Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 12:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe
Resource
win7-20240611-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe
-
Size
133KB
-
MD5
05e1f71cb030e79bd08c6cea09da5672
-
SHA1
a1f020ecfeccd0e271f91285cfdf62e2343e532a
-
SHA256
83797610c1b74ca56ef18e81681c316256017dc22f8ac14fe873518f70250515
-
SHA512
00155300f059e15684ed73d944625f0834fb81ea8e04142c3092325a09d1ff4b93b5c15e4d6ea455d971ecd55321996785129efffa5d5b7cdee709e8f05cb6bd
-
SSDEEP
3072:UTGNOKVjANUemskniQYQZuw9UJq31qaJRBel9:UTG4OHBYQZt31qg/el
Score
7/10
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3040 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1332 stsisvc.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat stsisvc.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files\stsisvc.exe 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe File created C:\Program Files\stsisvc.exe 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe -
Modifies data under HKEY_USERS 37 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDetectedUrl stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionTime = 5081744b0bc3da01 stsisvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadNetworkName = "Network 3" stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecision = "0" stsisvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" stsisvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionTime = 30fc17890bc3da01 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionTime = d0521a9f0bc3da01 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F} stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecision = "0" stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionTime = 50b0155d0bc3da01 stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionTime = 50b0155d0bc3da01 stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionReason = "1" stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionTime = 90a515730bc3da01 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionTime = 90a515730bc3da01 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionTime = d0521a9f0bc3da01 stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 stsisvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\ea-22-16-d6-5d-df stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionTime = 30fc17890bc3da01 stsisvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C5AB9087-4988-4554-9E25-86D5733EF22F}\WpadDecisionReason = "1" stsisvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-22-16-d6-5d-df\WpadDecisionTime = 5081744b0bc3da01 stsisvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix stsisvc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1052 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1052 wrote to memory of 3040 1052 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe 29 PID 1052 wrote to memory of 3040 1052 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe 29 PID 1052 wrote to memory of 3040 1052 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe 29 PID 1052 wrote to memory of 3040 1052 05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05e1f71cb030e79bd08c6cea09da5672_JaffaCakes118.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$a18371$$.bat2⤵
- Deletes itself
PID:3040
-
-
C:\Program Files\stsisvc.exe"C:\Program Files\stsisvc.exe" /service1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1332
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD505e1f71cb030e79bd08c6cea09da5672
SHA1a1f020ecfeccd0e271f91285cfdf62e2343e532a
SHA25683797610c1b74ca56ef18e81681c316256017dc22f8ac14fe873518f70250515
SHA51200155300f059e15684ed73d944625f0834fb81ea8e04142c3092325a09d1ff4b93b5c15e4d6ea455d971ecd55321996785129efffa5d5b7cdee709e8f05cb6bd
-
Filesize
152B
MD5fe6463e40c28111f74bdcd613690b61c
SHA12a66d73da28f8089231c757440e05ef0ce4817f4
SHA256db72be08e4dc0a19fa9b06eab8bb72a3e363a8ab0d3dd3c62406da43e52134a2
SHA512b31794d629476bf8f3849cd029ec41ab2ad4de9c481d6e6dc73edcf33f58770ee8e1ccc297b2a95cffad128b8c4c2d8c6281ae0e1443746b3a403f3a81e742fa