b09fc2c86d2e285f420f42d9db2219ef6f0f93a4634b2ba680b35e2b5b5e4f9e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Size

19KB
MD5

250ec7ceb11bc22ba7693c2631bcb4d9
SHA1

a8a97c9170cc683127a8fad58217ff083e585a6b
SHA256

b09fc2c86d2e285f420f42d9db2219ef6f0f93a4634b2ba680b35e2b5b5e4f9e
SHA512

8bd598e0a52ec311fa8550bff2cfaacd4a65f56eb64cf5adabd357e78908ea76cc68a5b74e43135755ac3b307bf8802a2fed6f2636fd983b4cad689f64d8011e
SSDEEP

384:oXwYfil0KNhejdEBNxPg2Dzv3fEHSI6qODjJcgCr/36LrVHE5MiePv:o7il0KNmE5Y2DzvsHSLcf7KLrh1X

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wrqszl.dll.LoG	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wrqszl.dll	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tf0	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\InProcServer32\ = "C:\\Windows\\SysWow64\\wrqszl.dll"	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\InProcServer32\ThreadingModel = "Apartment"	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\ = "MICROSOFT"	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F99DEFDD-200B-4410-B572-E90883D527D2}\InProcServer32	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Token: SeRestorePrivilege	1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Token: SeBackupPrivilege	1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
Token: SeRestorePrivilege	1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
1724	250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\250ec7ceb11bc22ba7693c2631bcb4d9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wrqszl.dll

Filesize
224KB

MD5
e995bba3d3f01b35d75325106997d676

SHA1
8a6087664cec67c6ca30cf2ac4252eb1cedfc995

SHA256
8fb99d1acea60e4d9dc3b2cb850ee869bba5d3cdf6b49eb17f2ea8e1ff2b2ade

SHA512
a2f3c6e13ee0a825dc764490dbe7c668791b26afc93c8afd61f840e65dc49df5ba2373b15007d192a2b7e7fc09dbe052436c47d4c6ef07156b0c7276815778f4

Download Submit
memory/1724-2-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/1724-5-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download