socgholish | eaf6c1315788497fa7de26ba151de4a3dd3c66f8d7424add7a2c373bca5c71e6

Analysis

max time kernel
132s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b963eee948d3e2a6d39c678e4fa2c3e3_JaffaCakes118.html
Size

245KB
MD5

b963eee948d3e2a6d39c678e4fa2c3e3
SHA1

9db5e409a1be3554637e3fd08d96e1b88bedef4c
SHA256

eaf6c1315788497fa7de26ba151de4a3dd3c66f8d7424add7a2c373bca5c71e6
SHA512

448a285dd50211a79a4f401fba1a6aae0391689cb7cba53129cea7242c355d9ed86f95f26700f3faf28171b4877ca96c2a3c60a4419f808e2fbd9e296f26aeb8
SSDEEP

3072:+kcITclgtyOSFjLj2qDO2qDk0zwd72ttuPtuUIOq+IDC7jdR0lod4hWDOc2MzElw:+kZTcXZ0z/kPkUIeL7jdR3E+PNrN

Score

10^/10

socgholish discovery downloader

Malware Config

Signatures

SocGholish
SocGholish is a JavaScript payload that downloads other malware.
downloader socgholish
Socgholish family
socgholish

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFE87421-B0D3-11EF-8B64-E6B33176B75A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439322819"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2744	iexplore.exe
2744	iexplore.exe
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE
1780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1780	2744	iexplore.exe	30
PID 2744 wrote to memory of 1780	2744	iexplore.exe	30
PID 2744 wrote to memory of 1780	2744	iexplore.exe	30
PID 2744 wrote to memory of 1780	2744	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\b963eee948d3e2a6d39c678e4fa2c3e3_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
7eeb5dbe4223e7b5d2002871a6b7652e

SHA1
7977eef04aa1957796456026c6d31a6341a45c2a

SHA256
e56fa8910a15d5512f50d0b8abf6bd7f92011495becebb062cc504c7f84c6573

SHA512
d72d14330309a29862253d8a87c48483d3e709f5c9e2c0dea1ed777e57168a02732678a4fda65c4d505ee2a81451b8f1da473cf559e622e42b10408845bd789b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8bb89e7e73bcd67acf48d4d8b73cfda8

SHA1
5f70b0d0d5d8f6cf0f178a6ee53231ca699a8f8f

SHA256
54bf3b0f073f91320d3f702e223251d6b5289a446f7522ba312125b40d4b99e8

SHA512
12eddc290bd19f9690d142636d063b668bcdc9a1d46813e128b810f2128aea6bf85403de500d971f11da75942a1dcb62383b2c6fd1b36744ec3cbad1007f2cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e7ea71391de09444ce63e51203b2785

SHA1
907fe37a44f6c62869f5c6d88ff5f794f7ddc87a

SHA256
7ea424e7b26fecd529709f951156d83ff00c1fa587088e6fd389f6f0d8763d31

SHA512
7e0559d9519819c889cdbe3fb50d4cf8caca7f1cc5969a7a70ecb41bc3e151cb6713d7b62301c0ce6d8b71eb046fa9010c094d19431f51421d6b5bfa3a004fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cefe5e41f01b481d0053bba424b96c7

SHA1
5a70fbf1ab838dc40bd25d8b9dc77c59d264204b

SHA256
89ff1c001c29d7fb809ef8306719ec26ce4dbec4aa728f3b07aa13da99430be6

SHA512
c95966ca6d676714314f5c275de3a06fb9293ea0d8b4a4525da81328da28acadc20cdd4eab24367088a7458c62e9d1e7742006132a3a9ff4688a0e932a18067b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3874c80979cd2c975fc66058022c346

SHA1
a9c7c26cd42b2227b901f4d3fbb6af037c40ae5a

SHA256
dc53916ece7f0a337a8d76f43e2848b78060190704710abe08bf34ef8827a804

SHA512
b020a46dc6ae1e2d4358edaf5aea89a0c8ec377d9fe0e0ee4828bd5b73a21af971419b01d4cbbdd5c9164442c27f4e60e66e7e3bb5529f13917d914c83ba626c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
389da8ea9dfa5b3fc3c7c83f73e8c0a4

SHA1
e314f26a5f0a70141f29e415e839081495f10484

SHA256
20c8d33eecc16bfc5f7a3a370c5b33ad109e89367215e70bdf2df7cfa9a10777

SHA512
56e788fe18f895bdedf95b23a37ad0cacef485c50796eb02cc25b6c055667c9d5ac310a6c90954a175bdbb93266ec0875d17a87af5baa3553d012fe291a661bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a877ebfcef2c839dc6c26bee5ee0935e

SHA1
ba654d811252eba8ab7261b29861fab566c225f4

SHA256
d86cbf51039ff36f6bb55c2b7cc887834e7ed58da3196bc9d346082be3561f63

SHA512
f07551557036d60f4d03db246d2f1b33ddebb900f5af8b79b3b15c30f4eaead3755065a414709d1caf88d073e3ef843eeebd9b48f333664f3c39fbe6139bec3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0674037739668e66dd6cf2fe06468e57

SHA1
6064d263cad0396c2f9840f35264eb0cab5235bf

SHA256
8dd2d0ec7df3ce2691644c5c20131958aaab812fdc9420f3a1e1407acf1b9da1

SHA512
c182208ec5910a5b6883a607aa89d41798f4ed0bd47c3f4c96fc3ba3ee4db05c6d52bb02a693ccf2a4852b4ca17f8206e1ad38659d422939864f4a934e365060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d41b2aeba73391ad6762544db7bc634

SHA1
a9e46530c7f170ed463f733869e1024c752ee43c

SHA256
687274b29f2d5374b3f7afb597bbd93e4e0c031830b763e29574da5a743a5c21

SHA512
a86a417b1053cbc98455d2413bc5c949d7457bff8d40132dd75df97047158d8f6c8b2018c4bfed9c58a77b9c5612755204f4286730568cc4f3b6be487a049349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b53fe4d188c791414b55d30872bb3611

SHA1
58750d3ef6021d9746eedd32b0c3a9b3c1e69ff2

SHA256
a031e22d6f8c7e089803c324ec96c5b9d3274ba20b57d36bc1c728a77f037da4

SHA512
3cf6df600b57b218cb960d2ca03d498be811317f87f0a04f396972fffa4a39fa84350a1193f787eb5080989012fd9b5ae3397dd3cbc2d1c8822ccc43375e867c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1c8ff831f256609d54f0eab18c8a0a6

SHA1
29a6e7ec73fde5c1ac26a313560f4c4311b7d16d

SHA256
6f6af236b1484f2f3dd9a03a264fa40803977bf7df1385e794aa3f8cc29fb495

SHA512
13a63f968631a753484ad148a43dd1d7dbdba740875871f8080640b11aa3d04ba548418b6a81538c483e721d0cc262116a9a3e361b941aac2aa90321ad11d461

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16308eb96c3aee9d8cbea31ec90db591

SHA1
36da7a61c9826b105265c5ef49c95d10a98133bb

SHA256
aa52a27208e2ef54952b1664bbf8c9a191d6437d6e94aaa278cbe6cc3bbeb4f5

SHA512
b6764f1dbfd3fa4a7c4524af8107538972dade6870087778c649771454fa6cd341d70e192571ef4b3fd74a2f4e3e276dbfa05ff77499d3340ebac173798da175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446dca29cfffdfed78fe890ad2231331

SHA1
db7fe4359b64c0ac6463edff3c2fffe430fd8a30

SHA256
67d3e1c15d04bb175b6fc5deb063eecf9058d10d950a476ef645b0be520be1f8

SHA512
dcb8ed1e0bb6922b82e45a331825197349b23942ee3e159ef8a62a23b7a5119c9f433f14f82282cae0757210824c06cb3156c3a67855290c020be48c8ebd957c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5531161672549531d778cd47b8517f5d

SHA1
72b543f0a00e358a17db9f7acd547a187a8e7138

SHA256
6d5620dc016fad0043f713aebda8e9c9bbc611675cb6d27389a632badde323c4

SHA512
7eca7e64f952e0f64fbfbae214607c0781cea314dd77d9f0f2168ab9e2e44b0a60e253691477bf4dde01367e9da799aa1efd5fcbb937d61bb29042c389f7b289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\f[1].txt

Filesize
40KB

MD5
bd11aa218cd33d50102506b0633107f2

SHA1
0ba6fae9a2464cb8d057ab2f28052bcb2d651595

SHA256
ebd748eed7f77fc7a05a2fa8666d5f07a10c562468300c73382723f87959082e

SHA512
112d5ec3216e91cbbc7fcccc0088e8d202f918b7b3878828320d7db6618cb2648dc3054fbf12b61f77a13ac3e431cb86b0d71340d5f261d9e5e6378f13443e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B88.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C08.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit