Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/10/2024, 04:42
Static task
static1
Behavioral task
behavioral1
Sample
55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe
-
Size
42KB
-
MD5
55890b1d134154075271bd0b860cd2d8
-
SHA1
f50629248347c42c43dab378cc9963950da140d0
-
SHA256
02e235ccc12f14cfbffbe3abd8c79b2f53634cd6ebc39dda4c39e9b9b28bf604
-
SHA512
46a78634272127b9a8556fb6eb584141ab56b65ffd486d4566a6ac5eae84d77eaea77ab480c125d2a7c48a7d1006894c95f978e96dfecf649c996ce40e510fba
-
SSDEEP
768:MUBkQmoq5/DkgLTGLqWJ1W/SYEoTjerNDp4rZOawQfRZw7nwWXtRn:FGNQgLyw/SxoOZtIAabZAwW9Rn
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3704 winlogon.exe -
Loads dropped DLL 1 IoCs
pid Process 3704 winlogon.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\winlogon.exe" 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\winlogon.exe 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe File opened for modification C:\Windows\winlogon.exe 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe File created C:\Windows\ie-zook.dll winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ielowutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1176384029" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7189BCE6-8D0B-11EF-B319-E26222BAF6A3} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138072" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90297b461821db01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000005d6b37a7042cd2ca91d207e23f67930f4ff42010978a267a9065f094dbc06ce000000000e8000000002000020000000dcff4c42807c2407bf4c9732487af9d599eecc7a2716fb762a249c138964737e2000000070c406bdc87ff9f6ef82f13fa8d322ec663cadb619351dd151d9f235dfa93c4b400000008bf560589fc1fa519a6c806cb30d71485f5afae96ee6ea36572ebe5922259ace448469154055ab8db1a5c4db26b77248a4011e97b7e95ebb52144035d5306b5f iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702e82461821db01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138072" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1176384029" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d000000000200000000001066000000010000200000001be0b964e24201107b682388bf3127d3a91342559312cc0277346df01065ddd2000000000e80000000020000200000003b8573e46705b3a50327def0abca0a53e37cfe455ce26a49d35ab088db47d05f2000000091fc5ffc5538a19b8103b814b7e866ff45fea352fb79eb4143397015efaeed2840000000c9dca58388ef1f4626c1ac08f2c8a7c20dae26a81e2db6686145f93b4e799569be36009ff7bec70fe865f428bebb860475a27d0466ec467a6fafde47ec009453 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 892 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe Token: SeDebugPrivilege 3704 winlogon.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4528 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4528 iexplore.exe 4528 iexplore.exe 4816 IEXPLORE.EXE 4816 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 892 wrote to memory of 3704 892 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe 87 PID 892 wrote to memory of 3704 892 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe 87 PID 892 wrote to memory of 3704 892 55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe 87 PID 4528 wrote to memory of 4816 4528 iexplore.exe 90 PID 4528 wrote to memory of 4816 4528 iexplore.exe 90 PID 4528 wrote to memory of 4816 4528 iexplore.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\55890b1d134154075271bd0b860cd2d8_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\winlogon.exe"C:\Windows\winlogon.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3704
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:2696
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4816
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD5bace891b441c0da1e64a012d7d475cd5
SHA180d93cf047c6503856d213e04d4812bcabdafded
SHA2563b028d13a43b5c87efa4c2d192a1d17e0ea61b79256383a5202134eaae8d96eb
SHA51254d2e4a7b8e4df6a3fbb5481966c198a924d6cdb79da41bc2f1748c91c32828e7e6a22b458d507eade3168e838ca7776ba3eba042ab300713511ab73d8747bc9
-
Filesize
42KB
MD555890b1d134154075271bd0b860cd2d8
SHA1f50629248347c42c43dab378cc9963950da140d0
SHA25602e235ccc12f14cfbffbe3abd8c79b2f53634cd6ebc39dda4c39e9b9b28bf604
SHA51246a78634272127b9a8556fb6eb584141ab56b65ffd486d4566a6ac5eae84d77eaea77ab480c125d2a7c48a7d1006894c95f978e96dfecf649c996ce40e510fba