Analysis

  • max time kernel
    144s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/01/2025, 12:04

General

  • Target
    JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
  • Size
    679KB
  • MD5
    e69c5c6b034d010bb57126bf82813198
  • SHA1
    e1b6a6df0d5a5296efa64e313a4627eef92fe746
  • SHA256
    72f754ea837eebc99d547481ad5d74d4722269363d04bef454a35c2d3b699c4e
  • SHA512
    eac5c1c505391fc91a9b052c97579e64f9038d35705caa0a26c4e1cc5ab4b3f89d7b287050785d26c633b2ab2753efad8d85ba9b4e0bb8dde00907d8a85c0a4d
  • SSDEEP
    12288:AmJihrl03EUWue9S1gbmA8s64WhAmqupX0XKM4Yza2USiZzyjtexUQG3yB0vYsSW:AmJK6Ba9Sgbmd4CcqX0XJzxUSiZzyj8M

Malware Config

Signatures

  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2916

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_0C493B6872FE216C47DE50A9F8E11760
    Filesize: 5B
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml
    Filesize: 29KB
    MD5: 94cd2434f802cc1d795d5fc2965ad827
    SHA1: bcd3ca114373d07b84aa6e2d2e249ad9d80838b9
    SHA256: 82c4b7fc52038a34414fb8f7fb328289e0516f3a5e209f12488417236772794d
    SHA512: 4c94214015beb2cb6914605b1d4acc10470299f3d4dda7c2c6cdd2fde5ed663a77bc7da3f9ba65876a7712eaaa0c3e80026930e8a4d9ed6bfba00428e145a134

  • C:\Users\Admin\AppData\LocalLow\alot\toolbar.xml.backup
    Filesize: 28KB
    MD5: e6a20b68ab7ebfa534eb020e84aacfe6
    SHA1: 5e1edd6166e586bb72f759104edefc754f344d33
    SHA256: 2001499108e66e5ac01a657149af97e71e1f8c584c4b9d1c44757b598a24da74
    SHA512: 9991a8bd8f0832e0b8333abf378479a163afb18d2a051791e6e9fb023f46f17865ccb13900121c1c40f302c9449ac4f79f142bca2a397d6b41016191d77c6fb7

  • C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
    Filesize: 2KB
    MD5: a34c3aeca76e7bc74297a272d7c34522
    SHA1: cabe469ba2681d487fafdf8bd92bf6899e134bea
    SHA256: e11cee5be2b9ea2a238d0a1700af18a231f13cff5a86468bfcdd3c6865a6ac3b
    SHA512: 62c08dcb7f06674568c3bd794cf823dd1850d3179e334688727b7484f517a11e3f7de91298bf9889ccf13701b2999761ab874978204b42a9be6db24d7fbfd032

  • C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
    Filesize: 2KB
    MD5: 1bfc333220308823791c96d52ab9bee2
    SHA1: 7672c3f7aa2459baba59b7d8c6a3172feb6c4899
    SHA256: 83b0f42ccf3172baf19897138a6c2b2a670b58e7e81e35e0172f92c1462dd6a3
    SHA512: c531fc3f2f8f4125d9def6901177c40f2386693443a76c3a988d808c0ca6d5a427360ff93f55ec29dfb398e5923f50618e9fabd11ab6bcf4f49f42f51292f751

  • C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula.ini
    Filesize: 1KB
    MD5: 6a82b6a0fe6138096e549bef053ca02b
    SHA1: af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3
    SHA256: 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c
    SHA512: c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f

  • C:\Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\eula_en.html
    Filesize: 11KB
    MD5: f8aee788c2a09699cd4d607e1db670c8
    SHA1: 6457b766f043d901a6dd204d00626c4bea02d503
    SHA256: 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9
    SHA512: 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162

  • \Program Files (x86)\alot\bin\alot.dll
    Filesize: 812KB
    MD5: acb423998044f7dcc904a43419ef2d78
    SHA1: 7fec3d6d444c8f3fef32b6634901fd010b0295bb
    SHA256: 03707a3959ee86ab624d805a399b839d9b2949875f79940026f63a96e6be740f
    SHA512: f037a03564f3608dc69deef46aa63b9250721f4c16aa882054b8eae8a34842a2f7b39910abe47141b549e276b9316ad731056674b9c76bbf5991158ec2c6170a

  • \Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\InstallOptions.dll
    Filesize: 15KB
    MD5: 6e663f1a0de94bc05d64d020da5d6f36
    SHA1: c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
    SHA256: 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
    SHA512: 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5

  • \Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\System.dll
    Filesize: 11KB
    MD5: b9f430f71c7144d8ff4ab94be2785aa6
    SHA1: c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
    SHA256: b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
    SHA512: c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099

  • \Users\Admin\AppData\Local\Temp\nsj9F1F.tmp\installhelper.dll
    Filesize: 127KB
    MD5: 91b0372096274dbd47395aa8b28ffedb
    SHA1: 05d79ba090439c2898d8ad480355c08091acee55
    SHA256: 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28
    SHA512: c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08

  • memory/2916-158-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize: 4KB
  • memory/2916-198-0x0000000010004000-0x0000000010005000-memory.dmp
    Filesize: 4KB
  • memory/2916-197-0x0000000002750000-0x0000000002751000-memory.dmp
    Filesize: 4KB
  • memory/2916-280-0x0000000003560000-0x0000000003632000-memory.dmp
    Filesize: 840KB
  • memory/2916-314-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize: 4KB
  • memory/2916-15-0x00000000005A0000-0x00000000005C3000-memory.dmp
    Filesize: 140KB
  • memory/2916-335-0x0000000010004000-0x0000000010005000-memory.dmp
    Filesize: 4KB