f8ebf0c40feb20b9714011fd4d058912897ed36a2fbf5c9965525542ecd5045d

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Size

76KB
MD5

16cf0d0a9af15d20fabe1d47e492246d
SHA1

7b4048c1eb2ee82145b4b26da3d49611f301304b
SHA256

f8ebf0c40feb20b9714011fd4d058912897ed36a2fbf5c9965525542ecd5045d
SHA512

3e047b783f4450b13ed4988b93511c9b26ebbcfcd377ad353ac8e5775e258a35598a85aa586f26fbd66283940f80b4e5663eeb4d1175a2631b5d000fe0a82200
SSDEEP

768:tembNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+Xk+:jnqdu3abBGy3G8V0iuo2j

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	izav.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	izav.exe

Executes dropped EXE 1 IoCs

pid	Process
1236	izav.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	izav.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	izav.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	izav.exe
File opened (read-only)	\??\L:	izav.exe
File opened (read-only)	\??\N:	izav.exe
File opened (read-only)	\??\P:	izav.exe
File opened (read-only)	\??\S:	izav.exe
File opened (read-only)	\??\E:	izav.exe
File opened (read-only)	\??\G:	izav.exe
File opened (read-only)	\??\H:	izav.exe
File opened (read-only)	\??\U:	izav.exe
File opened (read-only)	\??\W:	izav.exe
File opened (read-only)	\??\X:	izav.exe
File opened (read-only)	\??\M:	izav.exe
File opened (read-only)	\??\T:	izav.exe
File opened (read-only)	\??\V:	izav.exe
File opened (read-only)	\??\R:	izav.exe
File opened (read-only)	\??\Y:	izav.exe
File opened (read-only)	\??\B:	izav.exe
File opened (read-only)	\??\K:	izav.exe
File opened (read-only)	\??\Q:	izav.exe
File opened (read-only)	\??\J:	izav.exe
File opened (read-only)	\??\O:	izav.exe
File opened (read-only)	\??\Z:	izav.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	izav.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	izav.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	izav.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	izav.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	izav.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	izav.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	izav.exe
File opened for modification	\??\c:\Program Files\ReadBlock.exe	izav.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	izav.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	izav.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	izav.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	izav.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	izav.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	izav.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	izav.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	izav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	izav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	izav.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
1236	izav.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1236	1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 1236	1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 1236	1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe	28
PID 1960 wrote to memory of 1236	1960	16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\izav.exe" 16cf0d0a9af15d20fabe1d47e492246d_JaffaCakes118
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
dc6d47deccda12a07e742a3929e5106f

SHA1
2a83b6c5d6a4060e8f816503e83b5c42f84fd176

SHA256
2faf00becc95fd78520db0fbf499256ffe2e17ae43ba24fa2987537dd4a7da0e

SHA512
ac5e2da856de241882caaa3a599d4f79fd0dcbac48cee03c54aad0372231a39832d8ab42c0a01dc0530dcf78d3b63d6c21cd8e00b41846e219b8645d9bddb84d

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\izav.exe

Filesize
76KB

MD5
bd1469d9b5d09a8c4924d4642885f11a

SHA1
e7f990b4287e21b190eca95e9f69f63f7c338cfd

SHA256
1ea350176f9a6aed1e4c2b8be5037dabc576909afd429ee53158b22540dc50eb

SHA512
711b2aae1a6b828e86e18385ae726e1dc3e49ac7eb8b930e252b35ba3c70a9b08b45dadf31f5fb908740121afb664daa09112ff4f3f660f2f32fc5570b5e0d39

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads