Analysis

max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 15:55

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
- Resource: win7-20240221-en
- 7 signatures
- 150 seconds
General

Target: 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
Size: 459KB
MD5: 2599715e41108a239dbb2168409a45e2
SHA1: 70d64469924d04541e83b603f6e96649f18d9c36
SHA256: f8fa091e213aa5cbeac224f8af4337f891ca719c2769ea84f30af31944e5a01d
SHA512: 2ed7f496519cd8771b9ffc64be8dfa7cca53eb540ba2cec912359519053e7cdbd9ff66531761d584d0a730710f5c8c4102e993747dbde99cec03da92dca09201
SSDEEP: 6144:132grmZzPSC5gRi8d3VGHnWtkwaauFHgPvbkqqM:sgqZLpD8dFwnWCEu6ruM
Malware Config
Signatures

Drops file in System32 directory (1 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | routervoice.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (19 IoCs)
description | ioc | Process
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-eb-7e-51-d1-c6\WpadDecisionTime = e0cd5d2f60a1da01 | routervoice.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-eb-7e-51-d1-c6\WpadDetectedUrl | routervoice.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | routervoice.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | routervoice.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3}\WpadDecisionReason = "1" | routervoice.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-eb-7e-51-d1-c6\WpadDecisionReason = "1" | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3} | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-eb-7e-51-d1-c6 | routervoice.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3}\WpadNetworkName = "Network 3" | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | routervoice.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | routervoice.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | routervoice.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3}\WpadDecision = "0" | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3}\b6-eb-7e-51-d1-c6 | routervoice.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-eb-7e-51-d1-c6\WpadDecision = "0" | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | routervoice.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | routervoice.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E38402DF-3D1C-46FF-9F71-7B7F06D441B3}\WpadDecisionTime = e0cd5d2f60a1da01 | routervoice.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
- 1652 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
- 2480 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
- 2824 | routervoice.exe
- 2532 | routervoice.exe
- 2532 | routervoice.exe
- 2532 | routervoice.exe
- 2532 | routervoice.exe
- 2532 | routervoice.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
- 2480 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
- PID 1652 wrote to memory of 2480 | 1652 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe | 28
- PID 1652 wrote to memory of 2480 | 1652 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe | 28
- PID 1652 wrote to memory of 2480 | 1652 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe | 28
- PID 1652 wrote to memory of 2480 | 1652 | 2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe | 28
- PID 2824 wrote to memory of 2532 | 2824 | routervoice.exe | 30
- PID 2824 wrote to memory of 2532 | 2824 | routervoice.exe | 30
- PID 2824 wrote to memory of 2532 | 2824 | routervoice.exe | 30
- PID 2824 wrote to memory of 2532 | 2824 | routervoice.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe"
  PID: 1652
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe (child of PID 1652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2599715e41108a239dbb2168409a45e2_JaffaCakes118.exe"
    PID: 2480
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\routervoice.exe
  Command line: "C:\Windows\SysWOW64\routervoice.exe"
  PID: 2824
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\routervoice.exe (child of PID 2824)
    Command line: "C:\Windows\SysWOW64\routervoice.exe"
    PID: 2532
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses