72e139a5d7de3de3054148006b75ed6b2ccf8b3460905e7608dc8d5dc02e5268

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Size

1.2MB
MD5

4e1516c60acbd0a7b9a18f5f88131147
SHA1

cda391598d2e16482a988f26adbc05fac00d3619
SHA256

72e139a5d7de3de3054148006b75ed6b2ccf8b3460905e7608dc8d5dc02e5268
SHA512

e32f828eff56eadcd3ef251386d95795bb1a1cd32f3b468a7d7039d73c53aa8c0a719b7b8e8af457dbcdc60888470bd9c08a1e076f13dac2a1b57a00964ffcee
SSDEEP

24576:6ud8YPfNI3xdnUVp1QbgFCA+of0Ou7d2HMMLuCVUEM1sIZiEUN1kh7M3NCiV:6ud8EyBhOpfFCA5Lu7d2H3ZeEMTZiRIU

Score

1^/10

Malware Config

Signatures

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\ProxyStubClsid32	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.ExecController.9\Clsid\ = "{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\0	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\VersionIndependentProgID\ = "WEXECTRL.mrunner_agent"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\TypeLib\ = "{1A525718-70E2-11D3-9CA4-0080C837F11F}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent.9\Clsid\ = "{665E4724-D3FA-11D4-8F38-0050DAC665BB}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\ = "Mercury Test Run Scheduler"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\ = "Mercury Test Run Scheduler TypeLibrary"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\Version\ = "9"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\VersionIndependentProgID	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\TypeLib	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\LocalServer32	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\ProxyStubClsid32	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\TypeLib\Version = "7.0"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent\ = "TD Manual Runner Agent Object"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.ExecController\Clsid	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\FLAGS	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\HELPDIR	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.mrunner_agent\CurVer	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\ProgID\ = "WEXECTRL.ExecController"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.ExecController\CurVer	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\Version\ = "7.0"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\TypeLib	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent.9	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\ProxyStubClsid32	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.ExecController\CurVer	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\ = "Imrunner_agent"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent\Clsid	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\ = "IExecController"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.ExecController.9\Clsid	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\ = "TD Manual Runner Agent Object"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent.9\ = "TD Manual Runner Agent Object"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\Version	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.ExecController\CurVer\ = "WEXECTRL.ExecController.9"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.mrunner_agent\ = "TD Manual Runner Agent Object"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.mrunner_agent\Clsid	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\TypeLib\ = "{1A525718-70E2-11D3-9CA4-0080C837F11F}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\ProgID\ = "WEXECTRL.mrunner_agent"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\ProgID\ = "WEXECTRL.mrunner_agent.9"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.ExecController\ = "Mercury Test Run Scheduler"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent\CurVer	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\TypeLib\ = "{1A525718-70E2-11D3-9CA4-0080C837F11F}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\ = "Imrunner_agent"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\Version\ = "7.0"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{665E4724-D3FA-11D4-8F38-0050DAC665BB}\Version	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\TypeLib\Version = "7.0"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.ExecController\ = "Mercury Test Run Scheduler"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.ExecController\CurVer\ = "WEXECTRL.ExecController.9"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A525719-70E2-11D3-9CA4-0080C837F11F}\ = "IExecController"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.ExecController	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A525718-70E2-11D3-9CA4-0080C837F11F}\7.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{665E4722-D3FA-11D4-8F38-0050DAC665BB}\TypeLib\ = "{1A525718-70E2-11D3-9CA4-0080C837F11F}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.mrunner_agent\Clsid\ = "{665E4724-D3FA-11D4-8F38-0050DAC665BB}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WEXECTRL.mrunner_agent\Clsid\ = "{665E4724-D3FA-11D4-8F38-0050DAC665BB}"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wexectrl80.mrunner_agent\CurVer\ = "WEXECTRL.mrunner_agent.9"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\TypeLib	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FB199D0-ECDC-4A8F-B4BE-017AA5C70CE8}\VersionIndependentProgID\ = "WEXECTRL.ExecController"	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
1396	4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e1516c60acbd0a7b9a18f5f88131147_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-1-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1396-2-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1396-0-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1396-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1396-5-0x0000000000400000-0x0000000000905000-memory.dmp

Filesize
5.0MB

Download
memory/1396-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads