Analysis

  • max time kernel
    71s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 01:13

General

  • Target

    80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe

  • Size

    581KB

  • MD5

    80fc7464938eecb59386e65898b56e7f

  • SHA1

    6dc880153500ab7359090c2d1256d38651b85f14

  • SHA256

    eabc70968d6828deb319a3dcf934bf5ddad355b8f3f065a8e95363f554876908

  • SHA512

    cf9cec379dce3c99efa6d76270064c345376684c7c211a5bf2ea5088613dc5d296e4bb26a22a05b56c1197671be9a9781b1e5d0cd8b7f0d3842929d75448557c

  • SSDEEP

    12288:uoMDtCi7NFlZnNqZ9xGrLpZ0ZHEqtgb0U7:ufplNFgxG5eZngb0s

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2128
    • C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
      C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2288
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\1.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2616
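As an added example, not part of the sandbox report or of the sample itself, the process tree above can be rebuilt from process-creation events and checked for the behaviours the signatures flag: cmd.exe deleting the image of one of its own ancestors (the Indicator Removal signature, here nbfile0.exe deleting itself), a script host running a .vbs spawned by an executable in %TEMP% (nbfile1.exe launching WScript on C:\newsetup.vbs and C:\1.vbs), and a browser launched with a URL by an executable in %TEMP% (nbfile0.exe opening IEXPLORE.EXE on the down.97199.com URL). The event records are constructed to mirror this report's tree; the Sysmon-like field layout and the parent PID of the root process (1000) are assumptions.

```python
"""Rebuild a process tree from constructed process-creation records and flag
self-deletion, %TEMP%-spawned script hosts and %TEMP%-launched browsers.
Records mimic Sysmon Event ID 1 fields (pid, ppid, image, cmdline) but are
constructed for this example; they are not the sandbox's raw data."""
import re
from dataclasses import dataclass, field

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)

# Constructed sample: one record per process in the report's tree, in creation order.
# PPID 1000 for the root is an assumption (the sandbox launcher is not in the report).
EVENTS = [
    (2076, 1000, r"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"'),
    (1552, 2076, r"C:\Users\Admin\AppData\Local\Temp\nbfile0.exe",
     r"C:\Users\Admin\AppData\Local\Temp\nbfile0.exe"),
    (2156, 1552, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3'),
    (2928, 2156, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2'),
    (2128, 1552, r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe"),
    (2952, 2076, r"C:\Users\Admin\AppData\Local\Temp\nbfile1.exe",
     r"C:\Users\Admin\AppData\Local\Temp\nbfile1.exe"),
    (2288, 2952, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"'),
    (2616, 2952, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\1.vbs"'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# "cmd /c del [switches] <path>": capture the (optionally quoted) path argument.
DEL_RE = re.compile(r"/c\s+del\s+(?:/[a-z]\s+)*\"?([^\"]+?)\"?\s*$", re.I)
VBS_RE = re.compile(r"\"?([A-Z]:\\[^\"]*\.vbs)\"?", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def build_tree(events):
    """Index records by PID and link each process to its parent's children list."""
    procs = {pid: Proc(pid, ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs

def ancestors(procs, pid):
    """Yield ancestor Proc objects of pid, nearest parent first."""
    p = procs.get(pid)
    while p is not None and p.ppid in procs:
        p = procs[p.ppid]
        yield p

def render_tree(procs, pid, depth=0):
    """Return the subtree rooted at pid as indented lines, like the Processes section."""
    p = procs[pid]
    lines = [f"{'  ' * depth}{p.pid} {p.cmdline}"]
    for c in p.children:
        lines.extend(render_tree(procs, c.pid, depth + 1))
    return lines

def detect(procs):
    """Return (rule, pid, related_pid, detail) tuples for the three behaviours."""
    findings = []
    for p in procs.values():
        base = p.image.rsplit("\\", 1)[-1].lower()
        anc = list(ancestors(procs, p.pid))
        # 1. cmd.exe deleting the image of an ancestor: the dropper erasing itself.
        if base == "cmd.exe":
            m = DEL_RE.search(p.cmdline)
            if m:
                target = m.group(1).strip().lower()
                for a in anc:
                    if a.image.lower() == target:
                        findings.append(("self_delete", p.pid, a.pid, target))
                        break
        # 2. Script host running a .vbs, spawned directly by an executable in %TEMP%.
        if base in ("wscript.exe", "cscript.exe"):
            m = VBS_RE.search(p.cmdline)
            if m and anc and TEMP_RE.search(anc[0].image):
                findings.append(("temp_spawns_script", p.pid, anc[0].pid, m.group(1)))
        # 3. Browser handed a URL on its command line by an executable in %TEMP%.
        if base == "iexplore.exe":
            m = URL_RE.search(p.cmdline)
            if m and anc and TEMP_RE.search(anc[0].image):
                findings.append(("temp_opens_url", p.pid, anc[0].pid, m.group(0)))
    return findings

if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print("\n".join(render_tree(tree, 2076)))
    for finding in detect(tree):
        print(finding)
```

The self-deletion rule matches only the literal `cmd /c del <path>` form seen in this report; droppers commonly vary it (a `ping`-based delay before the `del`, a batch file, or a quoted path with different casing), so in production the path comparison should be normalised and the command pattern widened accordingly. Matching against the whole ancestor chain rather than only the direct parent is what lets the rule catch a deletion issued through an intermediate helper process.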

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1176b4ec0ed1059223f3183bff27f028

          SHA1

          7337e307a9128ad51c1657b6329dbeeee5a6a9d2

          SHA256

          91460622f837f632a73bd459aa5b1d4cb807e94bf3d56996646fabef042b7ead

          SHA512

          e4400ff9f31bb0435b424f813a2fe3d3b01ab4da63c199107e55084759a9e0ce23057369725030f71560bd27c5c511610cb5608538ebd6a5e794e700f283b728

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          ba9d7d5dd889f782540dec5b9b3c85d9

          SHA1

          fda3e49a3be02f7a6bc65eaea6a818c472039a6b

          SHA256

          cd665040ee41eef0196ca74f87ff730d6dfe0aedbeb357fdd638f03567a075b2

          SHA512

          675a2fa99351b63116db48f5302adf0dcd4bc61716538a4dc9b14e9e55efeeb393123a8c38b28590583cf264925b39aada220699991c9432e8f868c90be4a764

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          87c8ac59f5a86b717e4e9281a555d723

          SHA1

          cabdaeed004d2e8e2239f7840b26cb912ae489c6

          SHA256

          296223ac1d8da339fa723cbdf486313e9a4f7158f56b6ab8c250998c7f40bf81

          SHA512

          e0f76f1decede9f7dea1943a373486892c15cf9907505102aeed8cd342f14008c52773f83f10004ccb8e509e607ebcc8add3644e733ac8d12fa45566ea31c8dc

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          af21eaf747237241f2cbcc5240a9de8c

          SHA1

          1f06e00490889860fbafcd0a0a3c331c12577177

          SHA256

          e7bb1bb5ab256be48b06134827c62c6d2532f354d4d29da131a2126dede8603d

          SHA512

          04256d46f79ff5bf5f285dd5b35901805b5bb336699e93b395099b31e7c3400c372bc30baa288faff7c1f68cee522fb8f3baec59194b7a2a4d04f0237cc2de5e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          ff907857a338f2edb8721a775577e2cb

          SHA1

          9c777e893756182f81e1e20cf4348850f35b0eeb

          SHA256

          995cec860990617770cfed0242cb25bba3d785b3572443711566653e410aadea

          SHA512

          862d37ccdfeef0ee17509bfdea5238371a1877781734170a08e29a83e4bea61bc0189a898edfbaa579bf5d731f77069dbed543a9b5842cb88a6523a1c4088e59

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          f5fdf19d4bdba8901c9a808a0a0bfb62

          SHA1

          c22751f32f7334896b6a12d2a95f3bc06c0edca0

          SHA256

          9f708b940f0054579642a084b652bcd9ca3be7bd9b2d4840bf3a1b03ac96b611

          SHA512

          7440677575d53f48a49c5bad035c171554af6b1eb106cc5a5b2a870075624dc53f703e464a8393cc327166cd07c8f614fde8fcdab2c6e9abb01961585022e66d

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          791ed552629e091584e7c8d4c4500d4f

          SHA1

          b238ce08a91f7643670b5f76b8688fc5ff6d82a6

          SHA256

          c6e0ced78cf9019e97d938615c371aeae39d3799b598fa14a2055b8c647e1fac

          SHA512

          d145dd08600a34ba68388c43c634e5843eb805baeb4e68914aff3ad4b172be4b72d9661a5b01b70b53541313d5e1afd8eddc836b6d646dd05e66642a17ee02e7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          4ee802144c006aa2a85a6a2341870ce9

          SHA1

          24484f1aaed772c8ee7dc7a815a7565f763f9625

          SHA256

          9e14d6bdf63cce4ced3b2cff6401e94c4e386fb246162c265f6bce5b9fe2ae26

          SHA512

          a6e838256f0776def6165d8f769ca43e0861e6a44453f159f2463dc04232e7c132b957c68bc6e5b7662355d344db8b1b34951dfc99fa0afdf10ca9dd1ed642a3

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7b2ed0dfc07a6cc65e71e9a6a87dd3c2

          SHA1

          4776a05c55f99dd900fdc180f81f81a4f5324d41

          SHA256

          412186df6415a5ada1bfbf62c9dfdcdc53777e1c7b84c86fa8d22f5bd9844b9b

          SHA512

          bd5ff8363dee50d372cd9040c0be87539ab7407f4ea67da3caaab03dff5663e9076b2d7427139fdc1faf97e1dc52d4fca8c3d3d38d9659bb7dbfc217347880aa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          851c138bc794044de7b3474b1c11703d

          SHA1

          5c9010d4c9de5c9f8fb9442251f488da5d653796

          SHA256

          95db4f350105fc035850a2f8b528ef80893938c939b958bc4e5e03bba6badac1

          SHA512

          000473a23ec5ac8a343c87e229a6a32c51a6eba73779da19c01ea94d5dc1a93abd28ef551583bee3a905fb2a34b5d27b4a0c88b9eac04bdfa4d8c9d851ebc30f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c9fd66ae9def3378092aafe2e403325c

          SHA1

          6e01837155567e1899e440ead7ba88299cf86efb

          SHA256

          3829bc1da6d680363ef472abb4cdd072429cc066a8203935ce221961e7aa8963

          SHA512

          5477c888f99db209a4eae3172322938f4040783acb04071d89e93aad37faf429e951935931be3cdd974df8efa7a5dbe56a0d3cdeb2d30075836b2ce079f0f36c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          1a90bddaa68c5e1da7bd770ca36fe82a

          SHA1

          860d94f4d0959ab781509e59a03c47d1be4564b8

          SHA256

          a7a3c0a7f559fda6214579462fbe47a9e4c864c28d3d8ecf51c53a57b55facdb

          SHA512

          80e2ffff5466f889d8e52ea09149673b2dc469d521557878a48d248540b574bdf3c5aae967ee325671479ebf1f29b0f341cdca34218abbf7de78d50358573982

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2cc5f97be92d4a060feb807f006d9c37

          SHA1

          ca2d8b3d21d753bdd17bb232bdaf1b4e273ba6cd

          SHA256

          64b1fe516cc88cac0107e1cc22536f26c51f191b1693b3390f8406865f9b6694

          SHA512

          151b8cc0b8ced588ffd8dc20df80052ea430d90277d7f2c725f09583efc0fb4b485b2d8cbf93260abd94441e904c30dae8156ec245d2f33b56dd7b3560e0a4d7

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          11fb50c29e038a80f69398bb5f6946a4

          SHA1

          9b8f6a9056312e3f85a1adae2a4547291f754451

          SHA256

          5987512b242b927346f155ae90d6f83aae82e83763c617a6366c96197c898ce0

          SHA512

          c5bf0ccf96a4f69a8caf00cc3e173526019681bcc4d8d92df6583f080d3c67420542aaca47dd52709d6ee43650c0ffcba2f879f28e1c1e4db548d053eea18980

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          3ab20e4ea771a31a8389a97d392cc2e1

          SHA1

          009f16758c996fc7a5027e12ce851114d6199d21

          SHA256

          10e9882e36989f50e8162fb9bfd2e6ecaa320ebdbe0d120c4eeaffe54c23ab5a

          SHA512

          c35fb006135c4c3d29bc445e6da2aedf2f8b1fcecadcc017e9808306a972ae5c93fccc810d81d13e6a1645a3f314084526d2d7c4186e4801231de8345e39747c

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7fea8f9aa981356f46dfd486ae82b5e2

          SHA1

          1a89103748df0885a3062495b0022ed5b44bad8c

          SHA256

          f15f8a5d395e7b428674baac0499e6249f4122b2da65e4ff5d312335f834dfc6

          SHA512

          acfb1e5bdd19f2fd00902b1fc21dbcae9fa71e5994e6ca79b2d29def30e57b2f02f133572c28864404b779cb71bb5bf5437d9a2deb41ee0dca1415b1e2bf1a95

        • C:\Users\Admin\AppData\Local\Temp\CabEFCC.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\TarF08C.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\newsetup.vbs

          Filesize

          651B

          MD5

          4736e7158c27f244482f5a614b9dbdae

          SHA1

          d3a0e95a81e9e3ec95cfd596b25749a0e24e27b9

          SHA256

          b8229bc8d6b0013858fb9599cb510afa4566a439164b2c7444c449540a124acc

          SHA512

          cebf895dd3ec3822c42b78bac49c685b063cb5afcbcfb3850b073cb118d086c5fa75ec50b6e73d90e14f2c6b595752ad87910b8cf27378424d72a9ea309bf824

        • \Users\Admin\AppData\Local\Temp\nbfile0.exe

          Filesize

          467KB

          MD5

          74869a0346ab36bbba85022612505121

          SHA1

          2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a

          SHA256

          6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a

          SHA512

          723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

        • \Users\Admin\AppData\Local\Temp\nbfile1.exe

          Filesize

          52KB

          MD5

          c4ddf11ebdbf9d8397d710d2cb4e2fab

          SHA1

          8008c97e7d6ff92deb3e1755a614f4afedca92b9

          SHA256

          67a632049e45c25de35b533659624ca24f8e70447abca015bf5776ce6cb3ded6

          SHA512

          3c9be7b92208e8c0f57ab8048108714e06b2aa896a479f61637a93a9eacb4818fcb25ce3d4e1a24086558daeae65d4b482b2c1cfba3df202c396e2bc218362e9

        • memory/1552-11-0x0000000000020000-0x0000000000022000-memory.dmp

          Filesize

          8KB

        • memory/1552-10-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

        • memory/1552-16-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

        • memory/2076-8-0x0000000000360000-0x00000000003EA000-memory.dmp

          Filesize

          552KB

        • memory/2076-7-0x0000000000360000-0x00000000003EA000-memory.dmp

          Filesize

          552KB

        • memory/2076-29-0x0000000000400000-0x0000000000497000-memory.dmp

          Filesize

          604KB