01e886231896581c36fa5aba1852bc82abff0736cdfca02a7e48d8d5a23d3773

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe
Size

3KB
MD5

686af4c766cc44369d88bd7b20f01e07
SHA1

4ba8b5821f3f8d7d9712c1670641c5762c53bde3
SHA256

01e886231896581c36fa5aba1852bc82abff0736cdfca02a7e48d8d5a23d3773
SHA512

ba21448943567acdf72e5e17985d7fe164f6c56b514a4915dc0114f46ce7be17d6908a4bdfb1dfc731ed5f9195881b309d05a3d40faadc11ae7b5f3a892395ed

Score

1^/10

Malware Config

Signatures

Modifies registry class 27 IoCs

Processes:

cmd.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ultraiso.exe\" \"%1\""	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.img	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mds	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UltraISO.EXE,0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cue	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ima\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.isz	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraISO\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UltraISO.EXE\" \"%1\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mdf	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.img\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ima	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\ = "UltraISO"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mds\ = "UltraISO"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nrg	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nrg\ = "UltraISO"	cmd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 3568 wrote to memory of 2864	3568	686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe	cmd.exe
PID 3568 wrote to memory of 2864	3568	686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe	cmd.exe
PID 3568 wrote to memory of 2864	3568	686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe	cmd.exe
PID 2864 wrote to memory of 4648	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4648	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4648	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3628	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3628	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 3628	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4436	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4436	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4436	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5000	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5000	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 5000	2864	cmd.exe	reg.exe
PID 2864 wrote to memory of 4152	2864	cmd.exe	regsvr32.exe
PID 2864 wrote to memory of 4152	2864	cmd.exe	regsvr32.exe
PID 2864 wrote to memory of 4152	2864	cmd.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\686af4c766cc44369d88bd7b20f01e07_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63BB.CMD" "
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\EasyBoot Systems\UltraISO\5.0" /f /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
REG ADD HKCR\UltraISO\DefaultIcon /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UltraISO.EXE,0" /f
3⤵
- Modifies registry class
PID:3628

C:\Windows\SysWOW64\reg.exe
REG ADD HKCR\UltraISO\shell\open\command /ve /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\UltraISO.EXE\" "\"%1\" /f
3⤵
- Modifies registry class
PID:4436

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\EasyBoot Systems\UltraISO\5.0" /v DefViewer /t REG_SZ /d "C:\Windows\system32\NOTEPAD.EXE" /f
3⤵
PID:5000

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\isoshell.dll"
3⤵
PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63BB.CMD

Filesize
789B

MD5
24ef8d56226026b3f6e98036f01ae058

SHA1
650e8b0d31b1147f9f076b96c0af2444b610d425

SHA256
2bd6b5bab24bd9f826faf32af41967e9f159db37c7032260df3a0c3eb269a772

SHA512
a56e1ada84429b6ec05b528b925b1ffc12e272ec27a8ab44bf5305fb5145512fdbcc4501ededc5e2117a41b444960d4439eeacfd8cf2aa859a2a230f0168174f

Download Submit
memory/3568-2-0x0000000000400000-0x0000000000400F60-memory.dmp

Filesize
3KB

Download