386f8485fce6bd1f830d9140d3f5bb511602329a7a7dbdc84c4b94e16d230c84

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
Size

142KB
MD5

e76b27d839080f09789186de45769ef2
SHA1

8a12174e7ddaf0a2915373f8305bb73b7c4fd8ee
SHA256

386f8485fce6bd1f830d9140d3f5bb511602329a7a7dbdc84c4b94e16d230c84
SHA512

9a347aebb726244fbd7a4a2614e431dace3b58fca7cb0f985cd8a8248f7387fd0e1083609f93e9879bc4a6fa263d5aefdf4e37d3723363d8a086ae3efed7706c
SSDEEP

3072:VidQMhEpc9B7zqW9MsmUg5X3+R2BeaiEygGd4G4aDg+:MqMhR78UsFBGNM

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winchk = "C:\\Windows\\system32\\winchk.exe"	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysCFG = "C:\\Windows\\system32\\syscfg.exe"	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "Cocksucker"	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "Cocksucker"	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Shared\BlackICE PC Protection 3.5 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Dransik classic account unlocker.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Battlefield 1942 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Sophie Sweet (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Norton Anti-Virus 2004 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Nero Burning Rom (5.X + 6.X) keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\syscfg.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Window Washer 4.8 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Office XP keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\GTA Vice City Universal NoCD patch.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Playstation 2 emulator.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Panda Anti-Virus Titanium keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Mirc 6.03 serial generator.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Retina vulnerability scan keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\DC++ ShareFaker.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Norton Anti-Virus 2003 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Visual Basic 6 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\syscfg.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Tawny Roberts (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Krystal Steel (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Carmen Electra NUDE (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Norton Anti-Virus 2003 crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\windows\SysWOW64\progman.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Visual Studio keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Microsoft Visual C++ keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Runescape character editor.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\UT 2003 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Vietcong keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\WinZip keygen (all versions).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\BlindWrite crack (all versions).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Dransik character editor.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\KMD 2.1.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\WinRAR keygen (all versions).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Half-Life keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Warcraft III Reign Of Chaos 1.0X Virtual Crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winchk.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Norton Internet Security crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Lavasoft Ad-Aware 6 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\KAV Personal Pro crack & keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Kazaa Speedup 3.05.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Lavasoft Ad-aware 6 pro keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Everquest 2 NoCD crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Delphi 7 Enterprise keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Briana Banks (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\MusicMatch JukeBox 8.0 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Kazaa AD-remover.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Tiny Personal Firewall 5.0 crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\3D Studio MAX v4.x v5.x v6.x keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Britney spears DressUp Doll.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Jedi Academy keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Britney Spears NUDE (screensaver).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Norton Anti-Virus 2004 crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Matrix Code Emulator Screensaver.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\PopUp Killer crack (all versions).exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Alcohol 120 keygen.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Imesh No-Adverts.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Shared\Windows XP activation crack.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LOL.exe	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\windows\winkey.txt	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\windows\winbfkey.txt	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\windows\winutkey.txt	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
File created	C:\Windows\NOTEPAD.EXE	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
2372	e76b27d839080f09789186de45769ef2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e76b27d839080f09789186de45769ef2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e76b27d839080f09789186de45769ef2_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Shared\Lavasoft Ad-Aware 6 keygen.exe

Filesize
142KB

MD5
e76b27d839080f09789186de45769ef2

SHA1
8a12174e7ddaf0a2915373f8305bb73b7c4fd8ee

SHA256
386f8485fce6bd1f830d9140d3f5bb511602329a7a7dbdc84c4b94e16d230c84

SHA512
9a347aebb726244fbd7a4a2614e431dace3b58fca7cb0f985cd8a8248f7387fd0e1083609f93e9879bc4a6fa263d5aefdf4e37d3723363d8a086ae3efed7706c

Download Submit
memory/2372-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download