Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 07:59

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
  Resource: win7-20240508-en
  6 signatures, 150 seconds
General
Target: 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
Size: 275KB
MD5: 8d6146eed06d626d31499c689dbdacdc
SHA1: d85b600d2457a5948e92956d1dbb9160aa05a88e
SHA256: 01d06594c1418a2f58d827174255e372848d80a1eb037b9ae733e4b21a918cd2
SHA512: f269aed0b8d1d137bac7b3af8c461b57488b9a41e0fa8f6f0559f12f7c58ffdd0317db8ab1daddc71d1accfafc58dc4b79a4d61841441c071a489d17831e7fa9
SSDEEP: 3072:jVFKX2GybFw1w8oayTMtu+5x4Rd17bo5PLF0MNseNI3920h:jTKX2b+a8oRTMY+H4Rv7OPLmMN3NIv
Score: 5/10
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mdmsgxinput.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (22 IoCs)
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011} | mdmsgxinput.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadNetworkName = "Network 3" | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mdmsgxinput.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mdmsgxinput.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionReason = "1" | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = e092c1c2c2b4da01 | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = a04e4919c3b4da01 | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = a04e4919c3b4da01 | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\52-a4-6c-d2-f4-72 | mdmsgxinput.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecision = "0" | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mdmsgxinput.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionReason = "1" | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = e092c1c2c2b4da01 | mdmsgxinput.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecision = "0" | mdmsgxinput.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72 | mdmsgxinput.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDetectedUrl | mdmsgxinput.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mdmsgxinput.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
pid | process
1616 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
2888 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
2644 | mdmsgxinput.exe
2540 | mdmsgxinput.exe
2540 | mdmsgxinput.exe
2540 | mdmsgxinput.exe
2540 | mdmsgxinput.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid | process
2888 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1616 wrote to memory of 2888 | 1616 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
PID 1616 wrote to memory of 2888 | 1616 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
PID 1616 wrote to memory of 2888 | 1616 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
PID 1616 wrote to memory of 2888 | 1616 | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe | 8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe
PID 2644 wrote to memory of 2540 | 2644 | mdmsgxinput.exe | mdmsgxinput.exe
PID 2644 wrote to memory of 2540 | 2644 | mdmsgxinput.exe | mdmsgxinput.exe
PID 2644 wrote to memory of 2540 | 2644 | mdmsgxinput.exe | mdmsgxinput.exe
PID 2644 wrote to memory of 2540 | 2644 | mdmsgxinput.exe | mdmsgxinput.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe (PID 1616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe (PID 2888)
      Command line: "C:\Users\Admin\AppData\Local\Temp\8d6146eed06d626d31499c689dbdacdc_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\mdmsgxinput.exe (PID 2644)
  Command line: "C:\Windows\SysWOW64\mdmsgxinput.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\mdmsgxinput.exe (PID 2540)
      Command line: "C:\Windows\SysWOW64\mdmsgxinput.exe"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses