Analysis
max time kernel: 80s
max time network: 80s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 07:43
Behavioral task: behavioral1
Sample: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
Size: 1.1MB
MD5: 1a7a529b672d2d2487e58058145b03ec
SHA1: d5fa4cccb347be0275cb1298255622daaff1431f
SHA256: 47cb3620b4a793bfcb4a3fa3a0ea0800515b2c31e0599cb5ea2acc1f4b881da6
SHA512: c5e91bdc5ccc1bda1e8f6f018f7fb8a933ecab90cb9f3cc2dd672b02fbbad4b115fa638b2ee9467300865237e8789c5f0b1c778fe05dae5020e9033fd052cacc
SSDEEP: 24576:zAUgy2I8Zl3vtMphbSb6MEW5h3nsoAnHnWy+by0eKMZ6oky:zd9FoWphZMdv3soAHAKKPoD
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Processes:
- behavioral2/memory/1992-0-0x0000000000400000-0x00000000006AF000-memory.dmp: yara_rule vmprotect
- behavioral2/memory/1992-1-0x0000000000400000-0x00000000006AF000-memory.dmp: yara_rule vmprotect
- behavioral2/memory/1992-3-0x0000000000400000-0x00000000006AF000-memory.dmp: yara_rule vmprotect
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1992: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
- pid 1992: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- pid 264: iexplore.exe
- pid 264: iexplore.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
Processes:
- pid 1992: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
- pid 1992: 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe
- pid 264: iexplore.exe
- pid 264: iexplore.exe
- pid 2172: IEXPLORE.EXE
- pid 2172: IEXPLORE.EXE
- pid 2172: IEXPLORE.EXE
- pid 2172: IEXPLORE.EXE
- pid 264: iexplore.exe
- pid 264: iexplore.exe
- pid 1176: IEXPLORE.EXE
- pid 1176: IEXPLORE.EXE
- pid 1176: IEXPLORE.EXE
- pid 1176: IEXPLORE.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description; pid process -> target process):
- PID 1992 wrote to memory of 264; 1992 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe -> iexplore.exe
- PID 1992 wrote to memory of 264; 1992 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe -> iexplore.exe
- PID 264 wrote to memory of 2172; 264 iexplore.exe -> IEXPLORE.EXE
- PID 264 wrote to memory of 2172; 264 iexplore.exe -> IEXPLORE.EXE
- PID 264 wrote to memory of 2172; 264 iexplore.exe -> IEXPLORE.EXE
- PID 1992 wrote to memory of 5052; 1992 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe -> iexplore.exe
- PID 1992 wrote to memory of 5052; 1992 1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe -> iexplore.exe
- PID 264 wrote to memory of 1176; 264 iexplore.exe -> IEXPLORE.EXE
- PID 264 wrote to memory of 1176; 264 iexplore.exe -> IEXPLORE.EXE
- PID 264 wrote to memory of 1176; 264 iexplore.exe -> IEXPLORE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1a7a529b672d2d2487e58058145b03ec_JaffaCakes118.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (level 2)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfdami.com
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 3)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (level 3)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:264 CREDAT:17418 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Program Files\Internet Explorer\iexplore.exe (level 2)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfdami.com
  - Modifies Internet Explorer settings