edcb20c4866a9bb4d39179a8d8709db43780b82904a02f5fe7a3825f1ad232b5

Analysis

max time kernel
94s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe
Size

341KB
MD5

2df035196145068fe24c8d7438e0b00d
SHA1

53ae34982eaa6c3110ba3b63e8fba38f17dc6ebc
SHA256

edcb20c4866a9bb4d39179a8d8709db43780b82904a02f5fe7a3825f1ad232b5
SHA512

7eaaa617c5e2b3cf5640f750f17c77cd464a3da92e5d6e32ebd9a562047605c93e5822aa068c231fc1ec3d1ef6a463a8afdd5217f892a849c9cfa565a6e0721f
SSDEEP

6144:2+npuvh2skM2pH04MD41iszT4YWECSQxu/9n33WzvM6n15Qpb2StFKpF5pL5:kQ/JpH04MD4vX9nSoWzHop6SbKppF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	seupd.exe

Loads dropped DLL 3 IoCs

pid	Process
4360	seupd.exe
4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe
4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Firefox\searchplugins\google_search.xml	seupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seupd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023ca5-2.dat	nsis_installer_1
behavioral2/files/0x0008000000023ca5-2.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\FaviconURL = "http://www.google.com/favicon.ico"	seupd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\SuggestionsURL = "http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}"	seupd.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\SearchScopes	seupd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}"	seupd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\URL = "http://search.search-star.net/?sid=10101046100&s={searchTerms}"	seupd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\ShowSearchSuggestions = "1"	seupd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\SortIndex = "0"	seupd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES	seupd.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}	seupd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE4C2C37-EDC8-4C00-B864-3C38CF3BA834}\DisplayName = "Google"	seupd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1108	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4360	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	85
PID 4704 wrote to memory of 4360	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	85
PID 4704 wrote to memory of 4360	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	85
PID 4704 wrote to memory of 1108	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	87
PID 4704 wrote to memory of 1108	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	87
PID 4704 wrote to memory of 1108	4704	2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2df035196145068fe24c8d7438e0b00d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Documents and Settings\All Users\Application Data\Update\seupd.exe
  "C:\Documents and Settings\All Users\Application Data\Update\seupd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:4360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 60 /tn "Updater" /tr "\"C:\Documents and Settings\All Users\Application Data\Update\seupd.exe\"" /ru "System"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Update\seupd.exe

Filesize
307KB

MD5
143daa59ea3c3adc09b8e08be4d796fa

SHA1
378adfe3038e7e25a02fdf0db8acc845fd6c0461

SHA256
44ffa994a1cb265688af7f7fa4862aac022a9a95b6351032aa98e101159eab86

SHA512
f38aef36e7a7a34cc3073ab1f3334c6040b1b4a4604f181e22557d5faa758db36b8d671c3366fb4b1d9810a118f06426708fe0d22764f6084070cde3b506617f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCA08.tmp\registry.dll

Filesize
16KB

MD5
24a7a119e289f1b5b69f3d6cf258db7c

SHA1
fec84298f9819adf155fcf4e9e57dd402636c177

SHA256
ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1

SHA512
fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmCA27.tmp\NSISdl.dll

Filesize
14KB

MD5
9c90c746adae5171c52b932080113331

SHA1
2eb66e61ad38a33aa6e6c245e84e0a78dfcc5460

SHA256
5b7be83ff4f023eba8d2d7ab972b067a904adc71f56a50cb367619cd116d0e92

SHA512
fca06b4b39fdd76002487a4f9a454bec5507b2355a0e4e2dfe044e2def52bbd01aa5d2a0077703f7b8814b248743fac2b84fd37f611e04281f7e5c428e245565

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmCA27.tmp\nsExec.dll

Filesize
6KB

MD5
cdff6b8f9523b6ef9f20fb5f9e90f1a5

SHA1
b25f6e0a19b41ff0a12de8e98e3005bc119d34fa

SHA256
80b2740fb3a21ffab022a96ce6b420019072f8ef3a048fd9dea4a5b64498c0c8

SHA512
62585c6a6103aed10f9a79c016df8cb630c3e37715542b5f26aa1a910771540c9b323ddbba3329db0ecf524143f7a27b782e198ce944317f764be6b9d04b792e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads