Analysis

max time kernel: 132s
max time network: 142s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 14:33

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
Resource: win7-20240220-en
7 signatures, 150 seconds
General

Target: 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
Size: 358KB
MD5: 254a71ecd4cfdda3cc5119029f277743
SHA1: 7fcf7a67735c7a990cd8995a0c800940eb9f3b62
SHA256: 556be9d0efd9bdccd689c7ec6732b1562bc121cb70902456909e94aae4a68488
SHA512: 673676351c2c63429b8b3630fcc29bad24c6f4c3e3078d8a36768d15738cb78306bd4008c4c403a7c0b5ecd6aee47c8e73a77f9e6f0cedad1fc1337fe1e50d98
SSDEEP: 3072:ZNvVSf/Sx0vK/HVohSDTC1WyE00WSqoOcdXeWFa2s0kEAu3awPIOkAQxouA:d21W86qmdXzF5sfEr3ZPDkA
Malware Config
Signatures
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | wgxiprop.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (18 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | wgxiprop.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wgxiprop.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecision = "0" | wgxiprop.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadNetworkName = "Network 3" | wgxiprop.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionReason = "1" | wgxiprop.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecision = "0" | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\fa-f4-8d-33-a9-5b | wgxiprop.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2} | wgxiprop.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionReason = "1" | wgxiprop.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionTime = 8033a0b654a1da01 | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b | wgxiprop.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionTime = 8033a0b654a1da01 | wgxiprop.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | wgxiprop.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | wgxiprop.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2292 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
1144 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
2156 | wgxiprop.exe
2224 | wgxiprop.exe
2224 | wgxiprop.exe
2224 | wgxiprop.exe
2224 | wgxiprop.exe
Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1144 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2292 wrote to memory of 1144 | 2292 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 28
PID 2292 wrote to memory of 1144 | 2292 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 28
PID 2292 wrote to memory of 1144 | 2292 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 28
PID 2292 wrote to memory of 1144 | 2292 | 254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe | 28
PID 2156 wrote to memory of 2224 | 2156 | wgxiprop.exe | 30
PID 2156 wrote to memory of 2224 | 2156 | wgxiprop.exe | 30
PID 2156 wrote to memory of 2224 | 2156 | wgxiprop.exe | 30
PID 2156 wrote to memory of 2224 | 2156 | wgxiprop.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe"
  PID: 2292
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe (child of PID 2292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\254a71ecd4cfdda3cc5119029f277743_JaffaCakes118.exe"
      PID: 1144
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\wgxiprop.exe
  Command line: "C:\Windows\SysWOW64\wgxiprop.exe"
  PID: 2156
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wgxiprop.exe (child of PID 2156)
      Command line: "C:\Windows\SysWOW64\wgxiprop.exe"
      PID: 2224
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses