Overview

overview

10

Static

static

3

0fe0e8736b...18.exe

windows7-x64

10

0fe0e8736b...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 23:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fe0e8736beca525247d2c952a086f7f_JaffaCakes118.exe

  • Size

    44KB

  • MD5

    0fe0e8736beca525247d2c952a086f7f

  • SHA1

    22ee647d8285dfbb9d031b7b259ee68129ce59b6

  • SHA256

    4d83ebffa15f1977ea6f4aaef47c874d770a2a9e2ebd74b8e0298a5277f1a390

  • SHA512

    eec8a7ff6c60a0ee4bfd0baff8069163a7071e79bcbdf77389f26134b138a034c4b248d949aa9541de3a55a3699ea374f63e8fb9d6413e04ca1c06c721da968e

  • SSDEEP

    384:/wm3UqRKwBBUuRXt8eX2c9yfnH+8wdKRSJMZgJOftuOY+GHHbrg/XqRKwBBrm3:tPRd8GVQ+jJOgJOo6r

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 23 IoCs
  • Runs .reg file with regedit 30 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fe0e8736beca525247d2c952a086f7f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0fe0e8736beca525247d2c952a086f7f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\0fe0e8736beca525247d2c952a086f7f_JaffaCakes118
      2⤵
        PID:2368
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Disables RegEdit via registry modification
        • Modifies system executable filetype association
        • Adds Run key to start application
        • Modifies registry class
        • Runs .reg file with regedit
        PID:312
      • C:\Program Files\EXPLORER.EXE
        "C:\Program Files\EXPLORER.EXE"
        2⤵
        • Executes dropped EXE
        • Drops autorun.inf file
        • Drops file in Program Files directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2708
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2832
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2768
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2012
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2024
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1756
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2196
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1496
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:892
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1092
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1328
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2356
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2404
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2592
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2536
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2856
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2800
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2348
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1668
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1760
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:684
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:576
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1364
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:3068
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1636
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:1716
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:2604
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:320
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s C:\Program Files\Funny!.reg
          3⤵
          • Runs .reg file with regedit
          PID:820
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:2552

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Autorun.inf
      Filesize

      99B

      MD5

      9bf1e5a2afbe7da98a68e24153056e89

      SHA1

      a081dd05387f0a820c090d1d1d003af4f4374b63

      SHA256

      bca0db21212fb26b90ca976ad73636249ee40e70f59d867698a760b674ef13d2

      SHA512

      591855a387d8e28b89821e3d5c0c9418ebc2d644732ab9ce75e90e9db0b2bf7fecfd273fd6ef22a8d8fde87b97002e176d49e274b6c6cfa5798ef151092fcdcf

      Download Submit

    • C:\Program Files\Funny!.reg
      Filesize

      572B

      MD5

      c2ab01b697609862244ae7365e7e03d9

      SHA1

      63f95bf1efc2f7fb66a51627131150a01856ab36

      SHA256

      3e8770c1a3b8112a25d08b47a1bc0eed22aae31389b16dc03b07f3f10093e092

      SHA512

      afb30a04c3b50ccd913200b012409a9a1e2411ca97f1143a8e6f879fb8bc50acb3ec0c32a76fa4aea2b5ad35450578b53c51bb6e5e982da4f63136f8734f7da2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Funny!.reg
      Filesize

      631B

      MD5

      b5fba68a94b89425c0718fb38bb32e56

      SHA1

      e119b9eb6761df620f35536232331700fa642b9b

      SHA256

      4e1256cc8fcba1cc1cf4dd83fdac3be87de2e88ccfe43ed3e62b3e6c49b1daf7

      SHA512

      153b1efce4b48224b3e24ec816c3e094442e3a24ed490e0e2cbb2a47936c017bfa9f77f7e4a7c754bbc729f98309c50295b9d6b60c11d2b773219957b100c4fc

      Download Submit

    • \Program Files\EXPLORER.EXE
      Filesize

      44KB

      MD5

      0fe0e8736beca525247d2c952a086f7f

      SHA1

      22ee647d8285dfbb9d031b7b259ee68129ce59b6

      SHA256

      4d83ebffa15f1977ea6f4aaef47c874d770a2a9e2ebd74b8e0298a5277f1a390

      SHA512

      eec8a7ff6c60a0ee4bfd0baff8069163a7071e79bcbdf77389f26134b138a034c4b248d949aa9541de3a55a3699ea374f63e8fb9d6413e04ca1c06c721da968e

      Download Submit

    • memory/820-0-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/820-14-0x00000000005A0000-0x00000000005AC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/820-19-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2552-20-0x0000000003B10000-0x0000000003B20000-memory.dmp

      Filesize

      64KB

      Download