Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-04-2024 08:32
Static task: static1

Behavioral task: behavioral1
- Sample: 0061ba64225d307688d0764af65732ab_JaffaCakes118.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 0061ba64225d307688d0764af65732ab_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: 0061ba64225d307688d0764af65732ab_JaffaCakes118.exe
- Size: 2.7MB
- MD5: 0061ba64225d307688d0764af65732ab
- SHA1: 97adaf0e0fa154e7060ec152034ca9da4cbfa279
- SHA256: 49b19e229968acb597acef9e587860362b6cfdf9d89438f919888e267eb97cc9
- SHA512: 88bba7589563925fea1a0247310e21a29e45c41be1143c18d1c5215c168ba9515a6b3bc46914fdd9688b48105c47fe72b245f4bf09b6f11d953fd645b089ed44
- SSDEEP: 49152:lOfcsMc6EoBzTw6Gqqypj56G1LWMPFJRQ8EaI4EbN/uJyBjEt2fevm53:6oAoN6G1iKbW7aZQNWJyBXfevm53
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 2844: vVo71E4.exe
  PID 2168: vVo71E4.tmp
- Loads dropped DLL (1 IoC)
  PID 2168: vVo71E4.tmp
- Modifies registry class (64 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  source PID  source process                                       target PID  target procid  writes
  4180        0061ba64225d307688d0764af65732ab_JaffaCakes118.exe   2844        87             3
  2844        vVo71E4.exe                                          2168        88             3
  2168        vVo71E4.tmp                                          1556        91             3
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\0061ba64225d307688d0764af65732ab_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0061ba64225d307688d0764af65732ab_JaffaCakes118.exe"
  PID: 4180
  Signatures: Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\vVo71E4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vVo71E4.exe u_cam=pub433
    PID: 2844
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - Depth 3: C:\Users\Admin\AppData\Local\Temp\is-5SIM8.tmp\vVo71E4.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-5SIM8.tmp\vVo71E4.tmp" /SL5="$11003A,2159041,171008,C:\Users\Admin\AppData\Local\Temp\vVo71E4.exe" u_cam=pub433
      PID: 2168
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - Depth 4: C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
        PID: 1556
        Signatures: Modifies registry class
Network
MITRE ATT&CK Matrix
Downloads