Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 00:56

Static task: static1
Behavioral task: behavioral1
Sample: 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
Resource: win7-20240508-en
8 signatures
150 seconds
General
Target: 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
Size: 107KB
MD5: 656e1f70891e4a2c77a1f58cb4446a83
SHA1: 4d2e950535237f92aabf712863c7a6f00d93d17f
SHA256: ddbc8b5d72af93b39727f2a26efae6aca2127b933f600c6213435a91542d0ed0
SHA512: 8e707d3b20b17c611436e098debd8b8602dd19a51d6fbeebd090f6bed7ef874c9e885c75fe95f09ecaa112542bc9c9abb11ebd5b9cc5427386047d3a46913f7e
SSDEEP: 1536:vvA3k5x9zTF9V1GfCpq+j+zU8wrHvg+jjNVJAgUKT8W2cK3wy/8l/epYnHvIqvIM:Fx9PrbRrH/jhVJAzKTCx37s/fnA/aSg
Malware Config
Signatures

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | randomrandom.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (25 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\WpadDecisionTime = 604f3f05e3abda01 | randomrandom.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\WpadNetworkName = "Network 3" | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc\WpadDecisionTime = 40a42a3fe3abda01 | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | randomrandom.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2} | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc\WpadDecisionTime = 604f3f05e3abda01 | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\9e-cd-19-7d-49-dc | randomrandom.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc\WpadDecision = "0" | randomrandom.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | randomrandom.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\WpadDecisionTime = 40a42a3fe3abda01 | randomrandom.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | randomrandom.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc\WpadDecisionReason = "1" | randomrandom.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\WpadDecisionReason = "1" | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | randomrandom.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | randomrandom.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | randomrandom.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-cd-19-7d-49-dc\WpadDetectedUrl | randomrandom.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F68488D-586D-4572-B446-D5AA8DB822E2}\WpadDecision = "0" | randomrandom.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2588 | randomrandom.exe
2588 | randomrandom.exe
2588 | randomrandom.exe
2588 | randomrandom.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1612 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe

Suspicious use of UnmapMainImage (4 IoCs)
pid | Process
620 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
1612 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
3032 | randomrandom.exe
2588 | randomrandom.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 620 wrote to memory of 1612 | 620 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 28
PID 620 wrote to memory of 1612 | 620 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 28
PID 620 wrote to memory of 1612 | 620 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 28
PID 620 wrote to memory of 1612 | 620 | 656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe | 28
PID 3032 wrote to memory of 2588 | 3032 | randomrandom.exe | 30
PID 3032 wrote to memory of 2588 | 3032 | randomrandom.exe | 30
PID 3032 wrote to memory of 2588 | 3032 | randomrandom.exe | 30
PID 3032 wrote to memory of 2588 | 3032 | randomrandom.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe"
  PID: 620
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Child: C:\Users\Admin\AppData\Local\Temp\656e1f70891e4a2c77a1f58cb4446a83_JaffaCakes118.exe
    Command line: --6a9ac4fd
    PID: 1612
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage

C:\Windows\SysWOW64\randomrandom.exe
  Command line: "C:\Windows\SysWOW64\randomrandom.exe"
  PID: 3032
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\randomrandom.exe
    Command line: --cf884cd8
    PID: 2588
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage