05a9d2e7d6c650eb79f3c77f39b395b6b0db494860e7adca7d67ad67eac204db

Analysis

max time kernel
134s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Size

733KB
MD5

4ed6ed50ae9c53bf2f1cc70370b6e76e
SHA1

e36a1821f6bcd5cb7122f59cd6ae465c0d02eee1
SHA256

05a9d2e7d6c650eb79f3c77f39b395b6b0db494860e7adca7d67ad67eac204db
SHA512

fa1f800d93f1448cd854f7076ea897333cb08cfb10f7ec6460fe54b50274a364a4152fa6951ba59ecec2c07891aee8fb46886ca131883a986341a75aa398f391
SSDEEP

12288:CBtUCARpFAWoamZUv3wwK4EjuEsj6HPFEypM0JNmu1facYFk5b2:CfbWWUvnK/jiePrMwpYF8q

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe:typelib"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\ProgID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\LocalServer32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib\Version = "1.0"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\ = "Inst Class"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\FLAGS	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\Programmable	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\HELPDIR	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid\CurVer	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\VersionIndependentProgID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0\win32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid\CurVer	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid\ = "Inst Class"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe\""	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib\Version = "1.0"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\VersionIndependentProgID\ = "feted.phasmid"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\Version	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0\win32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\Version	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib\ = "{474EABFE-792F-484E-9AC3-5D579BD99C1A}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\HELPDIR	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\FLAGS	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib\ = "{474EABFE-792F-484E-9AC3-5D579BD99C1A}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1\CLSID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\Version\ = "1.0"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ = "IBoot"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\TypeLib\ = "{474eabfe-792f-484e-9ac3-5d579bd99c1a}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\VersionIndependentProgID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1\ = "Inst Class"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid\CurVer\ = "feted.phasmid.1"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\ = "InstallerLib"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\ProxyStubClsid32	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1\CLSID\ = "{fce393c4-3925-4246-9f66-68fdb87aee6e}"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\FLAGS\ = "0"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{474EABFE-792F-484E-9AC3-5D579BD99C1A}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe"	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\Programmable	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C30CB86-22FF-4B23-81AC-89FE5BCCDB0E}\TypeLib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\feted.phasmid.1\CLSID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}\ProgID	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fce393c4-3925-4246-9f66-68fdb87aee6e}	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe:typelib	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3200	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
3200	4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ed6ed50ae9c53bf2f1cc70370b6e76e_JaffaCakes118.exe:typelib

Filesize
7KB

MD5
d25baea0241f59aebf35fcedc4131455

SHA1
641d7906634cf9f5771b95e20ee19f1c776d1fc0

SHA256
5d64ab4c4861c440fb040345d0c388d5bc23c1074f369e741875accbd1b9239f

SHA512
c1d26c968e6375c587f757d565a95108b24b6282ce027329205a90454393dba8d0e42ef17daded547d8fe0f4f0894198361e6bc72d4a88265d310ee2d7486314

Download Submit
memory/3200-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/3200-7-0x0000000000340000-0x00000000004E3000-memory.dmp

Filesize
1.6MB

Download
memory/3200-15-0x0000000000340000-0x00000000004E3000-memory.dmp

Filesize
1.6MB

Download
memory/3200-14-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download