Analysis
-
max time kernel
147s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
27/06/2024, 17:09 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Resource
win7-20240419-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
-
Size
76KB
-
MD5
16cf0d0a9af15d20fabe1d47e492246d
-
SHA1
7b4048c1eb2ee82145b4b26da3d49611f301304b
-
SHA256
f8ebf0c40feb20b9714011fd4d058912897ed36a2fbf5c9965525542ecd5045d
-
SHA512
3e047b783f4450b13ed4988b93511c9b26ebbcfcd377ad353ac8e5775e258a35598a85aa586f26fbd66283940f80b4e5663eeb4d1175a2631b5d000fe0a82200
-
SSDEEP
768:tembNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xk+:jnqdu3abBGy3G8V0iuo2j
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" izav.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" izav.exe -
Executes dropped EXE 1 IoCs
pid Process 1236 izav.exe -
Loads dropped DLL 2 IoCs
pid Process 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt izav.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" izav.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: izav.exe File opened (read-only) \??\L: izav.exe File opened (read-only) \??\N: izav.exe File opened (read-only) \??\P: izav.exe File opened (read-only) \??\S: izav.exe File opened (read-only) \??\E: izav.exe File opened (read-only) \??\G: izav.exe File opened (read-only) \??\H: izav.exe File opened (read-only) \??\U: izav.exe File opened (read-only) \??\W: izav.exe File opened (read-only) \??\X: izav.exe File opened (read-only) \??\M: izav.exe File opened (read-only) \??\T: izav.exe File opened (read-only) \??\V: izav.exe File opened (read-only) \??\R: izav.exe File opened (read-only) \??\Y: izav.exe File opened (read-only) \??\B: izav.exe File opened (read-only) \??\K: izav.exe File opened (read-only) \??\Q: izav.exe File opened (read-only) \??\J: izav.exe File opened (read-only) \??\O: izav.exe File opened (read-only) \??\Z: izav.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\Windows 3D.scr 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt izav.exe File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr izav.exe File created \??\c:\windows\SysWOW64\Desktop.sysm izav.exe File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm izav.exe File created \??\c:\windows\SysWOW64\maxtrox.txt 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe -
Drops file in Program Files directory 35 IoCs
description ioc Process File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe izav.exe File opened for modification \??\c:\Program Files\Windows Defender\MpCmdRun.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe izav.exe File opened for modification \??\c:\Program Files\7-Zip\7zG.exe izav.exe File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpenc.exe izav.exe File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe izav.exe File opened for modification \??\c:\Program Files\ReadBlock.exe izav.exe File opened for modification \??\c:\Program Files\7-Zip\7z.exe izav.exe File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe izav.exe File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe izav.exe File opened for modification \??\c:\Program Files\Windows Mail\wab.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe izav.exe File opened for modification \??\c:\Program Files\Windows Sidebar\sidebar.exe izav.exe File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe izav.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe izav.exe File opened for modification \??\c:\Program Files\Windows Journal\PDIALOG.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe izav.exe File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe izav.exe File opened for modification \??\c:\Program Files\Windows Defender\MSASCui.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe izav.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe izav.exe -
Modifies registry class 36 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" izav.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" izav.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" izav.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 1236 izav.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1960 wrote to memory of 1236 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 28 PID 1960 wrote to memory of 1236 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 28 PID 1960 wrote to memory of 1236 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 28 PID 1960 wrote to memory of 1236 1960 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes1182⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1236
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD5dc6d47deccda12a07e742a3929e5106f
SHA12a83b6c5d6a4060e8f816503e83b5c42f84fd176
SHA2562faf00becc95fd78520db0fbf499256ffe2e17ae43ba24fa2987537dd4a7da0e
SHA512ac5e2da856de241882caaa3a599d4f79fd0dcbac48cee03c54aad0372231a39832d8ab42c0a01dc0530dcf78d3b63d6c21cd8e00b41846e219b8645d9bddb84d
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062
-
Filesize
76KB
MD5bd1469d9b5d09a8c4924d4642885f11a
SHA1e7f990b4287e21b190eca95e9f69f63f7c338cfd
SHA2561ea350176f9a6aed1e4c2b8be5037dabc576909afd429ee53158b22540dc50eb
SHA512711b2aae1a6b828e86e18385ae726e1dc3e49ac7eb8b930e252b35ba3c70a9b08b45dadf31f5fb908740121afb664daa09112ff4f3f660f2f32fc5570b5e0d39