socgholish | 2ce04c9b830b240e8817906ba19b16d427942f8f9cecd6385c506110fc92f8be

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec04de185d1a2f46cce3ece0db3d266b_JaffaCakes118.html
Size

77KB
MD5

ec04de185d1a2f46cce3ece0db3d266b
SHA1

280793f36fa856b5697232a4fdcd9f4306b59020
SHA256

2ce04c9b830b240e8817906ba19b16d427942f8f9cecd6385c506110fc92f8be
SHA512

083faa106bbafb0efeb125c421a5bdc1ce2d1039d9107ec573e1849f94333e8aa217215ce2a2cc3559fb5ed1c473ebf7be4b9e65e9b0328191cc91f814524f0b
SSDEEP

1536:9p5pBoNzHFkZvNu1z1seeeebKJOHITNs9tua:9p5pBoxlY1gNs9tua

Score

10^/10

socgholish discovery downloader

Malware Config

Signatures

SocGholish
SocGholish is a JavaScript payload that downloads other malware.
downloader socgholish
Socgholish family
socgholish

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440263143"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C1CEE71-B961-11EF-9A25-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2168	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2168	iexplore.exe
2168	iexplore.exe
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2912	2168	iexplore.exe	30
PID 2168 wrote to memory of 2912	2168	iexplore.exe	30
PID 2168 wrote to memory of 2912	2168	iexplore.exe	30
PID 2168 wrote to memory of 2912	2168	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ec04de185d1a2f46cce3ece0db3d266b_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a931067a960e76a1444b30e9f8a078d6

SHA1
d31c6a7e2c53e17f13009db92d310415840d2dff

SHA256
039d805d03acae9836c48a1bb4203707309304cc790868ade71994f3dfc47433

SHA512
309f7a712540afdebbbbfc75172fc2e82458de267de14555bbbadf4cd08bfa346c96664351243c9b0e9a9d3f7eb3e18732cc92a0221352624ca2cac2ff2a2067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
333b2108e122bc7ae10b3d83a5768d5f

SHA1
135981d218f33fdd73e9964898b5fe5ea25fef67

SHA256
ecf80e3382b74a4b6e3e50f9266afd4262be408a70debaf2a25eeba00a379b61

SHA512
fd23fd5100ccc945472a9fbf6991917e922e2e88115f634687ede6567f9c7457cf5a936eedf22f04e1720a3edd6c78b35a7b4a8f2fc9fceab10dfcb23d9e61c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d113a5e19bcaa3a13549338b1dc99665

SHA1
ff1c4cb27c3c0dae4b00f7d701f0939feebe2979

SHA256
137152dd2b99d1abf6c74650ae5f9318a38b5440e185513f3fcc7c1567f3142e

SHA512
40fd14a7e835f48ae2a9c2e6512bf45d84f432469706724f7ba988187c49fe93277ecb16f31bd7ff2c9a6782d2df6aebfc73a705b839b078294a5029f34fa8a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18e1339b2b09eb6017f8c2a2df88048d

SHA1
67e0cebdf4e81fc44468897ee1c1747f64cc8ee6

SHA256
66277737298838a58d269a22c3fb33687db2b3c9bbd6d63feeb0ba53678388c0

SHA512
9ab8b5d5824be685249e73896b0bc49f1c3cf174b95fc6ee86cce01ad6b80bdbbc6b98f9550f0070796bb7f6b10fde194396712342c1b9e26c16011c43a8eebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb49b6901ff29285b3706b9c95d6c29

SHA1
d14eb91c074c7ba5201e3e5dcc98f811042e8dcb

SHA256
d91c96dc70745a74c9787ac1a4e824a43b06b77ebc787e7c5898fd9f332e59b2

SHA512
432894c52d5886c4c0e4021374defe93cb9eab55fb85a34b1c2d0d19637ca9ed348abe3736f5678a04443be9bafafd7fe112898b36e18e12bf1a622c9769c2fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c51e80c5be4e81eb30c162b136821f70

SHA1
9d702e72aef40c0578451d8e3de651659a3ef025

SHA256
f2c54c21dae17e01d6a2d8d25fa42844bcb1655cacafe24793d98d8090524fc6

SHA512
5c14aefd8d7a6755ad6ca015259d6ec357c57e9137df24696da09ff890ca4595b99aa9002d8126531399a9845f5c928fc10f8240837a62e193230cac04e6d6bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e84d1d91390c54e3687cb45dd870e9f3

SHA1
784d6340eae168aa8636b364d1a49e6628925aec

SHA256
5811b0cd377902a480806fbdb92bde176846537e613521055a6893040da8bb1d

SHA512
7ced5fb9940c26b5120fd173a96680a42c51f755c764cbca003eeaa3f7d1fa27d70517ff443e75daac1658e3194c934201f0cc627669a04d6db8c77a21cf8a76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
216210da52bb741aea203ce581010982

SHA1
d1cde01d91244c51367826d79f9dee2911490bb8

SHA256
ef329c272e560ac11e8cdb02963f6866df46ae814af55402905bb5d704097f7c

SHA512
7137f499ed6f7e547aa5ac075d7e5dcebced2e5d2e638e03a1728cd024a5125ad7b80dad664c21696d9cfa9c99cfc0180cb2de3eedbc5722a9cdea6306c57596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0df72f0b9bd1323a1440aca54e5fce20

SHA1
b4e15dd0aa055b36beb67c4c9d9328e1d22cceae

SHA256
e7d492068089645cd99d5e17cfd3aedfef4bffb848c37875da25245c0de051d5

SHA512
9f2a183280e613b381ed08cc99e5b71774dd58967cc37fe70ad93c98906165b52a94dc5690667b3c19183be693329b135a6d5dcb6b7b79f7ca56286a0cf4a949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
017de41c9f8e8d370ac0afd4883ca9ee

SHA1
5f106b603be9d6c6298cb7150b44ce6cc4f48869

SHA256
3b77ed7d5ea8ab8ff1a0058a69be7d395cf9bfc59ece1877e2152476dca11fb9

SHA512
a8e669efe85fb54e17c5af27cccbcce571b5d56938c364224c353e63368b1a6c244bd3e4bf3be16e6011f1770dd9b1f4fd8adab2ccc5ec3c7de7a8887a42ca35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d98bd0d7eb1e920027db47e8a77116cc

SHA1
955173e48572480eb8b9ddc49d1ae1f1549a968e

SHA256
c04738ad4d35b417b34c44c1d2d4e36db759176822b88f5709c787d009d28f29

SHA512
6ef2562a42d9e1db0e53443ad1913f5c584cef1815b2558ea0180a3ab33db388f62fd090f4334c6458ad79b7f69379a97c4496223b341b5d140141bb8b028e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabECFE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED20.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit