615c219d9619bfdbe14dcb8cf20e848131098594d44dc7c643a22afb22c85da9

Analysis

max time kernel
138s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/02/2025, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
Size

324KB
MD5

d028d02bab14c16c8750751b33891b9d
SHA1

a2b7862b85c5d89dbc037638e27a8a403f6a0496
SHA256

615c219d9619bfdbe14dcb8cf20e848131098594d44dc7c643a22afb22c85da9
SHA512

838b51d45145b143adee254bf206caca1c085e3bf42c8853bde98565c67c0514437ebd92586472d74eb8471dd71647714924e0fe2cd5a9d471f9d2158f13b20f
SSDEEP

6144:rGg7mBN13nrOBafV2HuCY1q48z/DFGLsPuJyp5bGSn8kNrMKFX2wdXh2Hvvs1XFw:r0AoEJrM2OEX+67rOEgPYpc3rPU

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2372 set thread context of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "445340283"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5668FCA1-E78E-11EF-AF60-7ED3796B1EC0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
Token: SeDebugPrivilege	1788	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2592	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
2592	IEXPLORE.EXE
2592	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2276 wrote to memory of 2372	2276	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	30
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2372 wrote to memory of 2836	2372	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	31
PID 2836 wrote to memory of 2744	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	32
PID 2836 wrote to memory of 2744	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	32
PID 2836 wrote to memory of 2744	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	32
PID 2836 wrote to memory of 2744	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	32
PID 2744 wrote to memory of 2592	2744	iexplore.exe	33
PID 2744 wrote to memory of 2592	2744	iexplore.exe	33
PID 2744 wrote to memory of 2592	2744	iexplore.exe	33
PID 2744 wrote to memory of 2592	2744	iexplore.exe	33
PID 2592 wrote to memory of 1788	2592	IEXPLORE.EXE	34
PID 2592 wrote to memory of 1788	2592	IEXPLORE.EXE	34
PID 2592 wrote to memory of 1788	2592	IEXPLORE.EXE	34
PID 2592 wrote to memory of 1788	2592	IEXPLORE.EXE	34
PID 2836 wrote to memory of 1788	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	34
PID 2836 wrote to memory of 1788	2836	JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d028d02bab14c16c8750751b33891b9d.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a714a28563e814d6473bc24114978338

SHA1
eb4932983f96609c44485d9adb62d1a12de8a6cb

SHA256
730cf8222c5d3f6e31c77ae33195c6713af2ee62943e8457e66b81ce6fd12c5c

SHA512
7ac475c0f80cb411aafb238b510b5b447b6b01fa77bf08a231afbcc3044919b60e06eebd6f56e70fb1ca9320bcf354fb7ac7564924645023578800f0dee715a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9df04bd915f8080083ee168a1eef315

SHA1
9e22d4918740e00d9f7fef1892affbb83fab7e26

SHA256
2358b23f6b2daa4170334b4ee5cf569c6c5428ee5cfafcda4f666d0f7ad03dab

SHA512
46ead4c19550ba9a8a13a0baa59ba1aa7ec67d55d6d54027bf58c6fdd980d6f6ddabc51a9c20ff9ebe5513f05d601f5810b5d7e2d5b17e7f85ad655e7be1dfb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f5c831c3e668133477786dcb75dd90e

SHA1
726ff47254ce21056973a1d5a0e22623077577eb

SHA256
6fca57144cb56563c4db27427bb4bcd42eaa3ee6b2162095ca0a7d2d953cd248

SHA512
faeb8f95e6549a4eb20612cbd937540422cdfd2602a46bfcaf3214c09c2fa6eab4ffcda46bd7d510d971b58b7e976acb3733b6d671f08fed78306e2f9286db7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6136.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6149.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2372-15-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-5-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-7-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-13-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-34-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-3-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2836-31-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-26-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-36-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-37-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2836-41-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2836-45-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-29-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-35-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-22-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-20-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2836-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download