6227073ec7fd458d7765e59f55dbb20946b0ddf7d50180f7e2853daeb8c36a26

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Size

1.7MB
MD5

451036dfa1fc0e15964fe6292f1e03ae
SHA1

1ca90e2ab12d2bca1cf09277af60cfb3b9da88c8
SHA256

6227073ec7fd458d7765e59f55dbb20946b0ddf7d50180f7e2853daeb8c36a26
SHA512

7bb3ab37e1e245db49a0cf5529c81e2048ad901a41850a0f075b3ad8ca236cd5f72861a90825ee9ae2069216f192ddfd8c294d36495050e995ebc1fa82e0f143
SSDEEP

24576:3t+PGXJIYJgv8E32bpXnKKLA3FEQTdHUOD0/WkdmKaMaOhhKJ:dJXJQ32l3tLtIHXAOkdmn

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe\" -noconnect"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe\""	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe\""	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe\" -noconnect"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4776	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
4776	451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\451036dfa1fc0e15964fe6292f1e03ae_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
915B

MD5
63a8ac4a048b63b558f816c1d690065f

SHA1
4792709596955c8077d56f18daff771b528e2faf

SHA256
7a69cef7a4af2649fc80b10fb9ca6c1ff0a9a76fea7127ef0ff11571d863a162

SHA512
8ed3628e1f37ed930d75f85a45d213a2209e36a7f8df44a784539acdc49d9d9898b7f109bc59cdb6bb7b8bf05abae90d667b1942c582e68c1fe4641932654197

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
875B

MD5
a7afc3ee8eb79b3ec537d557067aaa5a

SHA1
5dc296dab63520e831345311aa0d765c41bbe10f

SHA256
48143eadea47adac233d8d1eb536f9992eb04ee2a5f3efc66798279931191df8

SHA512
1083a7af3b67fb8fafae1fa10ae80d799cf3c016ede54938add4520e4c45d472b999764e18616f62e3ddf1bcb9b285328c307f841a33aa7fcc3f8fe3b4da9559

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc.ini

Filesize
180B

MD5
c2713d63a7bec1866b2f5e336a5254e7

SHA1
1bcf57b9b937302578c2c10c174d68368bbf2cd5

SHA256
9e95bf2f2bb9346d83c7ca7b8da09107970a733583edfb30a5e5c14bee2c4c59

SHA512
c4230650aa58d48c938e8c375b26bc9414de1f4392ffa1cdff743a82db5d86c1264b5d452db104b4527c776424763d09e18442607c969f0109bd36416da2648b

Download Submit
memory/4776-182-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-184-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-179-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-180-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-181-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-177-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-183-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-178-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-185-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-186-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-187-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-188-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-189-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/4776-190-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download