube Increaser.exe
1948	Tube Increaser.exe
4720	irsetup.exe
4720	irsetup.exe
4720	irsetup.exe
3724	Tube Increaser.exe
3724	Tube Increaser.exe
5052	alg.exe
5052	alg.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1788	2612	26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe	85
PID 2612 wrote to memory of 1788	2612	26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe	85
PID 2612 wrote to memory of 1788	2612	26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe	85
PID 1788 wrote to memory of 388	1788	irsetup.exe	88
PID 1788 wrote to memory of 388	1788	irsetup.exe	88
PID 1788 wrote to memory of 388	1788	irsetup.exe	88
PID 1788 wrote to memory of 3668	1788	irsetup.exe	89
PID 1788 wrote to memory of 3668	1788	irsetup.exe	89
PID 1788 wrote to memory of 3668	1788	irsetup.exe	89
PID 3668 wrote to memory of 3724	3668	Tube Increaser.exe	91
PID 3668 wrote to memory of 3724	3668	Tube Increaser.exe	91
PID 388 wrote to memory of 4720	388	updates.exe	90
PID 388 wrote to memory of 4720	388	updates.exe	90
PID 388 wrote to memory of 4720	388	updates.exe	90
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 3668 wrote to memory of 1948	3668	Tube Increaser.exe	92
PID 1948 wrote to memory of 3988	1948	Tube Increaser.exe	93
PID 1948 wrote to memory of 3988	1948	Tube Increaser.exe	93
PID 1948 wrote to memory of 3988	1948	Tube Increaser.exe	93
PID 4720 wrote to memory of 5052	4720	irsetup.exe	94
PID 4720 wrote to memory of 5052	4720	irsetup.exe	94
PID 3988 wrote to memory of 4876	3988	cmd.exe	96
PID 3988 wrote to memory of 4876	3988	cmd.exe	96
PID 3988 wrote to memory of 4876	3988	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2878641211-696417878-3864914810-1000"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Program Files (x86)\Your Product\updates.exe
    "C:\Program Files (x86)\Your Product\updates.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:654882 "__IRAFN:C:\Program Files (x86)\Your Product\updates.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-2878641211-696417878-3864914810-1000"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Program Files (x86)\Common Files\alg.exe
        
        "C:\Program Files (x86)\Common Files\alg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5052
- - C:\Program Files (x86)\Your Product\Tube Increaser.exe
    "C:\Program Files (x86)\Your Product\Tube Increaser.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\Tube Increaser.exe
      "C:\Users\Admin\AppData\Local\Temp\Tube Increaser.exe"
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3724
  - - C:\Program Files (x86)\Your Product\Tube Increaser.exe
      "C:\Program Files (x86)\Your Product\Tube Increaser.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\PROGRA~2\YOURPR~1\TUBEIN~1.EXE
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\alg.exe

Filesize
32KB

MD5
1a7c89b423b0ea055c88df567aed676d

SHA1
44c023bb04870bda07576a2330ab44d5ac7ab4bc

SHA256
9fb9dba9bd7b85c48fb4f7b9c0f839784bee292418d000984e2fa22e1e2b9a03

SHA512
bb1c9a6d2a39448e479631d309f7499698d93e7edfaa66627b51f2781f6a3bd2c44b58b039c71ebcda64c010b0db81efa5cb41a6bb755001902895cf49926df7

Download Submit
C:\Program Files (x86)\Your Product\Tube Increaser.exe

Filesize
108KB

MD5
61c3525b4acb2b1e196df9a098505b64

SHA1
c0b5f04efc80af7c71827dbc840a034d31505884

SHA256
9b072f5db95eef0e15553497c72b39f35777b05e20a2fe6ac4e853f946fbfae6

SHA512
40697454af6d0893ab95f308422221f13f3dd39f7b398f34d7ad5f372321b3a4b5faa5472e841b23c614c5381be862d322b284359a0132d67c5f9583af205659

Download Submit
C:\Program Files (x86)\Your Product\Uninstall\uninstall.xml

Filesize
6KB

MD5
978e3da47e2706983628bad8731b1d73

SHA1
60ec83ab24ecc90814dad2579889b764173bdc0f

SHA256
22e5e5367b4c43401399d18c414a28d305120a67589ad6bc61f0f5094d743093

SHA512
6994e798628f989af83a6db4197ca5c359834903820bc7a6723b796c84b39bff610783267b2dd0c6c33f19a450f6e7d8f7f7bfd66ace9d1befbba1cd9e85bbeb

Download Submit
C:\Program Files (x86)\Your Product\updates.exe

Filesize
675KB

MD5
f0fda7be6d41410c0c8cc46a461ec0d7

SHA1
026778461924cb8aa68121a519c09eb64192e1a4

SHA256
6c6dd0385104635e6fe40a8d583806a6d6689eef99ee6c34a140f54d06b73746

SHA512
95191d98a625e517b8e057e88734e7106518fec09368e3ecb247eafab63507c7d58c2cb5bba2f5f948e94d76631d5ecf90b75874aa7295bc0dada9c4e1f4ea9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tube Increaser.exe

Filesize
69KB

MD5
c016ee709ab74fe9df77a27b7222d267

SHA1
d1c26fdb784bf6367b9902a1ed3a9800fc4b41de

SHA256
d91a8981f9649ff8222225b70aef5ebf51d2e5d11876f1a457e20808635a6687

SHA512
3a65429a3bc0682531ad91eda041673120528d8ae7aac2518697ae194dc24880e2ccc5722ae4acee18f6f92fbbee712e5d97ccad15e099e6f3a0dd8e18fd376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

Filesize
2KB

MD5
af18f3f894be69733e04750b236e219a

SHA1
8e552822666e75f5b6054787e827ff51d3425a2e

SHA256
4ba385aee9eae013c9cdeb58fc1023475b003d085d84c1707fd7bfe1901238fa

SHA512
4ac3416323376aae7043b030bde30da02d339773c539815a1e9fe4ee2384fbe8132d83f68a054ee254424134a3994e47749b20ac0f3f69ada77e1c28120c4cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
562KB

MD5
2a6851974cff57bee62a83c52ce68863

SHA1
c3b22bb00c555274d6413ae48e3ed82103462ff6

SHA256
d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1

SHA512
25e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
98KB

MD5
b7f9218355f149061bc5cbabf605dde9

SHA1
edcfc72f7de9be8d8d258649547fca29b4105642

SHA256
efec700c088e7f6e6c2213ec40c815359f8136b4e65e104030005c0c600c6a72

SHA512
09e61f2d7ee089ef0f2963147f86dc86ee348a35b441b53b8257ea686b07571089cf283a9420ec320f8ab1c5083475098ee7fa3619b49978b262946745052e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
563KB

MD5
76da2c7c124183acf74251db2a336a79

SHA1
e3af0b141c37fe8db95397970aac0f9545e8b45a

SHA256
77a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0

SHA512
b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4

Download Submit
memory/1788-11-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1788-87-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1948-110-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1948-107-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1948-124-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3724-133-0x000000001BCD0000-0x000000001BD6C000-memory.dmp

Filesize
624KB

Download
memory/3724-132-0x000000001B800000-0x000000001BCCE000-memory.dmp

Filesize
4.8MB

Download
memory/3724-134-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/4720-130-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/4720-111-0x0000000000400000-0x000000000057F000-memory.dmp

Filesize
1.5MB

Download
memory/5052-131-0x000000001B250000-0x000000001B2F6000-memory.dmp

Filesize
664KB

Download
memory/5052-135-0x000000001BF80000-0x000000001BFCC000-memory.dmp

Filesize
304KB

Download
memory/5052-136-0x000000001C040000-0x000000001C0A2000-memory.dmp

Filesize
392KB

Download
memory/5052-141-0x00000000204F0000-0x0000000020C96000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads