123ada8690f4f47bb480dab0f8bd5af2a7d549b7c0e0cdc5596b2f0b3b0fbb06

Analysis

max time kernel
134s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Size

599KB
MD5

3c9a68024b969a0035973e8bec1a339d
SHA1

9af9293d23341bb1826463d659661fa2ebb8da07
SHA256

123ada8690f4f47bb480dab0f8bd5af2a7d549b7c0e0cdc5596b2f0b3b0fbb06
SHA512

44bf09658e80f20923f49f3713c3ea0a2ecf82b19dbcd3de68a4d546321a2425ee19483d776a16feb0b6d5c3162707d9d7ecc768c3e224a5b75d89668f0823aa
SSDEEP

12288:HbLYszYvbyqCyHsAVvs3twVgmpYRZJLDVHQEBGNh1m3q0IT:HqGqCl3SVgmaRZPwjb1uq0IT

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\LocalServer32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\TypeLib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\ = "InstallerLib"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\ProgID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\TypeLib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches.1\CLSID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ = "IBoot"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe:typelib"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0\win32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\Version	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\Programmable	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe\""	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\ = "Inst Class"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\ProgID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\TypeLib\ = "{92a9476d-3cb8-4388-89e8-22775739442f}"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ = "IBoot"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\Programmable	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches\CurVer	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\FLAGS\ = "0"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib\Version = "1.0"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches.1	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0\win32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\FLAGS	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib\Version = "1.0"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches.1\CLSID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\LocalServer32	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches.1	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\VersionIndependentProgID\ = "earnest.penuches"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\Version	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib\ = "{92A9476D-3CB8-4388-89E8-22775739442F}"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches.1\ = "Inst Class"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\VersionIndependentProgID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}\TypeLib\ = "{92A9476D-3CB8-4388-89E8-22775739442F}"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches\CurVer	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{92A9476D-3CB8-4388-89E8-22775739442F}\1.0\HELPDIR	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\ProgID\ = "earnest.penuches.1"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\earnest.penuches\CurVer\ = "earnest.penuches.1"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\Version\ = "1.0"	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E04964C9-618A-424B-B7CD-720C32A04474}	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3c4caa2e-aaae-4c84-805b-26ef5fd51331}\VersionIndependentProgID	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe:typelib	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
880	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
880	3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3c9a68024b969a0035973e8bec1a339d_JaffaCakes118.exe:typelib

Filesize
8KB

MD5
784ecebdc78fa2bdfba195ae19f9eaeb

SHA1
b667f761b8e977d6ac540b45842aab83bf0e72b2

SHA256
d4b66bf77f0814dc5716596b9f6b4ffe17f5f3c6661c061bd5278bd6093e403d

SHA512
7f01e994bc75d0e1ae6d6b8026dacce7396e638109de693917b29785be3b8cb78ab340f2ec9b967599639084e512f354bc2cb679b63e1f34164874325a5ba949

Download Submit
memory/880-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/880-7-0x0000000000360000-0x00000000004E3000-memory.dmp

Filesize
1.5MB

Download
memory/880-14-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/880-15-0x0000000000360000-0x00000000004E3000-memory.dmp

Filesize
1.5MB

Download