Analysis

max time kernel: 146s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-04-2024 21:37

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
  Resource: win7-20231129-en (windows7-x64)
  Signatures: 7
  Duration: 150 seconds
General

Target: 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
Size: 132KB
MD5: 0020351cc4c2a3ea6e0b1fc5fa684fe3
SHA1: 626f9da100fe83bbee5a25d52b87a3d4b48be5c9
SHA256: a67915345f7a32e7c40c51469a983ae18b731a658c04e370f2674ce8246c32dd
SHA512: e109d10bb84c33c246b1ba55c29949d2027389a5ad8d6c22770fefbbe162024dcedd573b69537109743b6dde0d85b6cebfd5e4460eef58d22c852a0325fcbdad
SSDEEP: 3072:qTu19iMnR4ueRRKAQWXpr5r3/47hpK1W:qy1RrGFQ6r5c7
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mwarepwd.exe

Note: counters.dat under Temporary Internet Files is WinINET's cache counter file, and SysWOW64\config\systemprofile is the WOW64 view of the LocalSystem profile. The useful fact here is not the "System32" label but that the 32-bit mwarepwd.exe was running under the SYSTEM account when it used WinINET.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (18 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mwarepwd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128}\WpadDecisionReason = "1" | mwarepwd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128}\WpadNetworkName = "Network 3" | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-2d-a6-de-1c-17 | mwarepwd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128}\WpadDecisionTime = 70e3daeb5897da01 | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128}\ba-2d-a6-de-1c-17 | mwarepwd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-2d-a6-de-1c-17\WpadDecision = "0" | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mwarepwd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mwarepwd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mwarepwd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0044000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128} | mwarepwd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-2d-a6-de-1c-17\WpadDecisionReason = "1" | mwarepwd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-2d-a6-de-1c-17\WpadDecisionTime = 70e3daeb5897da01 | mwarepwd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mwarepwd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mwarepwd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{341031A7-7D60-4E5E-AA7E-E4E789E95128}\WpadDecision = "0" | mwarepwd.exe

Note: .DEFAULT is the hive a LocalSystem process sees as HKCU, and the Wpad\{interface GUID} and Wpad\<MAC> keys with their WpadDecision, WpadDecisionReason and WpadDecisionTime values are written by Windows' own automatic proxy detection (WPAD) when a WinINET/WinHTTP request is made. The third DWORD of both DefaultConnectionSettings values is the proxy flags word, 0x09 = PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT, and ProxyEnable is 0, so no static proxy or PAC URL was configured. This signature therefore records the side effect of the sample making a network request as SYSTEM, not a proxy hijack; the network capture, not this key, is where to look for what it contacted.
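To check a DefaultConnectionSettings or SavedLegacySettings value like the ones above for a proxy hijack rather than eyeballing the hex, the following added example (not part of the sandbox report or its tooling) decodes the blob with the commonly documented layout: a 0x46 version DWORD, a write counter, the PROXY_TYPE_* flags word, then three length-prefixed strings (proxy server, bypass list, PAC URL); the auto-detect state and timestamp fields that follow are not parsed. REPORT_BLOB is the report's first value rebuilt field by field (counter 2, flags 9, empty strings); HIJACK_BLOB, build_blob and proxy_hijacked are constructed for illustration and do not come from the page.

```python
"""Decode WinINET's DefaultConnectionSettings / SavedLegacySettings blob.

Commonly documented layout (trailing auto-detect state and timestamp fields
that follow the three strings are not parsed here); all DWORDs little-endian:
    DWORD 0x46             structure version
    DWORD counter          bumped on each write
    DWORD flags            PROXY_TYPE_* bits
    DWORD len + bytes      proxy server, e.g. "host:port"
    DWORD len + bytes      bypass list
    DWORD len + bytes      auto-config (PAC) URL
"""
import struct

PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8

FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "DIRECT",
    PROXY_TYPE_PROXY: "PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "AUTO_PROXY_URL",
    PROXY_TYPE_AUTO_DETECT: "AUTO_DETECT",
}


def _read_lpstr(blob: bytes, off: int):
    """Read a DWORD-length-prefixed byte string; raise if the blob is cut short."""
    if off + 4 > len(blob):
        raise ValueError("blob truncated before string length")
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("blob truncated inside string")
    return blob[off:off + n].decode("ascii", "replace"), off + n


def parse_connection_settings(blob: bytes) -> dict:
    """Parse the header and the three strings; everything after them is ignored."""
    if len(blob) < 24:
        raise ValueError("blob too short")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version != 0x46:
        raise ValueError(f"unexpected structure version 0x{version:x}")
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac_url, off = _read_lpstr(blob, off)
    return {
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy": proxy,
        "bypass": bypass,
        "autoconfig_url": pac_url,
    }


def proxy_hijacked(settings: dict) -> bool:
    """True when a static proxy or PAC URL is configured, i.e. traffic is being
    steered somewhere specific instead of left at the Windows default."""
    steering = PROXY_TYPE_PROXY | PROXY_TYPE_AUTO_PROXY_URL
    return bool(settings["flags"] & steering) or bool(settings["proxy"] or settings["autoconfig_url"])


def build_blob(counter: int, flags: int, proxy=b"", bypass=b"", pac=b"") -> bytes:
    """Constructed helper: encode a blob in the layout above with a 32-byte zero trailer."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac):
        out += struct.pack("<I", len(s)) + s
    return out + b"\x00" * 32


# The report's first DefaultConnectionSettings value, rebuilt field by field:
# version 0x46, counter 2, flags 9, three empty strings, zero trailer (56 bytes).
REPORT_BLOB = bytes.fromhex("46000000" "02000000" "09000000") + b"\x00" * 44

# Constructed counter-example (not from the report): a static proxy pointed at a
# local listener, which is what an actual proxy hijack looks like in this key.
HIJACK_BLOB = build_blob(7, PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY,
                         proxy=b"127.0.0.1:8080", bypass=b"<local>")

if __name__ == "__main__":
    for label, blob in (("report", REPORT_BLOB), ("constructed hijack", HIJACK_BLOB)):
        s = parse_connection_settings(blob)
        print(f"{label}: flags=0x{s['flags']:x} {s['flag_names']} proxy={s['proxy']!r} "
              f"pac={s['autoconfig_url']!r} hijacked={proxy_hijacked(s)}")
```

On a live host the same value can be pulled with `reg query "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings` (or from HKCU for an interactive user) and fed to parse_connection_settings after bytes.fromhex. The second, longer value in the report starts with the same version, counter 3 and flags 9, so it decodes to the same verdict; the extra trailing bytes are WPAD state that the parser deliberately skips.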
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1044 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
2736 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
2616 | mwarepwd.exe
2724 | mwarepwd.exe
2724 | mwarepwd.exe
2724 | mwarepwd.exe
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2736 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1044 wrote to memory of 2736 | 1044 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe | 28
PID 1044 wrote to memory of 2736 | 1044 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe | 28
PID 1044 wrote to memory of 2736 | 1044 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe | 28
PID 1044 wrote to memory of 2736 | 1044 | 0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe | 28
PID 2616 wrote to memory of 2724 | 2616 | mwarepwd.exe | 30
PID 2616 wrote to memory of 2724 | 2616 | mwarepwd.exe | 30
PID 2616 wrote to memory of 2724 | 2616 | mwarepwd.exe | 30
PID 2616 wrote to memory of 2724 | 2616 | mwarepwd.exe | 30

Note: in both cases the writer is the parent and the target is a freshly spawned child running the same image (see the process tree), four writes each. That is the shape of a self-hollowing / RunPE-style loader, but the report records neither what was written nor whether a suspended thread was resumed afterwards, so it supports the pattern, not the mechanism.
Processes

C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe (PID 1044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe (PID 2736, child of 1044)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\mwarepwd.exe (PID 2616)
  Command line: "C:\Windows\SysWOW64\mwarepwd.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\mwarepwd.exe (PID 2724, child of 2616)
      Command line: "C:\Windows\SysWOW64\mwarepwd.exe"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

Note: mwarepwd.exe appears as a second top-level tree rather than as a child of the sample, so the report does not record which process launched it, and the only dropped-file IoC listed is counters.dat, so it also does not record how mwarepwd.exe came to exist in C:\Windows\SysWOW64. The systemprofile path and the .DEFAULT hive writes show it ran as SYSTEM; a persistence mechanism (service, scheduled task) is the natural place to look, but the page does not name one.
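The WriteProcessMemory rows and the process tree above together describe one relationship: a parent writing into a child that runs the same image. The following added example (not part of the sandbox report or its tooling) turns that into a rule over the kind of records the report contains, with the four processes and eight write events taken from the page; the explorer/notepad pair and the ninth log line are constructed to show a write the rule deliberately ignores, and the helper names parse_wpm and find_self_injection are my own.

```python
"""Flag 'parent writes into a child that runs the same image' from sandbox-style
process-creation records and WriteProcessMemory log lines.

Process pids, parent pids, image paths and write counts below are taken from
the report; the explorer/notepad pair and its write event are constructed.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0020351cc4c2a3ea6e0b1fc5fa684fe3_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\mwarepwd.exe"

# (pid, parent pid or None for a tree root, image path), from the process tree
PROCESSES = [
    (1044, None, SAMPLE),
    (2736, 1044, SAMPLE),
    (2616, None, DROPPED),
    (2724, 2616, DROPPED),
    # constructed negative case: parent and child run different images
    (4000, None, r"C:\Windows\explorer.exe"),
    (4001, 4000, r"C:\Windows\System32\notepad.exe"),
]

# One line per call, in the report's own wording; the last line is constructed.
WPM_LOG = """\
PID 1044 wrote to memory of 2736
PID 1044 wrote to memory of 2736
PID 1044 wrote to memory of 2736
PID 1044 wrote to memory of 2736
PID 2616 wrote to memory of 2724
PID 2616 wrote to memory of 2724
PID 2616 wrote to memory of 2724
PID 2616 wrote to memory of 2724
PID 4000 wrote to memory of 4001
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_wpm(text: str):
    """Yield (writer_pid, target_pid) for each WriteProcessMemory line."""
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2))


def find_self_injection(processes, wpm_events):
    """One finding per (writer, target) pair where the target is a direct child
    of the writer and both run the same image path; counts the writes."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    counts = Counter(wpm_events)
    findings = []
    for (writer, target), n in sorted(counts.items()):
        if writer not in by_pid or target not in by_pid:
            continue  # unknown process: no lineage to reason about
        _, writer_image = by_pid[writer]
        target_ppid, target_image = by_pid[target]
        if target_ppid == writer and writer_image.lower() == target_image.lower():
            findings.append({"writer": writer, "target": target,
                             "image": target_image, "writes": n})
    return findings


def main():
    findings = find_self_injection(PROCESSES, parse_wpm(WPM_LOG))
    for f in findings:
        print(f"{f['writer']} -> {f['target']} ({f['writes']} writes) {f['image']}")
    return findings


if __name__ == "__main__":
    main()
```

Run against the report's data this yields exactly the two pairs the sandbox flagged, 1044 -> 2736 and 2616 -> 2724, each with four writes, and stays silent on the constructed explorer -> notepad write. On a live host the same rule can be fed from Sysmon Event ID 1 (process creation, with ParentProcessId and Image) and Event ID 10 (ProcessAccess with PROCESS_VM_WRITE, 0x20, in GrantedAccess), since Sysmon does not log WriteProcessMemory calls themselves.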