Analysis

max time kernel: 148s
max time network: 142s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 21:32

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
  Resource: win7-20240508-en
  6 signatures
  150 seconds
General

Target: 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
Size: 91KB
MD5: 26d6aa10ad93d6aa5281483ac169bf3a
SHA1: 331f191e3a85d7e97810ae62617c5a0d9b2babce
SHA256: 07a2a449026acd0e941bfc8138266a5399e5a78f6ce5dc926a30d45c41558f11
SHA512: 6a70376301a1c811f3fce2ab74f67dcf302aad6a0fc172aa86ffce6c7850d85be797af7bdb5386b5235e543ac50da2dbb20992aa5634a4be710a8067054d26f4
SSDEEP: 1536:bw54SjpaSUkBy3y4OWinukAPzSatP4zlkwKQuvFboV8jXSk:ypIXJOWinZah4zgTvxoVcXS
Score: 5/10
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | stocktrouble.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | stocktrouble.exe

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (26 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64 | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\12-09-25-b5-a8-64 | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\WpadDecisionTime = 5010cb8a8fa1da01 | stocktrouble.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | stocktrouble.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\WpadDecisionReason = "1" | stocktrouble.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\WpadDecision = "0" | stocktrouble.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64\WpadDecision = "0" | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | stocktrouble.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64\WpadDecisionReason = "1" | stocktrouble.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9} | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\WpadDecisionTime = 70a02f3a8fa1da01 | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | stocktrouble.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64\WpadDecisionTime = 70a02f3a8fa1da01 | stocktrouble.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64\WpadDetectedUrl | stocktrouble.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | stocktrouble.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{314F7DA4-6DEE-4372-BAA7-FFB5B3F99CA9}\WpadNetworkName = "Network 3" | stocktrouble.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-09-25-b5-a8-64\WpadDecisionTime = 5010cb8a8fa1da01 | stocktrouble.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | stocktrouble.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)

pid | Process
1848 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
2168 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
2716 | stocktrouble.exe
2644 | stocktrouble.exe
2644 | stocktrouble.exe
2644 | stocktrouble.exe
2644 | stocktrouble.exe
2644 | stocktrouble.exe
2644 | stocktrouble.exe

Suspicious behavior: RenamesItself (1 IoCs)

pid | Process
2168 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)

description | pid | Process | procid_target
PID 1848 wrote to memory of 2168 | 1848 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 28
PID 1848 wrote to memory of 2168 | 1848 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 28
PID 1848 wrote to memory of 2168 | 1848 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 28
PID 1848 wrote to memory of 2168 | 1848 | 26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe | 28
PID 2716 wrote to memory of 2644 | 2716 | stocktrouble.exe | 30
PID 2716 wrote to memory of 2644 | 2716 | stocktrouble.exe | 30
PID 2716 wrote to memory of 2644 | 2716 | stocktrouble.exe | 30
PID 2716 wrote to memory of 2644 | 2716 | stocktrouble.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe"
  PID: 1848
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26d6aa10ad93d6aa5281483ac169bf3a_JaffaCakes118.exe"
    PID: 2168
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\stocktrouble.exe
  "C:\Windows\SysWOW64\stocktrouble.exe"
  PID: 2716
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\stocktrouble.exe
    "C:\Windows\SysWOW64\stocktrouble.exe"
    PID: 2644
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses