Analysis

max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 07:56

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  Resource: win7-20240220-en
  7 signatures, 150 seconds
General

Target: 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
Size: 187KB
MD5: 668d1d7c39af8906ed862ae9ff645a63
SHA1: 35644070d27bde9f87a5552becc4b18d017d9faf
SHA256: a1a6a9070efc72cd197cb8d27342f0cd6ba8f15e706b308f164fcafd6f561258
SHA512: b5f0ad76de4110445fb978c13c9d1c76676ff541f5d0721b2303765c44ac5bb2037e92914e5d0dae8c7dc16c8fe5bb376e17e3e039df6383d7a9374472b13a2e
SSDEEP: 3072:2D8qMHPIFIhK2kwVP5YdShdXlkkaK/PngcfS3CYo7RWa5A+:2DhMHPThK2x5WSXl6K/lS3CdY
Malware Config
Signatures

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | jitvsgd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (25 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | jitvsgd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | jitvsgd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionReason = "1" | jitvsgd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionReason = "1" | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionTime = 30189b851dacda01 | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionTime = 30189b851dacda01 | jitvsgd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | jitvsgd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | jitvsgd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecision = "0" | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionTime = 104030d91dacda01 | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\fa-f4-8d-33-a9-5b | jitvsgd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2} | jitvsgd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadNetworkName = "Network 3" | jitvsgd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecision = "0" | jitvsgd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDetectedUrl | jitvsgd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionTime = 104030d91dacda01 | jitvsgd.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | jitvsgd.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2276 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
1296 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
2116 | jitvsgd.exe
2668 | jitvsgd.exe
2668 | jitvsgd.exe
2668 | jitvsgd.exe
2668 | jitvsgd.exe
2668 | jitvsgd.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
1296 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2276 wrote to memory of 1296 | 2276 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 28
PID 2276 wrote to memory of 1296 | 2276 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 28
PID 2276 wrote to memory of 1296 | 2276 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 28
PID 2276 wrote to memory of 1296 | 2276 | 668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe | 28
PID 2116 wrote to memory of 2668 | 2116 | jitvsgd.exe | 30
PID 2116 wrote to memory of 2668 | 2116 | jitvsgd.exe | 30
PID 2116 wrote to memory of 2668 | 2116 | jitvsgd.exe | 30
PID 2116 wrote to memory of 2668 | 2116 | jitvsgd.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe"
  PID: 2276
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\668d1d7c39af8906ed862ae9ff645a63_JaffaCakes118.exe"
    PID: 1296
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself

- C:\Windows\SysWOW64\jitvsgd.exe
  Command line: "C:\Windows\SysWOW64\jitvsgd.exe"
  PID: 2116
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\jitvsgd.exe
    Command line: "C:\Windows\SysWOW64\jitvsgd.exe"
    PID: 2668
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses