Analysis

max time kernel: 131s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 22-05-2024 05:17

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
Resource: win7-20240221-en
7 signatures, 150 seconds
General

Target: 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
Size: 1.2MB
MD5: 6620336a6a602d98076733fe042d154d
SHA1: 8c4163fc85be743836a407a9e262aac40880a92a
SHA256: 95f33ec8115346b3cc2206125b265640c9df439275d4694b05de7d61c4c3cedb
SHA512: df94df992bec3b37eb745003b911e9c048036cda3f8237a15200c78096fb9f4c264c3cf1a1c566c6d9bf40f9b6c76c2dbde789ecd9a9cafa6be72b066ef37af8
SSDEEP: 6144:VbXa0LFTuJQ3/j3zgZELr1VBNj082BJr3k3xUOVs3DVf81GoyHn7kOpN50IKOOqG:Vu0RTBPjkK/jH2fIGOVoDJLvfOqsUFY
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  process: controlmath.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (18 IoCs)
  process: controlmath.exe (all 18 entries)
  description | ioc
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1"
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 1022a06607acda01
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 1022a06607acda01
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0"
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0"
  Set value (str)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3"
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1"

  Note: every entry lands under HKEY_USERS\.DEFAULT, the profile hive used by the LocalSystem account, and all of them are the Wpad and Connections proxy-autodetect values that WinINet writes when it resolves proxy settings. Together with the counters.dat write under SysWOW64\config\systemprofile, this shows that the 32-bit controlmath.exe was running as SYSTEM and performed WinINet network activity; the registry writes themselves are a side effect of that, not a persistence or tampering mechanism.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   process
  1984  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
  2728  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
  2276  controlmath.exe
  2792  controlmath.exe
  2792  controlmath.exe
  2792  controlmath.exe
  2792  controlmath.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   process
  2728  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                                              procid_target
  PID 1984 wrote to memory of 2728  1984  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe   28
  PID 1984 wrote to memory of 2728  1984  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe   28
  PID 1984 wrote to memory of 2728  1984  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe   28
  PID 1984 wrote to memory of 2728  1984  6620336a6a602d98076733fe042d154d_JaffaCakes118.exe   28
  PID 2276 wrote to memory of 2792  2276  controlmath.exe                                      30
  PID 2276 wrote to memory of 2792  2276  controlmath.exe                                      30
  PID 2276 wrote to memory of 2792  2276  controlmath.exe                                      30
  PID 2276 wrote to memory of 2792  2276  controlmath.exe                                      30
Processes

C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe"
  PID: 1984
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe (child of 1984)
    command line: "C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe"
    PID: 2728
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\controlmath.exe
  command line: "C:\Windows\SysWOW64\controlmath.exe"
  PID: 2276
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\controlmath.exe (child of 2276)
    command line: "C:\Windows\SysWOW64\controlmath.exe"
    PID: 2792
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
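Both the WriteProcessMemory signature and the process tree above show the same shape twice: a process starts a second copy of its own image and then writes into it (1984 into 2728, 2276 into 2792, four writes each). As an added worked example, not part of the Triage report and not Triage's own detection logic, the Python below parses rows in the shape the signature table prints, joins them against the process tree, and reports only writer/target pairs that run the same image. The row strings and the pid-to-path map are constructed from the report; the regex, function names and the consistency check between the description PID and the pid column are this example's own.

```python
"""Flag WriteProcessMemory rows where writer and target run the same image.

Added example for this report; not Triage's own logic. Input data below is
constructed from the report's WriteProcessMemory table and process tree.
"""
import re
from collections import Counter

# Rows in the shape "description pid process procid_target", constructed from the report.
WPM_ROWS = """\
PID 1984 wrote to memory of 2728 1984 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe 28
PID 1984 wrote to memory of 2728 1984 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe 28
PID 1984 wrote to memory of 2728 1984 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe 28
PID 1984 wrote to memory of 2728 1984 6620336a6a602d98076733fe042d154d_JaffaCakes118.exe 28
PID 2276 wrote to memory of 2792 2276 controlmath.exe 30
PID 2276 wrote to memory of 2792 2276 controlmath.exe 30
PID 2276 wrote to memory of 2792 2276 controlmath.exe 30
PID 2276 wrote to memory of 2792 2276 controlmath.exe 30
"""

# pid -> image path, taken from the report's process tree.
PROCESSES = {
    1984: r"C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe",
    2728: r"C:\Users\Admin\AppData\Local\Temp\6620336a6a602d98076733fe042d154d_JaffaCakes118.exe",
    2276: r"C:\Windows\SysWOW64\controlmath.exe",
    2792: r"C:\Windows\SysWOW64\controlmath.exe",
}

# Groups: description PID, target PID, pid column, process image, procid_target.
# procid_target (28, 30) does not appear in the process tree as a PID, so the
# target PID is taken from the description text instead.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Return a list of (writer_pid, target_pid, writer_image) tuples.

    Rows whose description PID disagrees with the pid column are dropped as
    malformed instead of being silently accepted.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        desc_pid, target, pid, image, _ref = m.groups()
        if desc_pid != pid:
            continue
        rows.append((int(pid), int(target), image))
    return rows


def image_name(path):
    """Lower-cased file name of a Windows path ("C:\\a\\b.exe" -> "b.exe")."""
    return path.rsplit("\\", 1)[-1].lower()


def find_same_image_writes(text, processes):
    """Map (writer_pid, target_pid) -> write count for pairs whose writer and
    target run the same image according to the process tree.

    In this report the sample's child (2728) additionally carries RenamesItself,
    which is why this pairing is worth surfacing for an analyst.
    """
    hits = Counter()
    for writer, target, _image in parse_rows(text):
        w = processes.get(writer)
        t = processes.get(target)
        if w and t and image_name(w) == image_name(t):
            hits[(writer, target)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (w, t), n in sorted(find_same_image_writes(WPM_ROWS, PROCESSES).items()):
        print(f"{w} -> {t}: {n} writes into a process running {image_name(PROCESSES[w])}")
```

The join against the process tree is what makes the rule useful: the row's process column only names the writer, so without the tree a write into an unrelated child (an injected browser, for instance) would look identical. Rows with a mismatched PID are discarded rather than guessed at, since a parsing error here would produce a false pairing.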