759af97199698d2633c07176065bc5069110e1dcff44a87c4a8d3aa4bb043529

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe
Size

57KB
MD5

42d77b24f5d7c3efb034d674cc95e441
SHA1

4b7a8f12b17e47edc719ff6d1f82f7da49d4976e
SHA256

759af97199698d2633c07176065bc5069110e1dcff44a87c4a8d3aa4bb043529
SHA512

2bb549f3c8fd247ec6b0935332fd203fbce0179df97be7a011195d27ee124b6e1fdc4a00c15b0fbf7491e8b5f8391339cd14c543d563a6543d2563bd068763d9
SSDEEP

768:9u88JmsOFMi3tYncdlDkQQa17xNnzvbEZ4LWv/RWjebG5KgsBTh8j:9uXmXWc/4fatDzMfHsp5Kph

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27557A21-8A40-11EF-94A4-62CAC36041A9} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435081229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2388	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2388	IEXPLORE.EXE
2388	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3028	1724	42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3028	1724	42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3028	1724	42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3028	1724	42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe	30
PID 3028 wrote to memory of 2388	3028	iexplore.exe	31
PID 3028 wrote to memory of 2388	3028	iexplore.exe	31
PID 3028 wrote to memory of 2388	3028	iexplore.exe	31
PID 3028 wrote to memory of 2388	3028	iexplore.exe	31
PID 2388 wrote to memory of 3048	2388	IEXPLORE.EXE	32
PID 2388 wrote to memory of 3048	2388	IEXPLORE.EXE	32
PID 2388 wrote to memory of 3048	2388	IEXPLORE.EXE	32
PID 2388 wrote to memory of 3048	2388	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42d77b24f5d7c3efb034d674cc95e441_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42976b2798c9cd284c1c4afcc01d3e8c

SHA1
5328f89820403ab03d626208865191302b147eac

SHA256
cea34a230dcd761c6128a0c0d1952d18d4ac2fcac2bf8be8d6e969fa3bcb2e0b

SHA512
b49760bc36534ebfb274c488f313cb90ea53bd93a38f5c4a2911cb1dc86fd7cdb16db28363c24e3b5f077d3a60efaa9224da0f4bd1accb035a18b9cebee9bd8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98051547ccd02c3decf5f60aaca7fa07

SHA1
a180778615e0768f65465137c5e04829d26320c4

SHA256
1282150a385c827e63bfe13250ebc472f459b2524145090a13c4662bac100b36

SHA512
95dcfc8a8264ef625306add788aece9c01cc30f82f3ebe035fbb13177ddb4f8035a97f6b1024b941e6f9b14f866712c7dca1d2126bd23693bfa2adcf9f6521fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efdb2ae70848e37481bdf7156b7eba98

SHA1
1faa916bc51b7f708bd1afc36f2b514806125dfb

SHA256
e0f6234fa6a01b5523614072c81b6938954e5cbea3b7a96de1930ccaf1cae9d6

SHA512
836ed0e0fbbace1671fa43258d4256e7d90ce20b93aecf51b993390fd30f0fe59540e12cf835e51be966df74fc10ce514bf24e0da826eb20de7380872d01d812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a3201542e0a819ca7248410bd73ce52

SHA1
0daa3ed22cde8f834df926893b74afeea53357c9

SHA256
488c4a15d864f9d2a4136cb15c06015e7fbe693192633a6b7c164b204b128e4b

SHA512
4a17ec722315c5fe1556ebeae09123b2f3ed3fab7cb2f20637be8a7ab99dd82b4bb511956fee88c1292d54b54298f5f42ca82dd7a655db9882cd8266e3f4d08f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3378f1e4a75acb1e74b2551247781a50

SHA1
594970dcf8fe5a5691a9898c465e76a857efcdbe

SHA256
a65f70adb0352f9dc1a32b332e0a81b6aeb2aee9d45c79f04c4dff2e70c85f63

SHA512
d998bfe38d40050b911383d3bc9beb2e081e6c73e8d1f23030067d834629841c3f42f9dd19efc610575490c40be0a2fef85806a54b269b420c2e6c08f3c05136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0820db942ced491d138f9ded1115b99f

SHA1
cc7b31a78471c6db55471e7ea02e5a0603ae3585

SHA256
925c6bea17532f8f924614c7b24ec7bdc4c558795d05704b46492d6a0cd71ebc

SHA512
ae8020a82f70e1d16238ca367970e1490ca31a4e2170fc2f38fb2078f78510e6b966683b3eaf46cfe7bcfacea5c787df9c0e10d7dbf13bbf41b187baf6583f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8e7bc48e658efb3ae3f0c86cff2848d

SHA1
c323c9c1e55d88be2ec95796c2ba1a68d97d7ca6

SHA256
074f529c36beea443b69a9402f25627f69a5b3010343a1107ae63eb54250da54

SHA512
90328cecfc092b455a3c0dcf14b54a1b972278f4fef5f7701c5b8e38a5d5340690c2d53bf0e9d9a7bb74e9b458e8f60b0fcbcb49c578d3d2af939b85581ddc9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0020f83a3eb5886ee9dd1ce9d41c97e8

SHA1
ce295fcdaf49a9e0f8b7f49713b7f1f45da07b68

SHA256
dde4d7ac0356bdda2b583789c73a8370e3d4f2964d8f124e769af3071a23af2f

SHA512
ca8cfd58d7d817ae5221b3815f333f9f5fa5473f24672b7d113b8f3d45404ce07d60c5b7cdf82ca19ddce4881d179816d443d2d3dddef0f2c5a5587be4e35ad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e3dd4266c46f39e466256c0a44f61c8

SHA1
6ab20869a056fc1120b17d9637628b7b0567ce89

SHA256
b8d956c6bbb6c49e49094d14829dabb9a5a14c7e08cdf427add80b14aebc6365

SHA512
a5bedd6366bf2219f77f48e7479ff42258e6d9a46d11432067e16d052d197c67b8ca95a7fdd472630c8307866774ed6ead1a08daae96c03b68a4f047539694d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7c6b7477b655ee68082ee5f9f1d8ebd

SHA1
79605cbc17ea0aa6881240c43e0e1d1266510700

SHA256
614c35ea58c55b134e4e38f9028f5ac3974ff7a88f285a295be5a308cff8cfe0

SHA512
7ff56014cdd407e5a807dc6f12390c7961147b13a52c113b8cac3cbeb7fcd5af1344efdcb713fd0b38227cecddaa54ddb539f1e86bd746c51548dde845188b83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78a541a32223b7c9047779866a6e0a11

SHA1
3e68624061edf8f1b108387bed20b1b186508335

SHA256
389925fdcadc79dd158737323c09325e34dbbab9ed85bace481c222e4410a38f

SHA512
9713c79b879c31e2ab58c796cb1d8123410e92837e040762ce75f7c3a56bd4090fe505c2185c6d49515557f480a9689abd9434b768f5c2db1969bf8724956d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
884ed82f98c73ae143229e1859493c2c

SHA1
3e6a24eea3ce3672d444f243f9dd03b08b5f9776

SHA256
fb864942bca34a9c30fe718cfce63996165955b2064537a9241c5fddbc47059b

SHA512
f825c947dd13b54244ef3a3ce2611652f3c4a5abd566e446ee220cb813f1d197e5b8265ab661f6c9666e546579cc01532dd7150fbf4000efd54457970a41e317

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b7eadd3c8613a3e2da37606b831eda4

SHA1
e7e8a68708d55800a9a0134f3c2b2888f1a2ab87

SHA256
d93861d8cde4543bc84c1ce3b8a10bf29ec5f816d6d12b7c4bdb448f13b63104

SHA512
10774d1d947139e970e0698b740008558ca2f9506d1ebeaf6ed76cf2f271fcf86ec02c293df422c2f2966cb81e6583981e2e65db0d96f04c4b469e7eaf3f141e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeed88ac4be49fcd005132e55d18ebc7

SHA1
4092a2f0ce0b53aae804cd38dbb868d27dd92968

SHA256
2f9cf78c50c52bdee251dfcab93aedb51ed5ba0c11be8c7793203d09e0a98673

SHA512
3c0ae3ee437ae7ccf08cd4a360624c39e05bdbb850ecc77bd19164ebb9e1703f786823233d3805ade65ef6537d43079209c0077d708837694c9b72b9a3ad5989

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC130.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1A1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1724-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download