Analysis
- max time kernel: 134s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 13:34
Static task: static1
Behavioral task: behavioral1
- Sample: aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
- Size: 536KB
- MD5: aea8cc9ea2da64828259ddad36685f8e
- SHA1: ca319183736d722a4c5157930e8eba7fb24f3846
- SHA256: fc762d1673347c40c10454641b6892dc07fea2e0a3564f5cdabcc8764335c5b5
- SHA512: 875254bf1a8265acab4ba84c6973a664130c990b2871d21245fc9113061b74933b251eca46b87678af70324f19514ebe3a2166a03d1eefeb0dcedd596a7f109b
- SSDEEP: 6144:DH/93YEXcP89331OH0j7Ie0+CCiJrOPHbzkXfYTmGaH5KQu2894mST2GG9:b6nE93wU5hCCiAzkXgTsvhq
Malware Config
Signatures
-
Drops file in System32 directory (1 IoC)
Processes: tvoutcabinet.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | tvoutcabinet.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (18 IoCs)
Processes: tvoutcabinet.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\6e-f9-4c-0c-fa-10 | tvoutcabinet.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecisionReason = "1" | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | tvoutcabinet.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | tvoutcabinet.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD} | tvoutcabinet.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecisionReason = "1" | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | tvoutcabinet.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecisionTime = b09a8cd228bfda01 | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10 | tvoutcabinet.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecisionTime = b09a8cd228bfda01 | tvoutcabinet.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-f9-4c-0c-fa-10\WpadDecision = "0" | tvoutcabinet.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | tvoutcabinet.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | tvoutcabinet.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | tvoutcabinet.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadDecision = "0" | tvoutcabinet.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4202EE61-7A55-4596-88D3-E2EAD1E58AAD}\WpadNetworkName = "Network 3" | tvoutcabinet.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe, tvoutcabinet.exe
pid | process
1756 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
2696 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
2912 | tvoutcabinet.exe
2772 | tvoutcabinet.exe
2772 | tvoutcabinet.exe
2772 | tvoutcabinet.exe
2772 | tvoutcabinet.exe
-
Suspicious behavior: RenamesItself (1 IoC)
Processes: aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
pid | process
2696 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe, tvoutcabinet.exe
description | pid | process | target process
PID 1756 wrote to memory of 2696 | 1756 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 | 1756 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 | 1756 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 | 1756 | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe | aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 2912 wrote to memory of 2772 | 2912 | tvoutcabinet.exe | tvoutcabinet.exe
PID 2912 wrote to memory of 2772 | 2912 | tvoutcabinet.exe | tvoutcabinet.exe
PID 2912 wrote to memory of 2772 | 2912 | tvoutcabinet.exe | tvoutcabinet.exe
PID 2912 wrote to memory of 2772 | 2912 | tvoutcabinet.exe | tvoutcabinet.exe
Processes (tree depth from the report's 1⤵/2⤵ markers; PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe (depth 1; PID 1756)
  command line: "C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe (depth 2, child of the above; PID 2696)
    command line: "C:\Users\Admin\AppData\Local\Temp\aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\tvoutcabinet.exe (depth 1, a separate root rather than a child of the sample; PID 2912)
  command line: "C:\Windows\SysWOW64\tvoutcabinet.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\tvoutcabinet.exe (depth 2, child of the above; PID 2772)
    command line: "C:\Windows\SysWOW64\tvoutcabinet.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1756-16-0x0000000000220000-0x0000000000236000-memory.dmp (88KB)
- memory/1756-7-0x0000000000310000-0x0000000000320000-memory.dmp (64KB)
- memory/1756-6-0x0000000000220000-0x0000000000236000-memory.dmp (88KB)
- memory/1756-1-0x00000000003D0000-0x00000000003E6000-memory.dmp (88KB)
- memory/1756-5-0x00000000003D0000-0x00000000003E6000-memory.dmp (88KB)
- memory/2696-15-0x0000000000300000-0x0000000000310000-memory.dmp (64KB)
- memory/2696-13-0x0000000000620000-0x0000000000636000-memory.dmp (88KB)
- memory/2696-10-0x0000000000620000-0x0000000000636000-memory.dmp (88KB)
- memory/2696-14-0x00000000002E0000-0x00000000002F6000-memory.dmp (88KB)
- memory/2696-33-0x00000000002E0000-0x00000000002F6000-memory.dmp (88KB)
- memory/2696-32-0x0000000000400000-0x0000000000488000-memory.dmp (544KB)
- memory/2772-26-0x0000000000B40000-0x0000000000B56000-memory.dmp (88KB)
- memory/2772-30-0x0000000000B40000-0x0000000000B56000-memory.dmp (88KB)
- memory/2912-22-0x00000000003D0000-0x00000000003E6000-memory.dmp (88KB)
- memory/2912-18-0x00000000003D0000-0x00000000003E6000-memory.dmp (88KB)
- memory/2912-24-0x00000000002F0000-0x0000000000300000-memory.dmp (64KB)
- memory/2912-23-0x00000000002D0000-0x00000000002E6000-memory.dmp (88KB)
- memory/2912-31-0x00000000002D0000-0x00000000002E6000-memory.dmp (88KB)
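
Editor's reading of the two signatures that matter here. The WriteProcessMemory rows show the same shape twice: a process starts a second copy of its own image and writes into it (1756 into 2696 for the sample, 2912 into 2772 for tvoutcabinet.exe). The only dumped region that starts at 0x400000, the default 32-bit PE image base, is memory/2696-32 (0x400000-0x488000, 544KB), it belongs to the written-to child, and it is large enough to hold the 536KB sample. That is consistent with process hollowing (RunPE), but the report alone does not prove it; opening that dump and checking for a PE header is the next step. The tvoutcabinet.exe child writes under HKU\.DEFAULT and SysWOW64\config\systemprofile, which are the LocalSystem account's profile, so it most likely runs as SYSTEM (the WpadDecision* and Connections values are what WinINet/WinHTTP autoproxy detection leaves behind when a process looks up a proxy before going online). The Python below is an added example by the editor, not part of the sandbox report or its tooling: it parses the IoC rows copied from the report, drops the repeated write events, flags same-image parent-to-child writes, and checks whether the target has a dumped region at the image base at least as large as the sample. The row layout it parses and the 0x400000 image-base constant are assumptions noted in the comments.

```python
"""Flag same-image parent-to-child memory writes in a Triage-style report and
correlate them with dumped regions at the PE image base.

Added example by the editor, not part of the sandbox report. The IoC rows below
are copied from the report; the 'PID <a> wrote to memory of <b> <a> <image>
<target image>' layout and the dump file naming are assumed to be stable."""
import re

# Constructed input: the eight WriteProcessMemory IoC rows from the report.
WRITE_LINES = """
PID 1756 wrote to memory of 2696 1756 aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 1756 aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 1756 aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 1756 wrote to memory of 2696 1756 aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe aea8cc9ea2da64828259ddad36685f8e_JaffaCakes118.exe
PID 2912 wrote to memory of 2772 2912 tvoutcabinet.exe tvoutcabinet.exe
PID 2912 wrote to memory of 2772 2912 tvoutcabinet.exe tvoutcabinet.exe
PID 2912 wrote to memory of 2772 2912 tvoutcabinet.exe tvoutcabinet.exe
PID 2912 wrote to memory of 2772 2912 tvoutcabinet.exe tvoutcabinet.exe
"""

# Constructed input: the dump names from the report's Downloads section.
DUMP_LINES = """
memory/1756-16-0x0000000000220000-0x0000000000236000-memory.dmp
memory/1756-7-0x0000000000310000-0x0000000000320000-memory.dmp
memory/1756-6-0x0000000000220000-0x0000000000236000-memory.dmp
memory/1756-1-0x00000000003D0000-0x00000000003E6000-memory.dmp
memory/1756-5-0x00000000003D0000-0x00000000003E6000-memory.dmp
memory/2696-15-0x0000000000300000-0x0000000000310000-memory.dmp
memory/2696-13-0x0000000000620000-0x0000000000636000-memory.dmp
memory/2696-10-0x0000000000620000-0x0000000000636000-memory.dmp
memory/2696-14-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/2696-33-0x00000000002E0000-0x00000000002F6000-memory.dmp
memory/2696-32-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2772-26-0x0000000000B40000-0x0000000000B56000-memory.dmp
memory/2772-30-0x0000000000B40000-0x0000000000B56000-memory.dmp
memory/2912-22-0x00000000003D0000-0x00000000003E6000-memory.dmp
memory/2912-18-0x00000000003D0000-0x00000000003E6000-memory.dmp
memory/2912-24-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2912-23-0x00000000002D0000-0x00000000002E6000-memory.dmp
memory/2912-31-0x00000000002D0000-0x00000000002E6000-memory.dmp
"""

SAMPLE_SIZE_BYTES = 536 * 1024  # "Size 536KB" from the report header
# Assumption: the linker default ImageBase for 32-bit EXEs. A dumped region that
# starts here inside the written-to child is where a hollowed-in PE would land.
DEFAULT_IMAGE_BASE = 0x400000

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_writes(text):
    """(writer_pid, target_pid, writer_image, target_image); duplicates dropped, order kept."""
    seen, out = set(), []
    for m in WRITE_RE.finditer(text):
        rec = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def find_self_injection(writes):
    """Writes whose writer and target run the same image: the trace shape that
    process hollowing (RunPE) leaves, although a sandbox log alone cannot
    distinguish it from other same-image injection."""
    return [(w, t, wi) for w, t, wi, ti in writes if wi == ti]


def parse_dumps(text):
    """(pid, index, start, end) for each dump name."""
    return [(int(p), int(i), int(s, 16), int(e, 16)) for p, i, s, e in DUMP_RE.findall(text)]


def image_base_regions(dumps, pid, base=DEFAULT_IMAGE_BASE):
    """Dumped regions of `pid` that start at `base`, as (start, end, size_bytes)."""
    return [(s, e, e - s) for p, _, s, e in dumps if p == pid and s == base]


def triage(write_text, dump_text, sample_size):
    """One finding per same-image write pair, noting whether the target holds an
    image-base region at least as large as the original sample."""
    dumps = parse_dumps(dump_text)
    findings = []
    for writer, target, image in find_self_injection(parse_writes(write_text)):
        regions = image_base_regions(dumps, target)
        findings.append({
            "writer": writer,
            "target": target,
            "image": image,
            "image_base_regions": regions,
            "region_fits_sample": any(size >= sample_size for _, _, size in regions),
        })
    return findings


if __name__ == "__main__":
    for f in triage(WRITE_LINES, DUMP_LINES, SAMPLE_SIZE_BYTES):
        regions = [(hex(s), hex(e), f"{size // 1024}KB") for s, e, size in f["image_base_regions"]]
        print(f"{f['writer']} -> {f['target']} ({f['image']}): "
              f"image-base regions {regions}, fits sample: {f['region_fits_sample']}")
```

Run against the rows above it reports the sample pair with a 544KB region at 0x400000 (large enough for the 536KB file) and the tvoutcabinet.exe pair with no image-base dump at all (its child's dumps sit at 0xB40000), so the hollowing reading is only supported for the first pair. The same-image check is deliberately narrow: cross-image writes (for example into a freshly spawned svchost.exe) are the more common hollowing target and would need the image-name comparison relaxed.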