155253495c7606a5ac3506401133d7bc55b1e48e7f78c397fcc2817f90abe79b

Analysis

max time kernel
51s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 08:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Size

878KB
MD5

b2976694a679e4266ac2c554b27c03cd
SHA1

62b3607c38874eadb95dbeaeb745e46dae4e1fec
SHA256

155253495c7606a5ac3506401133d7bc55b1e48e7f78c397fcc2817f90abe79b
SHA512

5815d38cb8a04e02d96643e1e1cc4e56f134b75b5161c4e31b7c7836f12a2eea90b3dbaa1e85bef4d29a4f33ad7d94a11a376babfcfc55e3b53c290e6f60795c
SSDEEP

24576:LYCZIDCYTC3wKpe5P3edTzYIxjMXFHrTDHn1D0:fhYTdKpe5O3PxwXFHrTDd0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1\CLSID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\Programmable	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\FLAGS	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\Version	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ = "IBoot"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\Programmable	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1\CLSID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib\ = "{559CE6A1-92FE-47FB-B0CD-79CE093661D7}"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\HELPDIR	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\ProgID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen\ = "Inst Class"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\LocalServer32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0\win32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\FLAGS	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\LocalServer32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1\CLSID\ = "{d13b4cbb-a9ff-4369-80a8-1727356420d8}"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe:typelib"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\ = "Inst Class"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\VersionIndependentProgID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ = "IBoot"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\ = "InstallerLib"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\VersionIndependentProgID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib\Version = "1.0"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen\CurVer	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\ProgID	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\ProgID\ = "smudging.somewhen.1"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\HELPDIR	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe\""	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\FLAGS\ = "0"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}\TypeLib\Version = "1.0"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0\0\win32	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{559CE6A1-92FE-47FB-B0CD-79CE093661D7}\1.0	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5942FAAB-8FBD-4836-A7D5-9EB9F250645F}	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\smudging.somewhen.1\ = "Inst Class"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{d13b4cbb-a9ff-4369-80a8-1727356420d8}\TypeLib\ = "{559ce6a1-92fe-47fb-b0cd-79ce093661d7}"	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe:typelib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe:typelib	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4276	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
4276	b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe"
1⤵
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b2976694a679e4266ac2c554b27c03cd_JaffaCakes118.exe:typelib

Filesize
8KB

MD5
16561b594e08733c72d2efd46698ea14

SHA1
e53eba8fec7f27e1171c480895fac1aa6415a72e

SHA256
25a374fae0bb255f4b2dbc7046530e6f6598cce80399907a8a045e35855b1959

SHA512
caac780ed2aae2820195d8da1485a1c0b171c252775d54b18d81849efabfb34d4bbd20b073a758090d99f3e5e3e001c57212c394e96e2e73405d472f977cc4b2

Download Submit
memory/4276-12-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4276-6-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-4-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-1-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-9-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-0-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-20-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-21-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-22-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-26-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-27-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-24-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download
memory/4276-29-0x00000000032D0000-0x00000000033A3000-memory.dmp

Filesize
844KB

Download