Analysis Overview
SHA256
6d6267dc36ff608a588abdc0afd6a2804773464b075c79523217140e84e351f5
Threat Level: Known bad
The file e3945674659d66a30a118f16cf27a95e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:49
Reported
2024-04-06 23:52
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\bidit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\bidit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /z" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /m" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /M" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /D" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /c" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /g" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /H" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /T" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /A" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /d" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /k" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /o" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /h" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /s" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /y" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /E" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /i" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /V" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /G" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /t" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /K" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /X" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /S" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /L" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /N" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /O" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /e" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /P" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /q" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /T" | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /x" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /b" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /I" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /u" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /C" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /W" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /r" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /a" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /B" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /R" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /p" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /j" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /f" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /J" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /l" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /v" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /w" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /U" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /F" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /Q" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /Z" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /Y" | C:\Users\Admin\bidit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\bidit = "C:\\Users\\Admin\\bidit.exe /n" | C:\Users\Admin\bidit.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\bidit.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2204 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\bidit.exe |
| PID 2204 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\bidit.exe |
| PID 2204 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\bidit.exe |
| PID 2204 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\bidit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe"
C:\Users\Admin\bidit.exe
"C:\Users\Admin\bidit.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns1.spansearcher.net | udp |
| US | 8.8.8.8:53 | ns1.spinsearcher.org | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 8.8.8.8:53 | ns1.player1352.org | udp |
Files
\Users\Admin\bidit.exe
| MD5 | 57afbdf06cd30c75ab82b7e4d17a68ef |
| SHA1 | 367c58a4cf18f8247cfe4d00a7b626f42cb0f6cf |
| SHA256 | 9baa98a0b7ee6cd1c4e2b194062be2cd13ae443580ae2792d07d2d8e00bcadfc |
| SHA512 | ea257d5e2dca6e8079051421f7b6c70ec3ff49f8c85bd2f9e197526bad64b8cc4689f48ee2c01ca72c8c17bdfa45b7d7d8925a3c4b36a98388c0206bf62ebf6f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:49
Reported
2024-04-06 23:52
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\miuni.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\miuni.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /l" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /S" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /N" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /a" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /g" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /w" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /R" | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /s" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /h" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /z" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /E" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /q" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /c" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /F" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /k" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /L" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /e" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /U" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /K" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /m" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /P" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /n" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /Y" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /Q" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /M" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /B" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /b" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /j" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /A" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /i" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /R" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /y" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /D" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /W" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /G" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /C" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /f" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /I" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /T" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /d" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /o" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /v" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /X" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /p" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /u" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /H" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /V" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /Z" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /t" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /O" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /x" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /J" | C:\Users\Admin\miuni.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miuni = "C:\\Users\\Admin\\miuni.exe /r" | C:\Users\Admin\miuni.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\miuni.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4468 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\miuni.exe |
| PID 4468 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\miuni.exe |
| PID 4468 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe | C:\Users\Admin\miuni.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e3945674659d66a30a118f16cf27a95e_JaffaCakes118.exe"
C:\Users\Admin\miuni.exe
"C:\Users\Admin\miuni.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.spansearcher.net | udp |
| US | 8.8.8.8:53 | ns1.spinsearcher.org | udp |
| US | 8.8.8.8:53 | ns1.player1352.net | udp |
| US | 8.8.8.8:53 | ns1.player1352.org | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\miuni.exe
| MD5 | e95e2b18605dfc46adf8bc9ade0963f8 |
| SHA1 | 9025a0fea540c5fcaff7a57655eb4f5174417327 |
| SHA256 | 7d450eb8e125575deb6aa7848a17a80a3bf1e4a389109de69bfb8f6fabd1d243 |
| SHA512 | 0ec0c73baaf449cb401a094557246b3634f3051b4008be4a82222d3282a3a8ba9600ebf473314df65b4b5580afb8674c51985d4f9912f5575de271c7b307aefa |