Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18/10/2024, 10:20
Static task
static1
Behavioral task
behavioral1
Sample
56e5a816d9393cadf752442d1ae700d2_JaffaCakes118.js
Resource
win7-20240903-en
windows7-x64
8 signatures
150 seconds
General
-
Target
56e5a816d9393cadf752442d1ae700d2_JaffaCakes118.js
-
Size
2KB
-
MD5
56e5a816d9393cadf752442d1ae700d2
-
SHA1
b95e699376a1c70489a01c914761d8c80cb72408
-
SHA256
7bf0de9197af4a86686d04f4c1c2bfdf09cf6ba7e97b88be5fd027f170a11ddc
-
SHA512
031e9c523e4d389d110e40c8c9975d8c3d4d634d736fbf0bf25ffeb519bd935a9c26b4b1edecefea7da506ebafa6e8ecda3fc45a45b3307bd055dca568bc0202
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9ED8E551-8D3A-11EF-91C3-EE81E66BE9E9} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138119" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f5567c4721db01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1942952734" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1942327640" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138119" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1942952734" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138119" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138119" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a246000000000200000000001066000000010000200000009dc5bbb401cfece8c8062cf7f518987d35f168895d5649b9daebaf5e2cc813a3000000000e80000000020000200000001cec17cc6bbf17bc53711ee9f0f77ce34a34c13c03df4bc81208ff57cc0f13a42000000038a6f1196d450fd75d7db57c767cf8d2becffcb4de200b474d1382bacfd8019e400000008645ffd6f7963eb148d8f0a8d057442b34a3cb0c6514aa891761d26c4520e5f4050fa85e6631b679e927b5e3fa495d0ac37de89e6e421024c3e1f2a4b11ed8e3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436011813" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1942327640" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904d657c4721db01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000002000000000010660000000100002000000030d7cd68ea883bc9d9e4d064fdfb4c7dfd8c5ffbe6e9a3321c278fac3b08c784000000000e8000000002000020000000eff93833664ecb6b336a5d20c842ef7c3396dc7c2d75ecf3906f786ef6d14e0a20000000bec73a4e317345549aa70d1ab31476eb79c659e21f611ed9517224e2adf819b7400000008f54034485ee510c050b22b2eebd053c57aabd4dd6b7916482243fa4463cfbcbe07440c3dab51409674fb41b9c271df124310905ce1301da0f659e775e24cb77 iexplore.exe -
Modifies registry class 18 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open\Command wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\ÊôÐÔ\Command wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\D\Command wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\Iexplore.exe http://www.6071.com/?tt" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E} wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\ = "Internet Exploer" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\Iexplore.exe" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\ wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\D wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\D\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\Open wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\Shell\ÊôÐÔ wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\ShellFolder\ShellFolder = "10" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\DefaultIcon wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{86AEFBE8-763F-0647-899C-A93278894D8E}\ShellFolder wscript.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3428 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3428 iexplore.exe 3428 iexplore.exe 3932 IEXPLORE.EXE 3932 IEXPLORE.EXE 3932 IEXPLORE.EXE 3932 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2068 wrote to memory of 3428 2068 wscript.exe 84 PID 2068 wrote to memory of 3428 2068 wscript.exe 84 PID 3428 wrote to memory of 3932 3428 iexplore.exe 85 PID 3428 wrote to memory of 3932 3428 iexplore.exe 85 PID 3428 wrote to memory of 3932 3428 iexplore.exe 85
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\56e5a816d9393cadf752442d1ae700d2_JaffaCakes118.js1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://%36%30%37%31%2E%63%6F%6D/?tt2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3428 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3428 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3932
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee