Analysis

max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 23:24

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
  Resource: win7-20240508-en
  7 signatures, 150 seconds
General

Target: 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
Size: 144KB
MD5: 273291567a770579ce3dc6917e1b4402
SHA1: 46a9e2139d2021b2ca68c84fe53a7f798f9b0bc7
SHA256: a12e6a57bafb85c0d8eeb15d71697b09be4a0222ed897fc05b573d57a2593ac2
SHA512: 1b966a4ca2103656e1a736ec0629f90364c68f66b3b13b0ff04f7b5ea8d3026c5fe3106113b8ad638335771d019ccc690d420b23a23bc867a86f9d808870e31b
SSDEEP: 3072:MJiOVZaic4INE9+j8ocr2i+hF3ijB4QMr3:MJtVZ1cJGIj8YMB4F
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                        Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  zipbased.exe
  Note: counters.dat under config\systemprofile is a WinINet cache artefact of the LocalSystem profile, not a payload drop. Together with the HKEY_USERS\.DEFAULT writes recorded below it indicates zipbased.exe was running in the SYSTEM account context. The report does not record how zipbased.exe was launched; it appears as a root of its own process tree rather than as a child of the sample.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (19 IoCs)
  All 19 operations were performed by zipbased.exe.
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}\0a-79-9a-29-cf-db
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-79-9a-29-cf-db\WpadDecisionReason = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-79-9a-29-cf-db\WpadDecision = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-79-9a-29-cf-db\WpadDetectedUrl (no value recorded)
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}\WpadDecisionTime = 2098a7e79ea1da01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DBB4EBAB-9170-4B81-B231-53D510E45737}\WpadNetworkName = "Network 3"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-79-9a-29-cf-db
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-79-9a-29-cf-db\WpadDecisionTime = 2098a7e79ea1da01
  Note: every key here lives under HKEY_USERS\.DEFAULT, the hive WinINet uses when code runs as LocalSystem, and every value is one WinINet maintains itself (ProxyEnable, the Connections blobs, and the per-network Wpad auto-detect cache). The pattern is consistent with zipbased.exe issuing an HTTP request through WinINet as SYSTEM with default proxy settings, which triggers WPAD auto-detection, rather than with a deliberate proxy change: ProxyEnable is 0 and both DefaultConnectionSettings values start with flags 0x09 (direct + auto-detect) followed by empty proxy, bypass and PAC fields. Treat these as evidence of outbound HTTP activity from the SYSTEM context, and check the network section of the sandbox run for the actual destinations.
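The two DefaultConnectionSettings values above are REG_BINARY blobs in WinINet's connection-settings layout. The following decoder is an added example and not part of the sandbox report; it transcribes the report's two blobs as space-separated DWORDs (the trailing zero bytes of the second value are omitted, and the reserved tail after the three strings is not decoded), parses the documented header, and puts a constructed manual-proxy blob beside them so the difference between "default settings" and an actual traffic redirect is visible. The flag bit names, the `assessment` verdict strings and the constructed hijack value are this example's own choices.

```python
"""Decode WinINet DefaultConnectionSettings / SavedLegacySettings blobs.

Fixed header of the REG_BINARY value (little-endian):
    DWORD version    0x46 on Windows 7
    DWORD counter    incremented each time WinINet rewrites the value
    DWORD flags      0x01 direct, 0x02 manual proxy, 0x04 PAC script, 0x08 WPAD auto-detect
    DWORD len+bytes  proxy server string
    DWORD len+bytes  proxy bypass list
    DWORD len+bytes  auto-config (PAC) URL
    32 bytes         reserved / auto-detect state (not decoded here)
"""
import struct

# Flag bit names are this example's own labels for the documented bits.
FLAG_NAMES = {0x01: "direct", 0x02: "manual-proxy", 0x04: "pac-script", 0x08: "auto-detect"}

# Transcribed from the report's registry IoCs, one DWORD per group
# (bytes.fromhex ignores the spaces). Only the header is decoded; the
# trailing zero bytes of the second value are omitted.
SETTINGS_FIRST = bytes.fromhex(
    "46000000 02000000 09000000 00000000 00000000 00000000" + " 00000000" * 8
)
SETTINGS_SECOND = bytes.fromhex(
    "46000000 03000000 09000000 00000000 00000000 00000000"
    " 04000000 00000000 00000000 00000000 00000000 00000000 01000000 02000000"
    " 0a7f002a"
)


def _read_lpstr(buf, off):
    """Read a DWORD-length-prefixed ANSI string at offset off."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length runs past end of blob")
    return buf[off:off + n].decode("latin-1"), off + n


def decode_connection_settings(buf: bytes) -> dict:
    """Parse the header fields; raise on a malformed or unknown-version blob."""
    if len(buf) < 24:
        raise ValueError("blob too short for a connection-settings header")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    if version != 0x46:
        raise ValueError("unexpected version 0x%x" % version)
    off = 12
    proxy, off = _read_lpstr(buf, off)
    bypass, off = _read_lpstr(buf, off)
    pac_url, off = _read_lpstr(buf, off)
    return {
        "version": version,
        "counter": counter,
        "raw_flags": flags,
        "flags": [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit],
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "tail_len": len(buf) - off,   # reserved region, 32 bytes on a clean value
    }


def encode_connection_settings(counter, flags, proxy="", bypass="", pac_url=""):
    """Build a blob in the same layout (used to construct a comparison value)."""
    def lpstr(s):
        b = s.encode("latin-1")
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<III", 0x46, counter, flags)
            + lpstr(proxy) + lpstr(bypass) + lpstr(pac_url) + bytes(32))


def assessment(settings: dict) -> str:
    """One-line triage verdict: does this value redirect traffic?"""
    if settings["proxy"] or settings["pac_url"]:
        return "TRAFFIC REDIRECTED: proxy=%r pac=%r" % (settings["proxy"], settings["pac_url"])
    if "auto-detect" in settings["flags"]:
        return "default settings (direct + WPAD auto-detect); expect Wpad\\ registry keys"
    return "direct, no auto-detect"


if __name__ == "__main__":
    for label, blob in (("first", SETTINGS_FIRST), ("second", SETTINGS_SECOND)):
        s = decode_connection_settings(blob)
        print(label, "counter=%d" % s["counter"], s["flags"], "->", assessment(s))
    # Constructed comparison value: what a real proxy hijack would look like.
    hijack = encode_connection_settings(4, 0x03, proxy="127.0.0.1:8080", bypass="<local>")
    print("hijack ->", assessment(decode_connection_settings(hijack)))
```

Both report values decode to counter 2 then 3, flags direct + auto-detect, and empty proxy/bypass/PAC strings, which is exactly the state in which WinINet goes looking for a WPAD PAC and populates the Wpad\ keys listed above; the counter bump is WinINet rewriting the value after that attempt. A value whose proxy or PAC field is non-empty is the one worth escalating.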
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1868  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
  2160  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
  2632  zipbased.exe
  2696  zipbased.exe (5 times)

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2160  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                              procid_target
  PID 1868 wrote to memory of 2160  1868  273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe  28  (4 times)
  PID 2632 wrote to memory of 2696  2632  zipbased.exe                                         30  (4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe (PID 1868)
  command line: "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe (PID 2160, child of 1868)
      command line: "C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\zipbased.exe (PID 2632)
  command line: "C:\Windows\SysWOW64\zipbased.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\zipbased.exe (PID 2696, child of 2632)
      command line: "C:\Windows\SysWOW64\zipbased.exe"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
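Both process trees show the same shape: a process spawns a second instance of its own executable and then writes into that child's memory four times, after which the child is the one doing the observable work (RenamesItself, the System32 file and HKEY_USERS writes). That is the classic self-injection / process-hollowing layout. The script below is an added example, not part of the report: it takes the report's WriteProcessMemory IoC lines and PID-to-image mapping as constructed inline input, and flags any parent-to-child memory write where both sides run the same image. The helper names and the line format regex are this example's own.

```python
"""Flag same-image parent-to-child memory writes (self-injection /
process-hollowing candidates) from sandbox WriteProcessMemory IoC lines."""
import re
from collections import Counter

# Process image per PID, taken from the Processes section of the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\zipbased.exe"
IMAGES = {1868: SAMPLE, 2160: SAMPLE, 2632: DROPPED, 2696: DROPPED}

# The eight WriteProcessMemory IoC lines, in the report's own column order:
# "PID <src> wrote to memory of <dst> <src> <process name> <procid_target>".
WPM_LINES = """\
PID 1868 wrote to memory of 2160 1868 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 28
PID 1868 wrote to memory of 2160 1868 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 28
PID 1868 wrote to memory of 2160 1868 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 28
PID 1868 wrote to memory of 2160 1868 273291567a770579ce3dc6917e1b4402_JaffaCakes118.exe 28
PID 2632 wrote to memory of 2696 2632 zipbased.exe 30
PID 2632 wrote to memory of 2696 2632 zipbased.exe 30
PID 2632 wrote to memory of 2696 2632 zipbased.exe 30
PID 2632 wrote to memory of 2696 2632 zipbased.exe 30
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return a list of (src_pid, dst_pid, src_process_name) tuples.

    Lines that do not match the IoC format are skipped rather than raising,
    so the function can be pointed at a whole report dump.
    """
    events = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, _src_again, name, _target_idx = m.groups()
        events.append((int(src), int(dst), name))
    return events


def find_self_injection(events, images):
    """Return [(src_pid, dst_pid, image, write_count)] for every source that
    wrote into a process running the same executable image as itself."""
    counts = Counter((src, dst) for src, dst, _ in events)
    hits = []
    for (src, dst), n in sorted(counts.items()):
        src_image = images.get(src)
        if src_image is not None and src_image == images.get(dst):
            hits.append((src, dst, src_image, n))
    return hits


def cross_image_writes(events, images):
    """The complementary case: writes into a process running a different image
    (remote injection into a host process). Returns the same tuple shape."""
    counts = Counter((src, dst) for src, dst, _ in events)
    return [
        (src, dst, images.get(dst, "<unknown>"), n)
        for (src, dst), n in sorted(counts.items())
        if images.get(src) != images.get(dst)
    ]


if __name__ == "__main__":
    events = parse_wpm(WPM_LINES)
    for src, dst, image, n in find_self_injection(events, IMAGES):
        print("self-injection: %d -> %d (%d writes) image=%s" % (src, dst, n, image))
    for src, dst, image, n in cross_image_writes(events, IMAGES):
        print("cross-image write: %d -> %d (%d writes) target=%s" % (src, dst, n, image))
```

On the report's data the output is two self-injection hits, 1868 -> 2160 and 2632 -> 2696, and no cross-image writes. The same check applied to Sysmon data would use event ID 10 (ProcessAccess) source/target images instead of sandbox IoC lines; the rule stays the same, a parent writing into a freshly created child of its own image.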