Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 13:09

Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
- Resource: win7-20240508-en
- 6 signatures
- 150 seconds
General
- Target: 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
- Size: 457KB
- MD5: 8e2ee1038a38f7f0b5537a965e366b52
- SHA1: f5d841826836b706032de4a11cc69e94c4fb821b
- SHA256: 1f3fc7159fce7bca1fb0b6b740dea75749c68194d0684dd0167de5671c261ead
- SHA512: 7ac12f42efb211eceb17b76b9aaf80079ccd6412be4e0a51a5c75f40682d7d0c124480de52cebc87f0f308301c376e2c7adb5c3555795831a6a47f521cadb8e1
- SSDEEP: 6144:iwt1iI9T4gh8trVcFi2M/E1y6GlLICuqgX9MqDfQ8M:iG1iMT4wAcFtM/wy6SLg3DY8M
- Score: 5/10
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | lookroyale.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (18 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6} | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | lookroyale.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | lookroyale.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecisionTime = 202abb20eeb4da01 | lookroyale.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecision = "0" | lookroyale.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | lookroyale.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecision = "0" | lookroyale.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadNetworkName = "Network 3" | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45 | lookroyale.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecisionTime = 202abb20eeb4da01 | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | lookroyale.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | lookroyale.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecisionReason = "1" | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\fe-97-1a-02-a6-45 | lookroyale.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecisionReason = "1" | lookroyale.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | lookroyale.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | lookroyale.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid | process
  2116 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  2724 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  2744 | lookroyale.exe
  2608 | lookroyale.exe
  2608 | lookroyale.exe
  2608 | lookroyale.exe
  2608 | lookroyale.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  2724 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 2116 wrote to memory of 2724 | 2116 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  PID 2116 wrote to memory of 2724 | 2116 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  PID 2116 wrote to memory of 2724 | 2116 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  PID 2116 wrote to memory of 2724 | 2116 | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe | 8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe
  PID 2744 wrote to memory of 2608 | 2744 | lookroyale.exe | lookroyale.exe
  PID 2744 wrote to memory of 2608 | 2744 | lookroyale.exe | lookroyale.exe
  PID 2744 wrote to memory of 2608 | 2744 | lookroyale.exe | lookroyale.exe
  PID 2744 wrote to memory of 2608 | 2744 | lookroyale.exe | lookroyale.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe (PID 2116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe (PID 2724)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8e2ee1038a38f7f0b5537a965e366b52_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\lookroyale.exe (PID 2744)
  Command line: "C:\Windows\SysWOW64\lookroyale.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\lookroyale.exe (PID 2608)
    Command line: "C:\Windows\SysWOW64\lookroyale.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses