Analysis
- max time kernel: 92s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2025, 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
  Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
- Size: 21KB
- MD5: e2ab329f47ca52275fe77460d00da716
- SHA1: dda35e2315bb69ec5bb96be604be4034b67a7d41
- SHA256: aa84389732f1c42c53d5502abef1804ac4f51cbaf0d14daeebb678bb7ba4c9d3
- SHA512: 23b2f436fbfa056056dd4bfcec9998cd60a04fdf7b310aa6ad3a6238c34edff1565a1c1718bb96c517130d3f59176848717828c0cff1cbfcbdadfe1262e9030a
- SSDEEP: 384:Jil28pZyij4P1DBh4+Itd71DoSk4Nl1IJclGsjHlXGfLCBe/cTqH3Y:Jil2+ZDe9h4+Itd71En4Nl1pMsjHlX2z
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ielowutil.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2680: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe
- PID 2680: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 3548: iexplore.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 3548: iexplore.exe
- PID 3548: iexplore.exe
- PID 3580: IEXPLORE.EXE
- PID 3580: IEXPLORE.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2680 wrote to memory of 3976 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 83)
- PID 2680 wrote to memory of 3976 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 83)
- PID 2680 wrote to memory of 3976 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 83)
- PID 3548 wrote to memory of 3580 (process: iexplore.exe, target procid: 87)
- PID 3548 wrote to memory of 3580 (process: iexplore.exe, target procid: 87)
- PID 3548 wrote to memory of 3580 (process: iexplore.exe, target procid: 87)
- PID 2680 wrote to memory of 2988 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 88)
- PID 2680 wrote to memory of 2988 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 88)
- PID 2680 wrote to memory of 2988 (process: JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe, target procid: 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe (PID 2680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3976)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2988)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2ab329f47ca52275fe77460d00da716.exe""
    - System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe (PID 3092)
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
  - System Location Discovery: System Language Discovery
- C:\Program Files\Internet Explorer\iexplore.exe (PID 3548)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3580)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3548 CREDAT:17410 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 83e824a59a0f049547fce5f47a763d3e
  SHA1: c22d5c004d59efc4d5bf83d9012f9419154e89bc
  SHA256: 63d9b7084e3042b25231ea447be350cc5b9e5c6f8c9e096b85d04bc6120b9d09
  SHA512: be008e7b6fd0516e12306e57af0a708c90b0be31d52dad4d91d7d312bc97a700775eeac74d83d73509775646fea3a90c0c8634997afab2959272f280e91b4532
- Filesize: 4KB
  MD5: b664b38d499b4379466e2d7ea4d87768
  SHA1: 8f86559f1d84fafa66dd297a597e8367e6f2b149
  SHA256: 16c1ef6558c2cf557c10dc33a08bb7b4663ab7154d48651dc3de8a28113fff5a
  SHA512: 3d8dc1bccae0aa3ca9aef97c6df171a442ee1602ad97d6ff601726a0537c1a25b2e2c213a003f56461526a3f8242dfbbff6d9ecefc150ffa739efb3386f118d4
- Filesize: 38B
  MD5: 1bb08e1de6d8206457ccb5be7eaa90a9
  SHA1: b895eee036fd4bbf20378b7bf71102fc1bf6de55
  SHA256: acbe661b5145045fa3f319f23ca6d6043cb176492d2f7bb291880d107ec47d48
  SHA512: 4f905a5dac2249006262e93609428b8bb0305ca65eb61e2fe5e077db3e098e84a6cf4733b2d1a927f2f4ec2c2aa2ee7128b5cb735fb2aa922107612482e44f9a