Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 05:56

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
Resource: win7-20240221-en
7 signatures, 150 seconds
General

Target: 663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
Size: 140KB
MD5: 663bd5680043ed438a43cbcf80379654
SHA1: cfaa08ea4843c6aae0c5e19d70ad2d86333e9e2e
SHA256: 987c0d5b77345fdb979da45817424b80f08416ece53e67693b80c041228ae37e
SHA512: 851cff7c02c60fa19c526e6d8b2ea29b3ea674a92d5cf94469cab5b668de4cfff2da56d0eef37d064910099521e1566fd79a08f73bae34cfbd8c2f5a15fc5126
SSDEEP: 3072:Hyb5zxdwWjXhBqm9NCbg1UbIDzblnfiw:gdRDhBqm9NC81WInblnx
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc:         C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  process:     packmheg.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (19 IoCs; process for every row: packmheg.exe)
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c0-4c-d7-22-e7
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c0-4c-d7-22-e7\WpadDecisionTime = 00cc8bdb0cacda01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c0-4c-d7-22-e7\WpadDecision = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c0-4c-d7-22-e7\WpadDetectedUrl  (empty string)
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}\WpadDecisionTime = 00cc8bdb0cacda01
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}\66-c0-4c-d7-22-e7
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-c0-4c-d7-22-e7\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F7BB961-67A2-4A1B-9EFF-8A5307526C7A}\WpadNetworkName = "Network 3"
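The HKEY_USERS writes above are the per-connection WinINet state (WPAD autodetect decision, DefaultConnectionSettings) that Windows records when a process initializes Internet settings. Two details are worth reading off them rather than just counting IoCs: HKU\.DEFAULT together with the counters.dat path under C:\Windows\SysWOW64\config\systemprofile is the LocalSystem profile, so packmheg.exe (PID 2576) was running as SYSTEM; and ProxyEnable = "0" plus the 0x09 flags in DefaultConnectionSettings show that no proxy or PAC URL was configured, i.e. this is WinINet autodetect side-effect state, not proxy tampering. The script below is an added example, not part of the sandbox report or its vendor's tooling: it decodes the FILETIME in WpadDecisionTime (which lands within the submission minute, 22-05-2024 05:56), parses the documented prefix of a DefaultConnectionSettings blob (the trailing autodetect area is left undecoded), and tests the U/L bit of the MAC that names the Wpad subkey. The hex values are copied from the table; the function names and the PROXY_TYPE_* naming (WinINet's INTERNET_PER_CONN_FLAGS bits) are the example's own.

```python
"""Decode the WPAD / WinINet registry artifacts from the HKEY_USERS IoC table.

Added example, not part of the sandbox report. Hex data is copied from the
report; function names and the flag-name table are this script's own.
"""
import struct
from datetime import datetime, timedelta, timezone

# INTERNET_PER_CONN_FLAGS bits stored in the third DWORD of DefaultConnectionSettings.
PROXY_TYPE_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",
    0x2: "PROXY_TYPE_PROXY",
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",
    0x8: "PROXY_TYPE_AUTO_DETECT",
}

# Copied from the report (REG_BINARY printed as hex by the sandbox).
WPAD_DECISION_TIME_HEX = "00cc8bdb0cacda01"
# First DefaultConnectionSettings value: 0x46, counter 2, flags 0x9, then 44 zero bytes
# (written compactly; identical to the 112 hex digits in the table).
DEFAULT_CONNECTION_SETTINGS_HEX = "460000000200000009000000" + "00" * 44
WPAD_ADAPTER_KEY = "66-c0-4c-d7-22-e7"


def decode_filetime_hex(hex_bytes: str) -> datetime:
    """REG_BINARY FILETIME: 8 little-endian bytes, 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_bytes))
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_connection_settings(hex_bytes: str) -> dict:
    """Parse the documented prefix of DefaultConnectionSettings / SavedLegacySettings.

    Layout: DWORD 0x46, DWORD change counter, DWORD INTERNET_PER_CONN_FLAGS, then three
    length-prefixed ANSI strings (proxy server, bypass list, autoconfig URL). The
    trailing autodetect area that follows is not decoded here.
    """
    data = bytes.fromhex(hex_bytes)
    magic, counter, flags = struct.unpack_from("<III", data, 0)
    if magic != 0x46:
        raise ValueError(f"unexpected header {magic:#x}")
    offset = 12
    strings = []
    for _ in range(3):
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        strings.append(data[offset:offset + length].decode("latin-1"))
        offset += length
    proxy, bypass, pac_url = strings
    return {
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in PROXY_TYPE_FLAGS.items() if flags & bit],
        "proxy_server": proxy,
        "bypass_list": bypass,
        "autoconfig_url": pac_url,
    }


def is_locally_administered_mac(mac: str) -> bool:
    """WPAD names per-adapter subkeys after the adapter MAC. A set U/L bit (0x02 in the
    first octet) means a locally administered address, as virtual NICs commonly have."""
    first_octet = int(mac.split("-")[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    print("WpadDecisionTime  :", decode_filetime_hex(WPAD_DECISION_TIME_HEX).isoformat())
    print("ConnectionSettings:", parse_connection_settings(DEFAULT_CONNECTION_SETTINGS_HEX))
    print("adapter MAC locally administered:", is_locally_administered_mac(WPAD_ADAPTER_KEY))
```

Run against the table's values, WpadDecisionTime decodes to 2024-05-22 05:56:58 UTC, which pins the registry writes to the sandbox run itself rather than to anything embedded in the binary, and DefaultConnectionSettings parses to flags 0x9 (direct connection with autodetect) and three empty strings.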
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2876  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
  PID 2988  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
  PID 2564  packmheg.exe
  PID 2576  packmheg.exe  (5 IoCs)
Suspicious behavior: RenamesItself (1 IoC)
  PID 2988  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process                                             procid_target
  PID 2876 wrote to memory of 2988   2876  663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  28  (4 identical rows)
  PID 2564 wrote to memory of 2576   2564  packmheg.exe                                        30  (4 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  (PID 2876, tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe  (PID 2988, tree level 2, child of 2876)
      command line: "C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\packmheg.exe  (PID 2564, tree level 1)
  command line: "C:\Windows\SysWOW64\packmheg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\packmheg.exe  (PID 2576, tree level 2, child of 2564)
      command line: "C:\Windows\SysWOW64\packmheg.exe"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
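The process tree and the WriteProcessMemory rows describe the same shape twice: a process starts a second instance of its own executable and writes into that child four times (2876 into 2988, then 2564 into 2576), the first-stage child renames itself, and the second stage repeats the pattern from C:\Windows\SysWOW64\packmheg.exe. A parent writing into a freshly created child of the same image is the self-injection / process-hollowing shape, and it is what a detection should key on rather than on the file name. The script below is an added example, not part of the report or the sandbox's tooling: it parses the "PID x wrote to memory of y" rows, joins them against the process list, and emits one finding per parent-to-child pair whose images match, then groups the findings by image directory so the recurrence from SysWOW64 stands out. The line formats, the process tuples (built from the Processes section) and the rule name are the example's own constructions.

```python
"""Correlate the process tree with the WriteProcessMemory IoCs of this report.

Added example, not part of the sandbox report. PROCESSES and WRITE_EVENTS are
constructed from the report's Processes section and its WriteProcessMemory rows;
the line format, function names and rule name are this script's own.
"""
import re
from collections import Counter, defaultdict

# Constructed from the Processes section: (pid, parent pid or None for a tree root, image).
PROCESSES = [
    (2876, None, r"C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"),
    (2988, 2876, r"C:\Users\Admin\AppData\Local\Temp\663bd5680043ed438a43cbcf80379654_JaffaCakes118.exe"),
    (2564, None, r"C:\Windows\SysWOW64\packmheg.exe"),
    (2576, 2564, r"C:\Windows\SysWOW64\packmheg.exe"),
]

# Constructed from the "Suspicious use of WriteProcessMemory" rows, one line per IoC.
WRITE_EVENTS = """\
PID 2876 wrote to memory of 2988
PID 2876 wrote to memory of 2988
PID 2876 wrote to memory of 2988
PID 2876 wrote to memory of 2988
PID 2564 wrote to memory of 2576
PID 2564 wrote to memory of 2576
PID 2564 wrote to memory of 2576
PID 2564 wrote to memory of 2576
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def parse_write_events(text: str) -> Counter:
    """Count (writer_pid, target_pid) pairs from the IoC lines; unparseable lines are skipped."""
    pairs = Counter()
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


def find_self_injection(processes, write_counts) -> list:
    """Flag a parent that writes into a child running the same image as itself.

    A new child of the parent's own executable that the parent immediately writes
    into is the self-injection / hollowing shape: the child's mapped image is being
    replaced before it runs. Returns one finding per (writer, target) pair.
    """
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    findings = []
    for (writer, target), n in sorted(write_counts.items()):
        if writer not in by_pid or target not in by_pid:
            continue  # a write into a process the tree does not list; not this rule's case
        _, w_image = by_pid[writer]
        t_ppid, t_image = by_pid[target]
        if t_ppid == writer and t_image.lower() == w_image.lower():
            findings.append({
                "rule": "self_injection_into_child_copy",
                "writer": writer,
                "target": target,
                "image": w_image,
                "writes": n,
            })
    return findings


def chains_by_image_dir(findings) -> dict:
    """Group findings by the image's directory so a second stage repeating the
    technique from a system directory (here SysWOW64) is visible at a glance."""
    groups = defaultdict(list)
    for f in findings:
        directory = f["image"].rsplit("\\", 1)[0]
        groups[directory].append((f["writer"], f["target"]))
    return dict(groups)


if __name__ == "__main__":
    counts = parse_write_events(WRITE_EVENTS)
    hits = find_self_injection(PROCESSES, counts)
    for f in hits:
        print(f"{f['rule']}: {f['writer']} -> {f['target']} ({f['writes']} writes) {f['image']}")
    print(chains_by_image_dir(hits))
```

On this report the rule fires twice, once per stage, which is the point: the dropper in %TEMP% and the installed copy in SysWOW64 are the same code path, so a rule written on the image name alone would have to be maintained per rename, while the parent-writes-into-own-child relation does not change.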