745331f5d9ab3bf71f3b664646f47ebefd393e9ded6c429234dde7ccf0c89484

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 19:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe
Size

2.0MB
MD5

0a8ed0857614e31fc3f1591613098774
SHA1

bda66f3ab255fac2243eaec10d11a65b8bb1ef23
SHA256

745331f5d9ab3bf71f3b664646f47ebefd393e9ded6c429234dde7ccf0c89484
SHA512

b68cb1728faa22ecff305912f531fa4acde72627092296c3ff04b794d4b4b82e5e3887df60ea5f637560733511f2e8372114a961f7e224e7c638fd604d8cb75d
SSDEEP

49152:DyqYSSqIgP6GuJfipmF0hIdppCIsq6nemQ4YvAjJ1iFh3:DEqDiZfM+dpvsumUvAjriFh3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2308	8yz7x9m2p02e35r.exe
2532	trew110gx7i4b68.exe

Loads dropped DLL 3 IoCs

pid	Process
1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe
2308	8yz7x9m2p02e35r.exe
2308	8yz7x9m2p02e35r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\FLAGS\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\FLAGS\ = "0"	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\TypeLib	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win64\	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\HELPDIR	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\TypeLib\ = "{9E6DB585-C599-05E5-335D-07C7A2999F6D}"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\VersionIndependentProgID\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\ProgID\ = "Microsoft.PhotoProgressDialog.1"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\InprocServer32\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\FLAGS	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\HELPDIR\ = "%systemroot%\\SysWow64\\"	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\InprocServer32	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\HELPDIR\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\TypeLib\	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\Version	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\Version\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\Version\ = "1.0"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\WsmAuto.dll"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\ProgID\	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win64	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\VersionIndependentProgID	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win32\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\ = "Goker Tavapeze"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\ = "Microsoft WSMAN Automation V1.0 Library"	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win32	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\VersionIndependentProgID\ = "Microsoft.PhotoProgressDialog"	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\	trew110gx7i4b68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9E6DB585-C599-05E5-335D-07C7A2999F6D}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\WsmAuto.dll"	trew110gx7i4b68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E695D45A-EC61-43AA-9BA4-603EC131540F}\ProgID	trew110gx7i4b68.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	trew110gx7i4b68.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 1748 wrote to memory of 2308	1748	0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe	28
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29
PID 2308 wrote to memory of 2532	2308	8yz7x9m2p02e35r.exe	29

C:\Users\Admin\AppData\Local\Temp\0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a8ed0857614e31fc3f1591613098774_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\8yz7x9m2p02e35r.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\8yz7x9m2p02e35r.exe" -e -p3w59261h16xc94p
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\trew110gx7i4b68.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\trew110gx7i4b68.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\8yz7x9m2p02e35r.exe

Filesize
1.9MB

MD5
d6eafe971e3f6bc582513666eb3d5583

SHA1
2ea4b554b1168a9afa1acb4fe4b99e6bb7eb0c20

SHA256
a716bcbbcb79583d0c99597962438124a35c156855c9e899ae1082e5992fcb3c

SHA512
c1cd1df8f3157aa6402db8ac2c6052d2cb3b8a5da2221df751591e6414617c8d37f99a670e169a5b22af6adf4f2a7b79ad6fd45f5f9c0cb0a8107d872c85c8b4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\trew110gx7i4b68.exe

Filesize
1.9MB

MD5
ffb90a6fe19f8d5df94673aaabf48be1

SHA1
f1141dc2879463201710aaba6832736b95b3cbaf

SHA256
d8fea28ab53dac762ce3a807009aab00d48435108cb59cf527c076b607f58f6a

SHA512
61b87e68f767cc83b5bb5efff75ee893bcacbf91b626b0e04ce6d3f975393c4d38116102b248f8cb91ddddce58a550db8760fe10011e2e0e4581cfad03a6e627

Download Submit
memory/2308-18-0x0000000003840000-0x0000000003C5D000-memory.dmp

Filesize
4.1MB

Download
memory/2532-19-0x0000000000400000-0x000000000081D000-memory.dmp

Filesize
4.1MB

Download
memory/2532-21-0x0000000000400000-0x000000000081D000-memory.dmp

Filesize
4.1MB

Download