1dc7a2a9342ad70698ea3358048dc17072faff8fd90201ee80344bea5000d610

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Size

1.1MB
MD5

b0aaa8a5948c20836ba7b590cd451551
SHA1

0bf5d01289ba0a8aa9b7d0da45e04eb1764f8b57
SHA256

1dc7a2a9342ad70698ea3358048dc17072faff8fd90201ee80344bea5000d610
SHA512

7f0d08417d1b2157fefa9a70c129fc6a124fdac3089b6ba3e18701cdc0c011d78512df85e9f1b3697b8c3cb813fed615ee73581aaa903012cd618f592df26848
SSDEEP

24576:80Men6rCMVvdVjwADt34svKIL5Ia6qdHsLS23i0iDHvJR7wGGgg:dMepGvE8o4KItIafdHwrkDHvJVW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

installstat.exedzl_924211.exe

pid	Process
2608	installstat.exe
380	dzl_924211.exe

Loads dropped DLL 8 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exeinstallstat.exedzl_924211.exe

pid	Process
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
2608	installstat.exe
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
380	dzl_924211.exe
380	dzl_924211.exe
380	dzl_924211.exe
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\Documents\backup\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\backup\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Users\Admin\Documents\backup\User Pinned\TaskBar\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Drops file in Program Files directory 6 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\msn.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\msn.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\in	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\t	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\t.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exedzl_924211.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzl_924211.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x000a000000019442-142.dat	nsis_installer_1
behavioral1/files/0x000a000000019442-142.dat	nsis_installer_2

Modifies registry class 2 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnk	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jnk\ = "lnkfile"	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

pid	Process
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

pid	Process
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 2608	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	31
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32
PID 2144 wrote to memory of 380	2144	b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2608
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\SIGNUP\msn.jnk

Filesize
1KB

MD5
4ed5b3820f605da7b0c8dd7b51856cfa

SHA1
6c52079872f5a7896e90a036fffe79b428719f24

SHA256
c82bb3c76787ef695b8b023dfd34ee675550cd66b9e17652d1217a59d1b8ee14

SHA512
0fbf6b5b372c72f5202b5b3d31e0d87ca71d784e03179bf64a6361fcc68ac636a26e88c82805d62f4d6d335ca3989397dca10e3d3dd3be1d6eb389a01755e73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst22AE.tmp\ioSpecial.ini

Filesize
573B

MD5
5f4a6028f913c4296e160a2d3014a404

SHA1
abd0422a0efcfd8e7e20cc6b41ac131cdf0a85dc

SHA256
bfdf3eda8850d7708ee498d43401b12d917cd371bf6756b7489ce2b0d73685e0

SHA512
ab65ec90cf63a5f07557dd3443a4f0793e48ac21144a01fab4a093a524c332febde1a2db758fd7376581fe09f6c3a9c14c44ed26f9739ad257563ebfa1df2e95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.txt

Filesize
2KB

MD5
95d254e9ded04863410bfc8dde9be631

SHA1
7e65da9e2b99a5a15563cf3d1aed59fc4963971e

SHA256
eb4dbae0e71eb9b70c60954661b8b3e24df8f8d6a009851ea75fbb55ecaf8c18

SHA512
0582e35b96000a875ec5c0cd9bbcf4e75b694f0d97df3887cc383c81c7d3a5dca3ea327545cd720bb3440c2ab2467faba63ee327924b13f6728f783db9fc88b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.txt

Filesize
1KB

MD5
93ef6eb81a8a4dce88b776b5be08eb47

SHA1
ccc69323a154d4a8b0b01d63bf14d807f12ffbc4

SHA256
bc8ab056ef776a3e4221d3fd58e3193fb1a2d95226aec0baddf6c0717affe849

SHA512
e95e427a4007adfd747cb9eb59f16406b5e4aaf5f3e57181406df6c6fb4b8b0224e1843288bedb1d239a54a8df484f608b00002f42a3f3a73bc2c7c089bf094d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.txt

Filesize
290B

MD5
9a79c9e1ad63ed2e7932536570775b9f

SHA1
db556bc8dc2e60d0a5aef1bfba930a6fdceb7cca

SHA256
20badd15197ef7f52351c378a6b9204863cc114dbe1034bf86180e7e74810f86

SHA512
1a03b9e4696ccad4ff23c4dcacc86d633ef3dbb7e1822552dd57da9bebde444dd30882849659f5e05547ff6acb880e8a3077275c860214c0bab1f4581dd7fde8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.txt

Filesize
272B

MD5
e14f6ef5e8dc4c628fe28ac893e9309d

SHA1
f29803c16d3e11a196d62026279b72854c4d751f

SHA256
6142a68127514d4919f584a7541c242c9af5e471fcdb6065d40133439e8421a1

SHA512
94a23c241bd39bffc9a3eca5c9ddcf4099edbddfaafe997335ffd85825dc9e56884077768ef0cd7ae40c631489932529ea8c7d6dcfc0549c32d15d818589fb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

Filesize
528KB

MD5
b9b3b41e4d144b886af1cada8251d16f

SHA1
b18724bab7f10d1b3876ebf5f96e6b5dc97211dc

SHA256
fe094423639deae8fea8859935b611006c107a2e571084498820b21ebcc38626

SHA512
d99fe8b54dd16466c140849bbbdd394d481bb6f350fb8e21ce88e390f92d8970c93c654be9094f93a0b87570b3ba0bc3f28127eae2f96b6bc2455b83be2c6579

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Google Chrome.lnk

Filesize
2KB

MD5
33a1435915d20a53dc9de5f66a5ab422

SHA1
bfe45766a469770df59611d33ac9ee7680092d49

SHA256
b5cb0a16a129df29dc3e1bd5587d4c4e22bd99cc5eade8b288fc3d13dca07dd5

SHA512
ab282e1a283511f60bef6331e1cffdcfc67428c8e830ad296d536197edf1e607a36bf63de65c2e22adff6f90124976d7b93ca5e4a86e4e148b831967889edb6b

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Internet Explorer.lnk

Filesize
1KB

MD5
be45e6db72073cd8962a6c14f3ebcfe2

SHA1
4bab8cc844c00482c8055bf777cbacd360c593b3

SHA256
6b99d2d9640370556739f3743eb121f68e01912282b5a85d3b361a0b00122b16

SHA512
de52aeb482fe7d0eb103883c8ea232aa2579e53a3af13fcbfcd6eb3a7da2e407d41938303da5eeaebbe76338706192aac2ebefdb7a48ed2c1166cd0b3f38aece

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Windows Explorer.lnk

Filesize
1KB

MD5
47b2e1c4ddd5fa161f4e7314222d7a29

SHA1
f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4

SHA256
20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772

SHA512
07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\Windows Media Player.lnk

Filesize
1KB

MD5
a187bf07b37b7672c63603d06fd6d2cc

SHA1
594d50cc43d7d882c1fcd60ae4b1f55d26bfb28e

SHA256
2577fead4a5e5ea58ff040b49611e63ca8215d5baee3e9f05a3e5abc47b2a241

SHA512
3faf9673233b6db85459df9309c75fb8e3106ee1c0550ad269c98c3533020f0f7ef28ac7a4809890b92f1eb6d5fc54bf2c2c2aca64f673627a85d289f3c045cf

Download Submit
C:\Users\Admin\Documents\backup\User Pinned\TaskBar\desktop.ini

Filesize
211B

MD5
e11e5a356fe79a77992baf3c6bedba79

SHA1
9e3eb3b6ddda8664dc17e3140223be3a0ef41fc1

SHA256
e9bbc871326524376aff5aa95076f6562d8416bb94876ed4e6d5668c3c20b1ac

SHA512
ec7f3ecc14fcab007033bf0743b9f83c8c558a0b4e6e7de490ab1021a1dc447e0f41c2c859b5e8f7fe76d9095518f643dd59be972b6760e63bd71916749d3fc8

Download Submit
C:\Users\Admin\Documents\backup\desktop.ini

Filesize
221B

MD5
98f06d1ff12463d6501ed8632c175f09

SHA1
dcf02254aec6a9bba2109d794d8588ae360edffe

SHA256
904fd61710a5a3121fd23bd1de0ed56e9bcf435d643737a07b76aac9ec450b6b

SHA512
c9cd8f4f6be5f057dce79795bd59f2bd8e1fc74a8c960f83cac8f2587591cf0f5caf31cc3d093184c560bbc839154dcc835061c0a99d8fb153b99286a933fca6

Download Submit
\Users\Admin\AppData\Local\Temp\nst22AE.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nst22AE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzl_924211.exe

Filesize
240KB

MD5
f48f6b45f3e2bd243342833088125da2

SHA1
6df69ee997c29bd9e302d2791db53ecdaa28a999

SHA256
6b193a8a230c40922af714f86d8372235cb8a15609430d9106a5441ea3fe9290

SHA512
c678c00e35e9a24d13a77e596bfc6562fc1f10523d2b53de29e29ab290fdeee8ac98f40ec9b9663f0b2c790c32d6ab514b9e5e5c06e3aa940dd8ff4cd8c430ad

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

Filesize
44KB

MD5
7c30927884213f4fe91bbe90b591b762

SHA1
65693828963f6b6a5cbea4c9e595e06f85490f6f

SHA256
9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

SHA512
8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

Download Submit