aa84389732f1c42c53d5502abef1804ac4f51cbaf0d14daeebb678bb7ba4c9d3

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
Size

21KB
MD5

e2ab329f47ca52275fe77460d00da716
SHA1

dda35e2315bb69ec5bb96be604be4034b67a7d41
SHA256

aa84389732f1c42c53d5502abef1804ac4f51cbaf0d14daeebb678bb7ba4c9d3
SHA512

23b2f436fbfa056056dd4bfcec9998cd60a04fdf7b310aa6ad3a6238c34edff1565a1c1718bb96c517130d3f59176848717828c0cff1cbfcbdadfe1262e9030a
SSDEEP

384:Jil28pZyij4P1DBh4+Itd71DoSk4Nl1IJclGsjHlXGfLCBe/cTqH3Y:Jil2+ZDe9h4+Itd71En4Nl1pMsjHlX2z

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025ab10e0a363ec45bc9a8081700ae1c800000000020000000000106600000001000020000000ae1af7ccde38220eff776b3ad71b03614a77ab07867c7a99a831bb373218c54e000000000e8000000002000020000000c5b4941ed2eb954c0c5c93918af1860962ffe24345e1fb1334bf6872306879cc200000006a3ad6fb82079bc190ddf596b5b6befc8d08a515c3e02c98ab705b95e7dc35d2400000002b05bf513a24fc104b79243d0286690b4995594bc399170fe4d9ab2fd9224a757ca0e3f389fe051441f196b44db486b67c906c2b15064ea37e80074a42bfab89	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025ab10e0a363ec45bc9a8081700ae1c8000000000200000000001066000000010000200000009dc9b53c4c8149cf339e78824adff692762db36fa675538f4b9217a31a503e46000000000e8000000002000020000000e8c359038b83dd38799fd4e7137ce1b431ffd7125a2e5d6a6acb018d25356f1220000000426e25d26d57875500390c97196f7bb6fabe75d33523c4a979ddb5c2f7cce26a40000000957a7abd68652d35f8d742220d7434391f817e01279740511e5b75991bc1848640941986004b431937c92cfb63b03db4dee24b64b7ce62a649be8121f97653f0	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C95A8302-D717-11EF-B319-622000771059} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31157028"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2648746673"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8030529f246bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705c599f246bdb01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3548	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3548	iexplore.exe
3548	iexplore.exe
3580	IEXPLORE.EXE
3580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 3976	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	83
PID 2680 wrote to memory of 3976	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	83
PID 2680 wrote to memory of 3976	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	83
PID 3548 wrote to memory of 3580	3548	iexplore.exe	87
PID 3548 wrote to memory of 3580	3548	iexplore.exe	87
PID 3548 wrote to memory of 3580	3548	iexplore.exe	87
PID 2680 wrote to memory of 2988	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	88
PID 2680 wrote to memory of 2988	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	88
PID 2680 wrote to memory of 2988	2680	JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5a279vn\imagestore.dat

Filesize
4KB

MD5
83e824a59a0f049547fce5f47a763d3e

SHA1
c22d5c004d59efc4d5bf83d9012f9419154e89bc

SHA256
63d9b7084e3042b25231ea447be350cc5b9e5c6f8c9e096b85d04bc6120b9d09

SHA512
be008e7b6fd0516e12306e57af0a708c90b0be31d52dad4d91d7d312bc97a700775eeac74d83d73509775646fea3a90c0c8634997afab2959272f280e91b4532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\fav[1].ico

Filesize
4KB

MD5
b664b38d499b4379466e2d7ea4d87768

SHA1
8f86559f1d84fafa66dd297a597e8367e6f2b149

SHA256
16c1ef6558c2cf557c10dc33a08bb7b4663ab7154d48651dc3de8a28113fff5a

SHA512
3d8dc1bccae0aa3ca9aef97c6df171a442ee1602ad97d6ff601726a0537c1a25b2e2c213a003f56461526a3f8242dfbbff6d9ecefc150ffa739efb3386f118d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.bat

Filesize
38B

MD5
1bb08e1de6d8206457ccb5be7eaa90a9

SHA1
b895eee036fd4bbf20378b7bf71102fc1bf6de55

SHA256
acbe661b5145045fa3f319f23ca6d6043cb176492d2f7bb291880d107ec47d48

SHA512
4f905a5dac2249006262e93609428b8bb0305ca65eb61e2fe5e077db3e098e84a6cf4733b2d1a927f2f4ec2c2aa2ee7128b5cb735fb2aa922107612482e44f9a

Download Submit
memory/2680-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2680-1-0x0000000002180000-0x0000000002185000-memory.dmp

Filesize
20KB

Download
memory/2680-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download