b3652318b4839285a244c3cce72ae98597ff6287e9247f5365587981e3067b6e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe
Size

111KB
MD5

209efe65db32679b693b168ccd51a4bc
SHA1

ca430a22a4155af68beb148fd34032c759326edc
SHA256

b3652318b4839285a244c3cce72ae98597ff6287e9247f5365587981e3067b6e
SHA512

666b0b7bdf20a37779e37fa3601b19139cc014809094101ca1edc2158016b6dfc567b9625638ed5890efcc4835563ee93ac83040ab49e003fbd5e5e140bce5d8
SSDEEP

1536:uP1JI4t8qDwTvD+bFWU+L1i4QmOexXxBxmxZx44D4dMz4n4N4t4R4R7ILiJIIIIN:c1JI4K3p4D4dMz4n4N4t4R4aEIIIIz5

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ldvoh.exe

Executes dropped EXE 1 IoCs

pid	Process
1792	ldvoh.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe
3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldvoh = "C:\\Users\\Admin\\ldvoh.exe"	ldvoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe
1792	ldvoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe
1792	ldvoh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1792	3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1792	3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1792	3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe	28
PID 3044 wrote to memory of 1792	3044	209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe	28
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27
PID 1792 wrote to memory of 3044	1792	ldvoh.exe	27

C:\Users\Admin\AppData\Local\Temp\209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\209efe65db32679b693b168ccd51a4bc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\ldvoh.exe
  "C:\Users\Admin\ldvoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\ldvoh.exe

Filesize
111KB

MD5
8609f71f8bc46b96ce667aaea0e28b7f

SHA1
875744b360b75944031ee2fbb06349c2b13bdb3a

SHA256
4da51683f15efc5c3e75ce7d09dbd8c6378017cadf26c452efb5cff10d27278c

SHA512
f89062f62bc76b397ed97e5d65b81a66df303c272d105f524415f8ebda4840b5c269289f51810179fe0b90590008080a4336040839e96a79b4b90292efcc6304

Download Submit