d50bc8eb2c208003c0956ad59710c3aa10d2839acce3d02347c123c20cbf5e31

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe
Size

86KB
MD5

5c3e846afce73b946774ca1a30145e48
SHA1

53625e149d4a57b23fa9ac51ef5e43dbcfc3ebe3
SHA256

d50bc8eb2c208003c0956ad59710c3aa10d2839acce3d02347c123c20cbf5e31
SHA512

333570f4fd366d3eb61c5c55cd8c746905053c9957180630a3c150c76d5c42c8bb3190484832051d88662950d0d7be22cb14ad51289c7704d3ceca637531ffd1
SSDEEP

1536:7QIrRwTiCFN0JSAGwryea07Eq/HIoLjySYd/OqLiym/Jp+VsznnmHzxT:7QERwPz4SZzYE2o8jyuqLG+VImTx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2108	FED3.exe
2836	system32F24D.exe
1832	FED3.exe

Loads dropped DLL 9 IoCs

pid	Process
1904	cmd.exe
1904	cmd.exe
2108	FED3.exe
2108	FED3.exe
2108	FED3.exe
2108	FED3.exe
2428	cmd.exe
2428	cmd.exe
1832	FED3.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FED3.exe	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FED3.exe	system32F24D.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32F24D.exe	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	FED3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	FED3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	FED3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	FED3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	FED3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe
2108	FED3.exe
2836	system32F24D.exe
1832	FED3.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1904	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1904	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1904	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	30
PID 2172 wrote to memory of 1904	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	30
PID 1904 wrote to memory of 2108	1904	cmd.exe	32
PID 1904 wrote to memory of 2108	1904	cmd.exe	32
PID 1904 wrote to memory of 2108	1904	cmd.exe	32
PID 1904 wrote to memory of 2108	1904	cmd.exe	32
PID 2172 wrote to memory of 2836	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	35
PID 2172 wrote to memory of 2836	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	35
PID 2172 wrote to memory of 2836	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	35
PID 2172 wrote to memory of 2836	2172	5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe	35
PID 2836 wrote to memory of 2428	2836	system32F24D.exe	36
PID 2836 wrote to memory of 2428	2836	system32F24D.exe	36
PID 2836 wrote to memory of 2428	2836	system32F24D.exe	36
PID 2836 wrote to memory of 2428	2836	system32F24D.exe	36
PID 2428 wrote to memory of 1832	2428	cmd.exe	38
PID 2428 wrote to memory of 1832	2428	cmd.exe	38
PID 2428 wrote to memory of 1832	2428	cmd.exe	38
PID 2428 wrote to memory of 1832	2428	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c3e846afce73b946774ca1a30145e48_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\FED3.exe eee
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\FED3.exe
    C:\Windows\system32\FED3.exe eee
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2108
- C:\Windows\system32F24D.exe
  C:\Windows\system32F24D.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\FED3.exe eee
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\FED3.exe
      C:\Windows\system32\FED3.exe eee
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\63CBHSX0.htm

Filesize
393KB

MD5
ef7163d247efb0f66d2c048d2baa7f5a

SHA1
0778f6821c0850660ac2ed5c9ff881176c44253f

SHA256
3845c4c9d8ca567714751b29c0511d06ea6bf2dee994c68bd93ac2bcd835065f

SHA512
b460fc28ddfc85e5e2627de9c0d7dc367209cbef2407943cb9b9e1c57916ec142a9c644a07a24dadc9bd2d527a9f22c940c5998d903b3358d560d6c5eb05e03f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U01NV7NF.txt

Filesize
273B

MD5
187b8f929bf33d7e6d900b306db69b0b

SHA1
bd40e970b7161f93f989503676b9b88df1c7b84a

SHA256
3ae096c7f9316d09a091f292eb5b8081db9e07641210c2c6e989d2f510a3cb74

SHA512
427fe1e3f3120436cb5c8e3b11797edbdc7dd73dcf53f35046de4be837930815f438f186171de2c62c8552c6f14c98ac7ca234fd8ffa49bc8b6737b3377310d7

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\system32F24D.exe

Filesize
86KB

MD5
5c3e846afce73b946774ca1a30145e48

SHA1
53625e149d4a57b23fa9ac51ef5e43dbcfc3ebe3

SHA256
d50bc8eb2c208003c0956ad59710c3aa10d2839acce3d02347c123c20cbf5e31

SHA512
333570f4fd366d3eb61c5c55cd8c746905053c9957180630a3c150c76d5c42c8bb3190484832051d88662950d0d7be22cb14ad51289c7704d3ceca637531ffd1

Download Submit
\Windows\SysWOW64\FED3.exe

Filesize
112KB

MD5
a38812fe6b9ee8aa1a8eefd3c0050a5e

SHA1
95ccd8c57baeb09a025f25f096bbcdf67430d03e

SHA256
1e18f7bee4f8b978f3c14a1bd917b49bc94e53ee383fda3fe5f9a2b47396e5b2

SHA512
90011134499c8e3333f0ed39a56e91cb70de3ad29cf3ed59b6446755011dc4514566378e794f9a39b6c7f03a4e4c2eaaa9c47c6efd56e95e342d34e4260b61d5

Download Submit
memory/2172-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-30-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2172-29-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2172-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2172-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-32-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2836-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2836-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download