cf0f836b843586f6404c19e1b4a482c15a1d3bf94ee2816cb660ae580b5eadc1

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Size

210KB
MD5

67c643b853cbb79c5b12f0948088190e
SHA1

bef905e0db0f8c9d4b373c63ff770d226b7eda6b
SHA256

cf0f836b843586f6404c19e1b4a482c15a1d3bf94ee2816cb660ae580b5eadc1
SHA512

63d556a3d9225aef9c865f23adb0e08362ec1257d10bd8644ffeaeeeb8b1d8071cec8388e70aeba06a3976f137d1b501cd86b0fadf32a6a4c24fa6882629c538
SSDEEP

3072:XEHeDMBSQwTOvP5mhXv0/2XDHVVuSIKj1QPbC4:X6BSQwTOvPd2X6Pcau4

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ = "_aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib\ = "{3A05B893-C4C0-494F-9EC7-18FBA58A227C}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\ProgID\ = "Project1.aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\Programmable	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ = "_aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\TypeLib	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\TypeLib\ = "{3A05B893-C4C0-494F-9EC7-18FBA58A227C}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\Implemented Categories	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.aFlRh	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.aFlRh\Clsid	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\ = "Project1.aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\LocalServer32	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\0	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ = "aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\0\win32	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.aFlRh\ = "Project1.aFlRh"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Project1.aFlRh\Clsid\ = "{FF610843-4C40-43A1-B4E4-B499FDA0C72D}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\VERSION\ = "2.0"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\ = "Project1"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\HELPDIR	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib\ = "{3A05B893-C4C0-494F-9EC7-18FBA58A227C}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib\Version = "2.0"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\ProgID	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\TypeLib\Version = "2.0"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid32	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF610843-4C40-43A1-B4E4-B499FDA0C72D}\VERSION	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\FLAGS	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3A05B893-C4C0-494F-9EC7-18FBA58A227C}\2.0\FLAGS\ = "0"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid32	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{43A970AB-1FD8-46C5-8490-E983FD9BECA5}\ProxyStubClsid	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2756	2700	67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\67c643b853cbb79c5b12f0948088190e_JaffaCakes118.exe
  2⤵
  PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2700-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-1-0x0000000000230000-0x0000000000266000-memory.dmp

Filesize
216KB

Download
memory/2700-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2756-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-12-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/2756-11-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/2756-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-15-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads