Analysis
max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 19:58
Static task: static1
Behavioral task: behavioral1
Sample: b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe
Resource: win7-20240220-en
Signatures: 8
150 seconds
General
Target: b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe
Size: 145KB
MD5: b9c32274be42fd6ad161ab31f742bc28
SHA1: 9901f7b53a1a7bf4ede32fa0bef31583553e48bf
SHA256: ee0a206415cce60f8b3afb29d8c17f86fe1923cbdf69812be139a3012b2fa24b
SHA512: bc7b299144acffa4ae29d173c147a3185d356f260bae6967122d8a56c56016548fcbdd560f06ca4974828ce3afd3d77ce68317aaeab167cf9332477a6e0fd312
SSDEEP: 3072:uB2Bbs6Raii991vRon8OmfvEywB2xMXYSmuEPgWTrx:uBF6vu91vRohywBODuEPD
Malware Config
Signatures
Drops file in System32 directory (1 IoC)
Process: ribbonexec.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (ribbonexec.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (21 IoCs)
Process: ribbonexec.exe (all entries below)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}\WpadNetworkName = "Network 3"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-66-0b-70-30-99\WpadDecisionTime = b04e94c5f0c0da01
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}\WpadDecisionTime = b04e94c5f0c0da01
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-66-0b-70-30-99\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-66-0b-70-30-99
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}\36-66-0b-70-30-99
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-66-0b-70-30-99\WpadDecisionReason = "1"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC3EB598-80B5-4567-A834-A2A57EF8954C}\WpadDecisionReason = "1"
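The HKEY_USERS\.DEFAULT entries above are the registry footprint WinINet leaves when a process running under the .DEFAULT profile (not an interactive user) performs proxy auto-detection. The script below is an added example, not part of the sandbox report: it decodes the two values that carry real information, WpadDecisionTime (a little-endian FILETIME) and the 56-byte DefaultConnectionSettings blob, both copied from the list above. The blob layout (signature 0x46, change counter, flag DWORD, three DWORD-length-prefixed ANSI strings, 32 reserved bytes) and the flag-bit names are the commonly documented interpretation of this WinINet structure and are assumed here; the report itself does not describe them. The "hijack" value at the end is constructed for contrast.

```python
"""Decode the WinINet 'Internet Settings' artifacts recorded under HKEY_USERS\\.DEFAULT.

Added example; not part of the sandbox report. Input values are copied from
the report. The DefaultConnectionSettings layout and flag names below are the
commonly documented interpretation of the structure (an assumption, not
something the report states).
"""
import struct
from datetime import datetime, timedelta, timezone

# Copied from the report's registry entries.
WPAD_DECISION_TIME_HEX = "b04e94c5f0c0da01"
DEFAULT_CONNECTION_SETTINGS_HEX = (
    "46000000" "02000000" "09000000"    # signature 0x46, change counter, flags
    "00000000" "00000000" "00000000"    # proxy / bypass / PAC-URL string lengths
    + "00" * 32                         # reserved area
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Flag bits of the third DWORD (assumed, commonly documented interpretation).
FLAG_DIRECT = 0x01        # always set
FLAG_PROXY = 0x02         # "use a proxy server"
FLAG_PAC_URL = 0x04       # "use automatic configuration script"
FLAG_AUTODETECT = 0x08    # "automatically detect settings" (WPAD)


def filetime_to_datetime(hex_le: str) -> datetime:
    """8 little-endian bytes of 100 ns ticks since 1601-01-01 -> UTC datetime."""
    ticks = int.from_bytes(bytes.fromhex(hex_le), "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_connection_settings(hex_blob: str) -> dict:
    """Parse a DefaultConnectionSettings / SavedLegacySettings value."""
    blob = bytes.fromhex(hex_blob)
    if len(blob) < 24:
        raise ValueError("blob shorter than the 24-byte fixed header")
    signature, counter, flags = struct.unpack_from("<III", blob, 0)
    if signature != 0x46:
        raise ValueError(f"unexpected signature 0x{signature:02x}")
    offset = 12
    fields = []
    for _ in range(3):  # proxy server, bypass list, PAC URL
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("string length runs past end of blob")
        fields.append(blob[offset:offset + length].decode("latin-1"))
        offset += length
    proxy, bypass, pac_url = fields
    return {
        "counter": counter,
        "flags": flags,
        "use_proxy": bool(flags & FLAG_PROXY),
        "use_pac": bool(flags & FLAG_PAC_URL),
        "autodetect": bool(flags & FLAG_AUTODETECT),
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        # 32 reserved bytes, plus any WPAD cache tail on longer values
        "trailing_bytes": len(blob) - offset,
    }


def build_connection_settings(counter: int, flags: int, proxy: str = "",
                              bypass: str = "", pac_url: str = "") -> str:
    """Inverse of parse_connection_settings, used to construct a contrast value."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return (out + b"\x00" * 32).hex()


def describe(hex_blob: str) -> str:
    """One-line summary of the proxy mode a value configures."""
    s = parse_connection_settings(hex_blob)
    if s["use_proxy"]:
        mode = f"manual proxy {s['proxy']!r} (bypass {s['bypass']!r})"
    elif s["use_pac"]:
        mode = f"PAC script {s['pac_url']!r}"
    else:
        mode = "no proxy configured"
    auto = "WPAD auto-detect on" if s["autodetect"] else "WPAD auto-detect off"
    return f"change #{s['counter']}: {mode}, {auto}"


if __name__ == "__main__":
    print("WpadDecisionTime:", filetime_to_datetime(WPAD_DECISION_TIME_HEX).isoformat())
    print("DefaultConnectionSettings:", describe(DEFAULT_CONNECTION_SETTINGS_HEX))
    # Constructed contrast value: what a proxy hijack to 127.0.0.1:8080 would store.
    hijack = build_connection_settings(7, FLAG_DIRECT | FLAG_PROXY, "127.0.0.1:8080", "<local>")
    print("Constructed hijack value:", describe(hijack))
```

Read against the report: the flags DWORD is 0x09 (direct plus auto-detect, the Windows default), all three strings are empty, ProxyEnable is written as 0, and the timestamp decodes to 2024-06-17 19:58:50 UTC, within a minute of the submission time. The second DefaultConnectionSettings write only bumps the counter to 3 and fills the reserved area with WPAD cache data. Taken together these entries are consistent with ribbonexec.exe issuing an HTTP request through WinINet from the SYSTEM profile (WPAD lookup as a side effect), not with deliberate proxy tampering; a value with FLAG_PROXY set and a non-empty proxy string, as in the constructed contrast value, is what a traffic-interception change would look like.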
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Process: ribbonexec.exe (PID 2112), 3 events

Suspicious behavior: RenamesItself (1 IoC)
Process: b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe (PID 2200)

Suspicious use of UnmapMainImage (4 IoCs)
Processes:
- PID 2960 b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe
- PID 2200 b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe
- PID 1804 ribbonexec.exe
- PID 2112 ribbonexec.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe, ribbonexec.exe
- PID 2960 (b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe) wrote to memory of PID 2200 (b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe), 4 events
- PID 1804 (ribbonexec.exe) wrote to memory of PID 2112 (ribbonexec.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe (PID 2960, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe (PID 2200, depth 2, child of PID 2960)
    Command line: --d7ea9177
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
- C:\Windows\SysWOW64\ribbonexec.exe (PID 1804, depth 1; no parent recorded in the tree)
  Command line: "C:\Windows\SysWOW64\ribbonexec.exe"
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ribbonexec.exe (PID 2112, depth 2, child of PID 1804)
    Command line: --477010d9
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
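The tree shows the same two-stage pattern twice: a parent launches a second copy of its own image with a bare `--<8 hex digits>` switch, writes into it four times (WriteProcessMemory), and the child unmaps its main image, first from the user's Temp directory and again from C:\Windows\SysWOW64\ribbonexec.exe after the rename. The script below is an added example, not part of the sandbox report: the process records and write events are transcribed from the report, and the rule that ties them together (parent writes into a same-image child that unmaps its main image, with the bare-switch command line and the system-directory location reported alongside) is this editor's detection heuristic, not a check the sandbox applies.

```python
"""Flag the self-injection pattern visible in the sandbox process tree.

Added example; not part of the sandbox report. Process records and
WriteProcessMemory events are transcribed from the report. The heuristic in
find_self_injection() is an assumption of this example, not a sandbox rule.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]            # None when the tree records no parent
    signatures: Set[str] = field(default_factory=set)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b9c32274be42fd6ad161ab31f742bc28_JaffaCakes118.exe"
DROPPED = r"C:\Windows\SysWOW64\ribbonexec.exe"

# Transcribed from the report's process tree and per-process signatures.
PROCESSES: Dict[int, Proc] = {
    2960: Proc(2960, SAMPLE, f'"{SAMPLE}"', None,
               {"UnmapMainImage", "WriteProcessMemory"}),
    2200: Proc(2200, SAMPLE, "--d7ea9177", 2960,
               {"RenamesItself", "UnmapMainImage"}),
    1804: Proc(1804, DROPPED, f'"{DROPPED}"', None,
               {"UnmapMainImage", "WriteProcessMemory"}),
    2112: Proc(2112, DROPPED, "--477010d9", 1804,
               {"EnumeratesProcesses", "UnmapMainImage"}),
}

# One (writer pid, target pid) tuple per "wrote to memory of" line in the report.
WRITE_EVENTS: List[Tuple[int, int]] = [(2960, 2200)] * 4 + [(1804, 2112)] * 4

# Bare "--" followed by 8 lowercase hex digits, as seen on both child processes.
SWITCH_RE = re.compile(r"--[0-9a-f]{8}")
SYSTEM_DIR_PREFIXES = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def find_self_injection(procs: Dict[int, Proc],
                        write_events: List[Tuple[int, int]]) -> List[dict]:
    """Return one finding per (parent, child) pair matching the heuristic:
    the parent wrote into its own child, both run the same image, and the
    child unmapped its main image (hollowing-style self-injection)."""
    writes: Dict[Tuple[int, int], int] = {}
    for src, dst in write_events:
        writes[(src, dst)] = writes.get((src, dst), 0) + 1

    findings = []
    for (src, dst), count in sorted(writes.items()):
        parent, child = procs.get(src), procs.get(dst)
        if parent is None or child is None or child.parent != src:
            continue  # write into an unrelated process: a different rule's job
        if parent.image.lower() != child.image.lower():
            continue  # injection into another binary is not this pattern
        if "UnmapMainImage" not in child.signatures:
            continue
        image_lc = child.image.lower()
        findings.append({
            "parent": src,
            "child": dst,
            "image": child.image,
            "writes": count,
            "bare_switch": SWITCH_RE.fullmatch(child.cmdline.strip()) is not None,
            "runs_from_system_dir": image_lc.startswith(SYSTEM_DIR_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(PROCESSES, WRITE_EVENTS):
        print(f"{f['parent']} -> {f['child']}: {f['image']} "
              f"(writes={f['writes']}, bare_switch={f['bare_switch']}, "
              f"system_dir={f['runs_from_system_dir']})")
```

Both pairs fire. The first hit (2960 to 2200) is the initial run from Temp and is where RenamesItself is recorded; the second (1804 to 2112) is the same stage re-executed from SysWOW64 with no parent in the captured tree, which is the copy to hunt for on other hosts: the file path C:\Windows\SysWOW64\ribbonexec.exe plus a same-image child carrying a bare `--xxxxxxxx` argument.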