d2e38c961bd7d678183d6b9a77a770a13a089b0230e6654aafdfe6b21f3f6340

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 07:55

Target

e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Size

88KB
MD5

e982beeef9c2364c3b1b4a6aae62fba8
SHA1

04214bf0b8dfbdc55a4d0cdd9ca15bbbdef02793
SHA256

d2e38c961bd7d678183d6b9a77a770a13a089b0230e6654aafdfe6b21f3f6340
SHA512

82d96a06b53ae5f813559fa6333193cea710b723caf49f630ad5fe328f6f70b47fa1014ef7aadde4e51dbd1605406028455a5fb85fa20bd5456d833e4ac79a95
SSDEEP

1536:Gld+4wqwXSXg+pjBIYjVdNTIhfia7G2hXUWgmrWRde/yrWjOx4:GlIZqwXSXg+fIYjV/cBi72hXUFmrWRdR

Score

4^/10

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Winlows Publmgq\services.exe.txt	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Winlows Publmgq\services.exe	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\Shell\read\Command\ = "C:\\WINDOWS\\Winlows Publmgq\\services.exe \"%1\""	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\Shell	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\Shell\read\ = "??"	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\Shell\read\Command	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shell32.dll,-151"	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\Shell\read	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wnl	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wnl\ = "filewnl"	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\filewnl\DefaultIcon	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
2992	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
2992	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
2992	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2992	2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2992	2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2992	2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe	28
PID 2352 wrote to memory of 2992	2352	e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e982beeef9c2364c3b1b4a6aae62fba8_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2992