Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 16:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
  - Resource: win7-20240508-en
General
- Target: af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
- Size: 264KB
- MD5: af64b00ee58a65e1d0b0fe0d9295b018
- SHA1: 255faa0e50e104ae5f353e5516d9cdf9a8d61c79
- SHA256: 6d28339809a4e1e8cf45ab998568f777c2ad101c75f94c72461e8592ef581b98
- SHA512: 9b0e0405ef2e75079684547e39a510abae679b1d97015ab4a7d5e44a0e6bebe226ec4d71e25a2bb0a7e4c18c8c55cddac8615379b8b8801f5d970465529e0cc4
- SSDEEP: 1536:DuaWmy41frZbE5KLCX6kxCxRjFnYDdyrrQkATezKwXHfterq8:DuaWmyWfrZYX6kSEgrrQkA2KWFeH
Malware Config
Signatures
-
Drops file in System32 directory (1 IoC)
Process: packxinput.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (packxinput.exe)
counters.dat under the system profile's Temporary Internet Files is a WinINet cache bookkeeping file, so this entry records the SysWOW64 copy of packxinput.exe initialising WinINet while running under the system profile. It is the only System32/SysWOW64 file write the report shows; the presence of packxinput.exe itself in SysWOW64 is not captured as a file event here.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS (25 IoCs)
Process: packxinput.exe (every entry below was written by packxinput.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionTime = 20b9c33843bfda01
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty string)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadNetworkName = "Network 3"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDetectedUrl (empty string)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionTime = 409a6f8b43bfda01
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecisionTime = 409a6f8b43bfda01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionTime = 20b9c33843bfda01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\1e-23-d1-8d-c2-2d
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-23-d1-8d-c2-2d\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DB144E88-B32C-4522-A1AB-8DC0D4B37D4E}\WpadDecisionReason = "1"
All 25 writes sit under HKEY_USERS\.DEFAULT\...\Internet Settings, in the Connections, Wpad and 5.0\Cache subkeys that WinINet/WinHTTP populate when a process initialises networking and runs proxy auto-detection (WPAD). HKU\.DEFAULT is the hive used by the LocalSystem account, which places this packxinput.exe instance in the SYSTEM context rather than in the sandbox user's session. ProxyEnable = "0" is the default, the WpadDecision/WpadDecisionReason/WpadDecisionTime values record the outcome of auto-detection for the adapter (1e-23-d1-8d-c2-2d) and connection GUID, and no ProxyServer or AutoConfigURL value appears in the list. Taken on its own this signature therefore documents network-stack initialisation by the injected-into child, not a deliberate proxy or settings change.
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
- 2612 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
- 2672 packxinput.exe
- 2748 packxinput.exe (5 occurrences)
-
Suspicious behavior: RenamesItself (1 IoC)
Processes (pid, process):
- 2612 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description; pid and process; target process):
- PID 2388 wrote to memory of 2612; 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe; target af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe (4 writes)
- PID 2672 wrote to memory of 2748; 2672 packxinput.exe; target packxinput.exe (4 writes)
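Added triage example, not part of the sandbox report or of any tooling it names: the script below takes the WriteProcessMemory entries and memory-dump names in the layout this report uses (constructed inline from the values above), flags the parent-to-child writes whose target runs the writer's own image name, and pulls out the dump that starts at the default 32-bit image base in the written-to child. The regular expressions assume exactly this report's line layout; the function names and the 0x400000 default are the example's own choices, not anything the report defines.

```python
"""Triage helper for the WriteProcessMemory and memory-dump entries of a sandbox report.

Flags the parent->child memory writes whose target is a second instance of the
writer's own image, and picks out the dumped regions that start at the default
32-bit image base, which is where an overwritten or unpacked image would be captured.
"""
import re
from collections import Counter

# Constructed input: the eight WriteProcessMemory events of the report above, written
# out one per line as "PID <src> wrote to memory of <dst> <src> <src image> <target image>".
REPORT_EVENTS = """
PID 2388 wrote to memory of 2612 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
PID 2388 wrote to memory of 2612 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
PID 2388 wrote to memory of 2612 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
PID 2388 wrote to memory of 2612 2388 af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe
PID 2672 wrote to memory of 2748 2672 packxinput.exe packxinput.exe
PID 2672 wrote to memory of 2748 2672 packxinput.exe packxinput.exe
PID 2672 wrote to memory of 2748 2672 packxinput.exe packxinput.exe
PID 2672 wrote to memory of 2748 2672 packxinput.exe packxinput.exe
"""

# Constructed input: a subset of the memory dump names from the report's Downloads list.
REPORT_DUMPS = [
    "memory/2388-0-0x0000000000260000-0x000000000026D000-memory.dmp",
    "memory/2612-7-0x0000000000270000-0x000000000027D000-memory.dmp",
    "memory/2612-30-0x0000000000400000-0x0000000000443000-memory.dmp",
    "memory/2612-31-0x0000000000260000-0x000000000026D000-memory.dmp",
    "memory/2748-32-0x0000000000390000-0x000000000039D000-memory.dmp",
]

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_events(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return events


def self_injection_pairs(events):
    """Count cross-process writes whose target runs the writer's own image name.

    A parent writing repeatedly into a child that is a copy of itself is the shape of
    RunPE / process-hollowing style injection. The count is kept because replacing an
    image typically takes several writes (headers, sections, thread context), and a
    single write is a much weaker signal. Writes into a child of a different image are
    deliberately not flagged here.
    """
    counts = Counter()
    for src, dst, src_image, dst_image in events:
        if src != dst and src_image.lower() == dst_image.lower():
            counts[(src, dst, src_image.lower())] += 1
    return dict(counts)


def image_base_dumps(dump_names, base=0x400000):
    """Map pid -> (dump name, region size in bytes) for dumps whose region starts at `base`.

    0x400000 is the usual image base of a 32-bit PE; a dumped region there in an
    injection *target* is the first artefact to pull, since it holds whatever the
    parent wrote over the original image.
    """
    found = {}
    for name in dump_names:
        m = DUMP_RE.search(name)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        if start == base:
            found[int(m["pid"])] = (m.group(0), end - start)
    return found


def triage(events_text, dump_names):
    """Join both views: for every flagged writer/target pair, the target's image-base dump if any."""
    pairs = self_injection_pairs(parse_events(events_text))
    dumps = image_base_dumps(dump_names)
    return {
        (src, dst, image): {"writes": n, "image_base_dump": dumps.get(dst)}
        for (src, dst, image), n in pairs.items()
    }


if __name__ == "__main__":
    for key, info in triage(REPORT_EVENTS, REPORT_DUMPS).items():
        print(key, info)
```

Run against the report's own values, both parent/child pairs are flagged with four writes each, and only the sample's child (2612) has a dump at the image base: the 0x400000-0x443000 region (274432 bytes, the 268KB entry under Downloads). The packxinput.exe child (2748) has no such dump in the list, so for it only the small regions are available.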
Processes
- C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe (depth 1; PID 2388 per the WriteProcessMemory entries)
  Command line: "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe (depth 2; PID 2612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\af64b00ee58a65e1d0b0fe0d9295b018_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\packxinput.exe (depth 1; PID 2672)
  Command line: "C:\Windows\SysWOW64\packxinput.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\packxinput.exe (depth 2; PID 2748)
    Command line: "C:\Windows\SysWOW64\packxinput.exe"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Both trees have the same shape: a parent starts a second instance of its own image with an identical command line, writes into it four times, and the child then carries the observable behaviour (RenamesItself for the sample; the WinINet and HKU\.DEFAULT registry activity for packxinput.exe). packxinput.exe appears as a separate depth-1 root, so the report does not show the sample starting it or writing it to SysWOW64, and nothing in the network or ATT&CK sections ties the two trees together. packxinput.exe is not a Windows component, so C:\Windows\SysWOW64\packxinput.exe is the host-side file indicator to hunt for alongside the sample's hashes.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps (name; size):
- memory/2388-14-0x0000000000250000-0x000000000025D000-memory.dmp; 52KB
- memory/2388-0-0x0000000000260000-0x000000000026D000-memory.dmp; 52KB
- memory/2388-6-0x0000000000270000-0x0000000000280000-memory.dmp; 64KB
- memory/2388-5-0x0000000000250000-0x000000000025D000-memory.dmp; 52KB
- memory/2388-4-0x0000000000260000-0x000000000026D000-memory.dmp; 52KB
- memory/2612-11-0x0000000000270000-0x000000000027D000-memory.dmp; 52KB
- memory/2612-13-0x0000000000280000-0x0000000000290000-memory.dmp; 64KB
- memory/2612-12-0x0000000000260000-0x000000000026D000-memory.dmp; 52KB
- memory/2612-7-0x0000000000270000-0x000000000027D000-memory.dmp; 52KB
- memory/2612-30-0x0000000000400000-0x0000000000443000-memory.dmp; 268KB
- memory/2612-31-0x0000000000260000-0x000000000026D000-memory.dmp; 52KB
- memory/2672-29-0x0000000000250000-0x000000000025D000-memory.dmp; 52KB
- memory/2672-21-0x0000000000280000-0x0000000000290000-memory.dmp; 64KB
- memory/2672-15-0x0000000000250000-0x000000000025D000-memory.dmp; 52KB
- memory/2748-22-0x00000000003A0000-0x00000000003AD000-memory.dmp; 52KB
- memory/2748-28-0x00000000003B0000-0x00000000003C0000-memory.dmp; 64KB
- memory/2748-27-0x0000000000390000-0x000000000039D000-memory.dmp; 52KB
- memory/2748-26-0x00000000003A0000-0x00000000003AD000-memory.dmp; 52KB
- memory/2748-32-0x0000000000390000-0x000000000039D000-memory.dmp; 52KB
Every dump except one is a small 52KB or 64KB region. The exception is memory/2612-30 at 0x400000-0x443000 (268KB) in PID 2612, the child the sample wrote into: it covers the default 32-bit image base and is sized like the 264KB sample once mapped, so it is the dump to start static analysis from. No image-base region was captured for the packxinput.exe child (2748).