Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
06-07-2024 16:13
General
-
Target
28c9111963ed724562914a09bd88941a_JaffaCakes118.exe
-
Size
801KB
-
MD5
28c9111963ed724562914a09bd88941a
-
SHA1
2768b62003eadf910ac45c86fe57d25b7d5e7930
-
SHA256
643ac7842c7ff727f1b116821d9870bb724ab47108fedcb6d0b2b99bde75515d
-
SHA512
3cfc8046e9a59a14679f90462dd3added140c5ec1fe448e71f9c981e74d1964b9834ae9f0d0521a314904d82fe5c8dcaf72607340c12249efcd42f4d3ce37d5e
-
SSDEEP
24576:c8nxN/c0oQ5IGwacnTV7KRLrcSu47oC7Zu7Al7GC7Zu7fI76C7Zu7N57xC7Zu7Xp:bxNfotFnB7K9rZu47oC7Zu7Al7GC7Zu3
Malware Config
Signatures
-
Modifies security service 2 TTPs 22 IoCs
-
Executes dropped EXE 10 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 20 IoCs
-
Drops file in System32 directory 22 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Runs .reg file with regedit 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\28c9111963ed724562914a09bd88941a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\28c9111963ed724562914a09bd88941a_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 660 "C:\Users\Admin\AppData\Local\Temp\28c9111963ed724562914a09bd88941a_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 748 "C:\Windows\SysWOW64\devsvc.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 744 "C:\Windows\SysWOW64\devsvc.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 756 "C:\Windows\SysWOW64\devsvc.exe"5⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 752 "C:\Windows\SysWOW64\devsvc.exe"6⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 736 "C:\Windows\SysWOW64\devsvc.exe"7⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 764 "C:\Windows\SysWOW64\devsvc.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 760 "C:\Windows\SysWOW64\devsvc.exe"9⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 776 "C:\Windows\SysWOW64\devsvc.exe"10⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\devsvc.exeC:\Windows\system32\devsvc.exe 768 "C:\Windows\SysWOW64\devsvc.exe"11⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
298B
MD54117e5a9c995bab9cd3bce3fc2b99a46
SHA180144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA25637b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c
-
Filesize
1KB
MD5a920eceddece6cf7f3487fd8e919af34
SHA1a6dee2d31d4cbd1b18f5d3bc971521411a699889
SHA256ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6
SHA512a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc
-
Filesize
801KB
MD528c9111963ed724562914a09bd88941a
SHA12768b62003eadf910ac45c86fe57d25b7d5e7930
SHA256643ac7842c7ff727f1b116821d9870bb724ab47108fedcb6d0b2b99bde75515d
SHA5123cfc8046e9a59a14679f90462dd3added140c5ec1fe448e71f9c981e74d1964b9834ae9f0d0521a314904d82fe5c8dcaf72607340c12249efcd42f4d3ce37d5e
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
116KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB