Analysis
- max time kernel: 139s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-10-2024 14:31
Static task: static1

Behavioral task: behavioral1
- Sample: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- Size: 12KB
- MD5: 42b472468ba8285fc112000fb4ccdcb6
- SHA1: 4968cdcf095dd692adc293b67693a693f9f06299
- SHA256: 1eef43e969d24dd17fb74b5bdc65772a7e2f81a1c98d14b84d51f3f6ec6139a3
- SHA512: 00f65dcfc3203a0ffc7e44565decab0585d3a3ff2c121d031b48095b31d68c1bd9ceb3087cb82161542625aea07a4eb9edf37b57123334d7db539ecc22407296
- SSDEEP: 384:Hroov4WF6H5CxYbMCFasT1Y2cQPIKhH6lIQS+tdNG/C1:zXF6ZUN4UyIKuIQN9G/C
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (internat.exe)

Executes dropped EXE (1 IoCs)
PID | Process
- 4944: internat.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Description | IoC | Process
- File opened (read-only): \??\L: (internat.exe)
- File opened (read-only): \??\M: (internat.exe)
- File opened (read-only): \??\O: (internat.exe)
- File opened (read-only): \??\R: (internat.exe)
- File opened (read-only): \??\S: (internat.exe)
- File opened (read-only): \??\Z: (internat.exe)
- File opened (read-only): \??\A: (internat.exe)
- File opened (read-only): \??\G: (internat.exe)
- File opened (read-only): \??\I: (internat.exe)
- File opened (read-only): \??\P: (internat.exe)
- File opened (read-only): \??\U: (internat.exe)
- File opened (read-only): \??\W: (internat.exe)
- File opened (read-only): \??\B: (internat.exe)
- File opened (read-only): \??\N: (internat.exe)
- File opened (read-only): \??\T: (internat.exe)
- File opened (read-only): \??\X: (internat.exe)
- File opened (read-only): \??\Y: (internat.exe)
- File opened (read-only): \??\E: (internat.exe)
- File opened (read-only): \??\J: (internat.exe)
- File opened (read-only): \??\K: (internat.exe)
- File opened (read-only): \??\Q: (internat.exe)
- File opened (read-only): \??\V: (internat.exe)
- File opened (read-only): \??\H: (internat.exe)

Drops file in Windows directory (3 IoCs)
Description | IoC | Process
- File opened for modification: C:\Windows\system\internat.exe (42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe)
- File created: C:\Windows\system\internat.exe (42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe)
- File opened for modification: C:\Windows\win.log (cmd.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description | IoC | Process
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (internat.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
Modifies Internet Explorer settings
Description | IoC | Process
- Set value (data): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f071e0e5451edb01 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137349" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31137349" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3702162933" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435681277" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3700287805" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a51000000000200000000001066000000010000200000007efd90c2c176a9e62abc914b6b263a0c8a2e5d4fa2db7d3fdd7afb94a3a006bd000000000e8000000002000020000000fc586aa1b4c8f01e8504e0dc307ac3c64f22d291e7ec5cbab4a9e7eb657a4a5a2000000086fe0266ee0056afd695cb23faf9bba67313b87721185b1b4649e918c334b03a40000000fa24c9f39e52f4ef4562a7345c6d9ceb8d8ba8b751ac96c6179032aeec5d7b3d9f3ca2c2e7e4fa81144c8ea90e6ecdda0a5e3a9b55da6c0744b67fdcaf19f194 (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000e93938e5032ffc219b84138062707e0e5fd37b5a8d7bb7b47c6b6cfb67d15d0c000000000e8000000002000020000000e20d7c4728b3efdcf780685e3c0181fbc974c19fd53f7afceedd17f8c6d83cbd20000000e041c87766a3ecfdf5215705c785664f17282ae9e05d077fd15e1bfd9403f4fe40000000b490d7615935b155b6ddd0c34c173a7db88e689b88c1406d29ad95d14689f3fe16c861fb6045595aa58af77b0b8acc46b2adc2b189d37017189209112086c04c (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08350F3E-8A39-11EF-AEE2-CE95CE932DF6} = "0" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3700287805" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31137349" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e7e9e5451edb01 (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID | Process
- 1076: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- 1076: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- 1076: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- 1076: 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description | PID | Process
- Token: SeDebugPrivilege | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
- Token: SeDebugPrivilege | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
PID | Process
- 4444: iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
PID | Process
- 4444: iexplore.exe
- 4444: iexplore.exe
- 3688: IEXPLORE.EXE
- 3688: IEXPLORE.EXE
- 3688: IEXPLORE.EXE
- 3688: IEXPLORE.EXE

Suspicious use of WriteProcessMemory (14 IoCs)
Description | PID | Process | procid_target
- PID 1076 wrote to memory of 4944 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 84
- PID 1076 wrote to memory of 4944 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 84
- PID 1076 wrote to memory of 4944 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 84
- PID 1076 wrote to memory of 212 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 86
- PID 1076 wrote to memory of 212 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 86
- PID 1076 wrote to memory of 212 | 1076 | 42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe | 86
- PID 4944 wrote to memory of 4444 | 4944 | internat.exe | 88
- PID 4944 wrote to memory of 4444 | 4944 | internat.exe | 88
- PID 4444 wrote to memory of 3688 | 4444 | iexplore.exe | 89
- PID 4444 wrote to memory of 3688 | 4444 | iexplore.exe | 89
- PID 4444 wrote to memory of 3688 | 4444 | iexplore.exe | 89
- PID 4944 wrote to memory of 1780 | 4944 | internat.exe | 95
- PID 4944 wrote to memory of 1780 | 4944 | internat.exe | 95
- PID 4944 wrote to memory of 1780 | 4944 | internat.exe | 95
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe"
PID: 1076
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\system\internat.exe
    Command line: C:\Windows\system\internat.exe /sleepDown
    PID: 4944
    - Checks computer location settings
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://web.21575.com/103/tj.htm
        PID: 4444
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:2
            PID: 3688
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c dir F:\*.exe /s /b >>C:\Windows\win.log
        PID: 1780
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\42b472468ba8285fc112000fb4ccdcb6_JaffaCakes118.exe.bat
    PID: 212
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

- Filesize: 212B
  MD5: fe368711f8e73be0fd395870104fb401
  SHA1: 22dfc242a3eb6c31e8f4acb25f0210fbe68a2958
  SHA256: 466f85861fe394c3fa91cfbaa46d8ef3320676f0894c4d45606caba995f17d61
  SHA512: dae745955e532af5e646875e004f77eb2288aec14b83270c1ecbda90f4ccc56f53d98e5ff762694581c751013fda990459c81534545c1945bda8f9c73601b7a7

- Filesize: 12KB
  MD5: 42b472468ba8285fc112000fb4ccdcb6
  SHA1: 4968cdcf095dd692adc293b67693a693f9f06299
  SHA256: 1eef43e969d24dd17fb74b5bdc65772a7e2f81a1c98d14b84d51f3f6ec6139a3
  SHA512: 00f65dcfc3203a0ffc7e44565decab0585d3a3ff2c121d031b48095b31d68c1bd9ceb3087cb82161542625aea07a4eb9edf37b57123334d7db539ecc22407296