Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2024, 23:28

Static task: static1

Behavioral task: behavioral1
  Sample: 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
Size: 66KB
MD5: 8e05cbe103ccdc30592a0f7551c77781
SHA1: c1338bc2b8fe26607b38ee2ced878fad6ef023f2
SHA256: 7b00f4851573bb3baf248a20cf5f519d04f9a8bc8bd693406b9075557a580e08
SHA512: de23680b9ca2ef75add1c78ab82297387efd69595eee73c12347b4665afb2957ae332bef4223f7b01cd01b26a9c037bc1931bf0c5bb95db30997c5508d0d570a
SSDEEP: 1536:rbuESRmzl+k+LsZ44Ck5pKV4bzfbQGvfTPfrsyUwAvfue8ee:rfl+r4DpKV4GXfue2
Malware Config
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

Executes dropped EXE 2 IoCs
pid | Process
3836 | pinch_ICrypt1.exe
2232 | pinch_ICrypt1.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pinch_ICrypt1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3836 set thread context of 2232 | 3836 | pinch_ICrypt1.exe | 85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pinch_ICrypt1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pinch_ICrypt1.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2232 | pinch_ICrypt1.exe
2232 | pinch_ICrypt1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2232 | pinch_ICrypt1.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
400 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
400 | iexplore.exe
400 | iexplore.exe
1612 | IEXPLORE.EXE
1612 | IEXPLORE.EXE
1612 | IEXPLORE.EXE
1612 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 4840 wrote to memory of 3836 | 4840 | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe | 84
PID 4840 wrote to memory of 3836 | 4840 | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe | 84
PID 4840 wrote to memory of 3836 | 4840 | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe | 84
PID 3836 wrote to memory of 2232 | 3836 | pinch_ICrypt1.exe | 85
PID 3836 wrote to memory of 2232 | 3836 | pinch_ICrypt1.exe | 85
PID 3836 wrote to memory of 2232 | 3836 | pinch_ICrypt1.exe | 85
PID 3836 wrote to memory of 2232 | 3836 | pinch_ICrypt1.exe | 85
PID 3836 wrote to memory of 2232 | 3836 | pinch_ICrypt1.exe | 85
PID 4840 wrote to memory of 400 | 4840 | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe | 86
PID 4840 wrote to memory of 400 | 4840 | 8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe | 86
PID 400 wrote to memory of 1612 | 400 | iexplore.exe | 87
PID 400 wrote to memory of 1612 | 400 | iexplore.exe | 87
PID 400 wrote to memory of 1612 | 400 | iexplore.exe | 87

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pinch_ICrypt1.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e05cbe103ccdc30592a0f7551c77781_JaffaCakes118.exe"
  PID: 4840
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe"
    PID: 3836
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pinch_ICrypt1.exe
      PID: 2232
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_win_path

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\542941.gif
    PID: 400
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
      PID: 1612
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B