Analysis
max time kernel: 142s
max time network: 16s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 22-07-2024 17:46
Static task: static1
Behavioral task: behavioral1
  Sample: 642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Size: 55KB
MD5: 642a93206cb3a055012ccc65681e6710
SHA1: 31c51d61177c894820d5c332f8dbdac3c6554665
SHA256: 964e43336fed2aefa381d181f58c962e0690e31406ff35d1d44b6c6a9e0eb774
SHA512: 40f274f355642ea3f876cd89ce9dd2e06d70ded0027dd6e20a0b685e1bd93daac9f5cb1baf719c2affd6d883dc96661e7ff9cdc0fd34652306fbfd9a05e83b2f
SSDEEP: 1536:VCqlZmQeDYncJuHcHv6qZHQe3V/H3DVepP1lx:KDDyHcHfH7F/Anlx
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2004  m.exe
Loads dropped DLL (1 IoC)
  pid   process
  2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Drops file in Windows directory (4 IoCs)
  description                   ioc                      process
  File created                  C:\WINDOWS\inf\mtq.dll   642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  File opened for modification  C:\WINDOWS\inf\MTQ       m.exe
  File created                  C:\WINDOWS\inf\MTQ       642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  File opened for modification  C:\WINDOWS\inf\MTQ       642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Modifies registry class (5 IoCs)
  description      ioc                                                                                                         process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\                642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32\ = "C:\\WINDOWS\\inf\\mtq.dll"  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}\InProcServer32\ThreadingModel = "Apartment"  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E096F01-9790-4D05-ACDC-91409B1B7A52}                 642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process                                              procid_target
  PID 2540 wrote to memory of 2004   2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe   30
  PID 2540 wrote to memory of 2004   2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe   30
  PID 2540 wrote to memory of 2004   2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe   30
  PID 2540 wrote to memory of 2004   2540  642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe   30
  PID 2004 wrote to memory of 2728   2004  m.exe                                                31
  PID 2004 wrote to memory of 2728   2004  m.exe                                                31
  PID 2004 wrote to memory of 2728   2004  m.exe                                                31
  PID 2004 wrote to memory of 2728   2004  m.exe                                                31
Processes
1. C:\Users\Admin\AppData\Local\Temp\642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\642a93206cb3a055012ccc65681e6710_JaffaCakes118.exe"
   PID: 2540
   - Loads dropped DLL
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\m.exe
      Command line: c:\m.exe
      PID: 2004
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c delself.bat
         PID: 2728
Network
MITRE ATT&CK Matrix
Downloads
File 1
  Filesize: 19B
  MD5: 87bcc25b51b58c7a63f10143b156034c
  SHA1: f841d51f9bb39db8b8fd4b17e328b3a8066b36d9
  SHA256: 4d4334f4dde0c7d83bdcb475f1a947d3147e34d8bcdf609ef066b8d2056d07d1
  SHA512: b78d5597ad6575d3b0124b0d81f31446b2a0cdd3136d1b13d92390fcadd08029a471f0c38258900a5a38389b0f64102b3f48f622b994ac11a6d09e48beb072e4
File 2 (hashes identical to the submitted sample)
  Filesize: 55KB
  MD5: 642a93206cb3a055012ccc65681e6710
  SHA1: 31c51d61177c894820d5c332f8dbdac3c6554665
  SHA256: 964e43336fed2aefa381d181f58c962e0690e31406ff35d1d44b6c6a9e0eb774
  SHA512: 40f274f355642ea3f876cd89ce9dd2e06d70ded0027dd6e20a0b685e1bd93daac9f5cb1baf719c2affd6d883dc96661e7ff9cdc0fd34652306fbfd9a05e83b2f
File 3
  Filesize: 33KB
  MD5: f0d92ab4d65f94b9b1338c585567fe27
  SHA1: 9e027f8c281b5d900a0b814b419413bec2efbde7
  SHA256: 25043c98a8d88edf4be5565e814c23e29236b7d48d45e9cda1dc1768fd5e070a
  SHA512: 34b1f53fcdad320ba0d62a3923fe864167d961d636fcb8d192ce0abeb53b5f50015a7a34bf68287816c63cd0dc5a5e346744d325862b98da45651cb8240f7ee7