Analysis

- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2024 11:20
Behavioral task: behavioral1

- Sample: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- Resource: win7-20240705-en
General

- Target: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- Size: 101KB
- MD5: 7805e6298903cbd07833d6d7b4147458
- SHA1: 2abad5544ec45b78eba1d2a38a26167c25197bd5
- SHA256: a882cd36825d6e74446f7e4654b5658c0e350c6a473db3542c537959cc661499
- SHA512: 5214889cda839857f226c7225021d9a0eb7e2fb239a534d81e6075998ae5bfb6102ead0388cd7fca96ba017de17068a46218a59ff31634e825d195be23236727
- SSDEEP: 1536:39XM2K4Y3kK5MNq5cktsVPkRcT5nEYJyuXtg/I/rSL5+Fj7z3nYxt:398xkK5h5xwPDTZrJ/rq5+Fj7z3nYxt
Malware Config

Signatures

Drops file in System32 directory (1 IoC)
Processes: randompinned.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (randompinned.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, randompinned.exe, randompinned.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (randompinned.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (randompinned.exe)
Modifies data under HKEY_USERS (21 IoCs)
Processes: randompinned.exe
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (randompinned.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9} (randompinned.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9}\WpadNetworkName = "Network 3" (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-ca-e2-18-15-e2 (randompinned.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-ca-e2-18-15-e2\WpadDecisionTime = d0842b0160e2da01 (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (randompinned.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (randompinned.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9}\WpadDecisionReason = "1" (randompinned.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (randompinned.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (randompinned.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (randompinned.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9}\WpadDecision = "0" (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9}\96-ca-e2-18-15-e2 (randompinned.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-ca-e2-18-15-e2\WpadDecision = "0" (randompinned.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (randompinned.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (randompinned.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0073000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (randompinned.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CC5E481-0723-4ED9-9933-3A4F2891A8D9}\WpadDecisionTime = d0842b0160e2da01 (randompinned.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-ca-e2-18-15-e2\WpadDecisionReason = "1" (randompinned.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: randompinned.exe
- PID 2832 randompinned.exe
- PID 2832 randompinned.exe
- PID 2832 randompinned.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 1968 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
Suspicious use of UnmapMainImage (4 IoCs)
Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, randompinned.exe, randompinned.exe
- PID 3032 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 1968 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 2464 randompinned.exe
- PID 2832 randompinned.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe, randompinned.exe
- PID 3032 wrote to memory of 1968: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe -> 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 3032 wrote to memory of 1968: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe -> 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 3032 wrote to memory of 1968: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe -> 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 3032 wrote to memory of 1968: 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe -> 7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe
- PID 2464 wrote to memory of 2832: randompinned.exe -> randompinned.exe
- PID 2464 wrote to memory of 2832: randompinned.exe -> randompinned.exe
- PID 2464 wrote to memory of 2832: randompinned.exe -> randompinned.exe
- PID 2464 wrote to memory of 2832: randompinned.exe -> randompinned.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe (PID 3032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe (PID 1968, child of 3032)
    Command line: C:\Users\Admin\AppData\Local\Temp\7805e6298903cbd07833d6d7b4147458_JaffaCakes118.exe --aeaf4a34
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage

- C:\Windows\SysWOW64\randompinned.exe (PID 2464)
  Command line: "C:\Windows\SysWOW64\randompinned.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\randompinned.exe (PID 2832, child of 2464)
    Command line: C:\Windows\SysWOW64\randompinned.exe --224ae5ed
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage