19cbbec9117101f147fe454c6e74a3d7a749d887ed76ff5ee32c43df6620550d

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Size

76KB
MD5

0651f6afa41c82867108d3181cf96175
SHA1

dd15af78e9854026502779df6a4c74feb9f8ce49
SHA256

19cbbec9117101f147fe454c6e74a3d7a749d887ed76ff5ee32c43df6620550d
SHA512

fb97dd4cf126bf123de6b24d863a68d9112f40fb2086caafe65d6dfa64bcd868b7d31d0e7e7c57f9b44da2dc14a394db27b2cdf50c571d5d8fc8a54d55e1751c
SSDEEP

768:9e8bNRqsuhlGOBnhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xkj:5nqJu3abBGy3G8V0iuoK2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dsdv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dsdv.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	dsdv.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dsdv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	dsdv.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	dsdv.exe
File opened (read-only)	\??\J:	dsdv.exe
File opened (read-only)	\??\P:	dsdv.exe
File opened (read-only)	\??\Q:	dsdv.exe
File opened (read-only)	\??\W:	dsdv.exe
File opened (read-only)	\??\Z:	dsdv.exe
File opened (read-only)	\??\L:	dsdv.exe
File opened (read-only)	\??\N:	dsdv.exe
File opened (read-only)	\??\R:	dsdv.exe
File opened (read-only)	\??\S:	dsdv.exe
File opened (read-only)	\??\T:	dsdv.exe
File opened (read-only)	\??\V:	dsdv.exe
File opened (read-only)	\??\B:	dsdv.exe
File opened (read-only)	\??\E:	dsdv.exe
File opened (read-only)	\??\M:	dsdv.exe
File opened (read-only)	\??\U:	dsdv.exe
File opened (read-only)	\??\X:	dsdv.exe
File opened (read-only)	\??\Y:	dsdv.exe
File opened (read-only)	\??\H:	dsdv.exe
File opened (read-only)	\??\I:	dsdv.exe
File opened (read-only)	\??\K:	dsdv.exe
File opened (read-only)	\??\O:	dsdv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	dsdv.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	dsdv.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	dsdv.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	dsdv.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	dsdv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	dsdv.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	dsdv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	dsdv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	dsdv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4672	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
2664	dsdv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2664	4672	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe	82
PID 4672 wrote to memory of 2664	4672	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe	82
PID 4672 wrote to memory of 2664	4672	0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0651f6afa41c82867108d3181cf96175_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsdv.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\dsdv.exe" 0651f6afa41c82867108d3181cf96175_JaffaCakes118
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\dsdv.exe

Filesize
76KB

MD5
c67bb49e5a5a48f599aaac6ac7c00e0c

SHA1
a432db2f1ef7e0e04a81da97d89ffb97262c4072

SHA256
f57af011e995927a776a56281a4c97da7676fbaa7a8307fc4cbe3701a124278c

SHA512
55ef8c2443d447796865c6c07d34ff985a8f83269af6963da9bbbc99e9346606e5d4dad7c54c862f9274276e0b1794a59e35bb5a9b6c6ff875e61961de4fd3fc

Download Submit
C:\Windows\SysWOW64\Desktop.sysm

Filesize
76KB

MD5
866b28d04c3fa76e6a5b83b6fa419686

SHA1
d62f5998555eac1503019ea1eea7de04b8362b3e

SHA256
6c028cb93ec463fdfbc61bfb5d051d41e39bdc921c01ddf54ed750062c2851e6

SHA512
e5597853a009b731e82b3dfc9d697edb125a02ca27eb9398512020fea78c05536fbc9af2149639503fba9006f4e4ebe88b653d8f9cb4dbb3c9e6b7616eb82e93

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads