1c553eb5e9707baa6a3439f26afe2e70b475f80a938d62b4ca0813e86a1a6610

Analysis

max time kernel
141s
max time network
94s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 12:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe
Size

594KB
MD5

633d06fd866adaa532c2f5c606b5456e
SHA1

5216424e39d3fe8587fa93d500ae1d9e995369d5
SHA256

1c553eb5e9707baa6a3439f26afe2e70b475f80a938d62b4ca0813e86a1a6610
SHA512

217c9365e5438249fb323ea344580ffb543c5f1492935b4a8c027ca324cc8617c01a07710307723c7ce36e021d71c5d1f7927da11869871658d2e4244947d512
SSDEEP

12288:MHWYg1ieQ7NfOKn2NkBjm1q0BbTgoWTHQo30veJTv3PdEXV:MHtf7/nsamY0BgoNRGJTq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system\svchost.exe	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe
File opened for modification	C:\Windows\system\svchost.exe	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe
File created	C:\Windows\UNINSTAL.BAT	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\WpadDecisionTime = 400d89bd35dcda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9\WpadDecisionTime = 400d89bd35dcda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\WpadDecisionTime = e0c0768b35dcda01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\e6-e0-a4-b7-81-e9	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9\WpadDecisionTime = e0c0768b35dcda01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E25E846E-219A-49AF-BD2F-5F7B665DA5C0}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-e0-a4-b7-81-e9\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe
Token: SeDebugPrivilege	2888	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2728	2888	svchost.exe	31
PID 2888 wrote to memory of 2728	2888	svchost.exe	31
PID 2888 wrote to memory of 2728	2888	svchost.exe	31
PID 2888 wrote to memory of 2728	2888	svchost.exe	31
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32
PID 1736 wrote to memory of 2996	1736	633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\633d06fd866adaa532c2f5c606b5456e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNINSTAL.BAT
  2⤵
  - Deletes itself
  PID:2996

C:\Windows\system\svchost.exe
C:\Windows\system\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\UNINSTAL.BAT

Filesize
214B

MD5
1d4bb5ff4e10bc6d9c2b6cf11cb2ea2f

SHA1
894568b214681a4874c9d76d9b46fed1b54ecefd

SHA256
59c7bd1e815e14959b2721f8a07554e8b6848a3accbc47cfae5bab1950d8d594

SHA512
b2afbd1bc86048bfad9cac5b49e7fde1f8d1ce5acdab2d534e93c66cae49500e2a93eb4fe586dff751d6cf6540ea96559b7bce40008c31796fbe70db8f05197e

Download Submit
C:\Windows\system\svchost.exe

Filesize
594KB

MD5
633d06fd866adaa532c2f5c606b5456e

SHA1
5216424e39d3fe8587fa93d500ae1d9e995369d5

SHA256
1c553eb5e9707baa6a3439f26afe2e70b475f80a938d62b4ca0813e86a1a6610

SHA512
217c9365e5438249fb323ea344580ffb543c5f1492935b4a8c027ca324cc8617c01a07710307723c7ce36e021d71c5d1f7927da11869871658d2e4244947d512

Download Submit
memory/1736-1-0x0000000000390000-0x00000000003DB000-memory.dmp

Filesize
300KB

Download
memory/1736-0-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1736-10-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1736-69-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/1736-68-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/1736-67-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1736-66-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1736-65-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/1736-64-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

Filesize
4KB

Download
memory/1736-63-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/1736-62-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/1736-61-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/1736-60-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1736-59-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/1736-58-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/1736-57-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/1736-56-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/1736-55-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/1736-54-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/1736-53-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1736-52-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1736-51-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1736-50-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1736-49-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1736-48-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1736-47-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1736-46-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1736-45-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1736-44-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1736-43-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1736-42-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/1736-41-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1736-40-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1736-39-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1736-38-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1736-37-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1736-36-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1736-35-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1736-34-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1736-33-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1736-32-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1736-31-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1736-30-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1736-29-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1736-28-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1736-27-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1736-26-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1736-25-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1736-24-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1736-23-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1736-22-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1736-21-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1736-20-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1736-19-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1736-18-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1736-17-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1736-16-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1736-15-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1736-14-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1736-13-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1736-9-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1736-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1736-7-0x0000000002820000-0x0000000002823000-memory.dmp

Filesize
12KB

Download
memory/1736-6-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1736-5-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1736-4-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/1736-3-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1736-2-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1736-80-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1736-81-0x0000000000390000-0x00000000003DB000-memory.dmp

Filesize
300KB

Download
memory/2888-71-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2888-83-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2888-87-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download