b40e8b28a72b95c301c892aaa65edaf5d5f5b961ad8ce32f912c334a555ecb23

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
Size

236KB
MD5

f420a4fb613b2965b6919646c9d0157f
SHA1

ebdbba6e515ab0c2734bec5041430b33d49b4496
SHA256

b40e8b28a72b95c301c892aaa65edaf5d5f5b961ad8ce32f912c334a555ecb23
SHA512

9b5d947a66cdf4c7048faa7b302a99b4a48c4de3e0762408e811932b5506de9f5d7ef671ea3c061d7da363b4dde216485518b2e025406f066686ce88612b394f
SSDEEP

3072:rdNhnA6wKzzGKXW28oYLVp0uP5cPLa6KMWM+x2rfdnpcJMyaegtmN2W6gBV:rtA5mzGXoYZpDPCPLa64fmdK+dt5W

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	peausa.exe

Executes dropped EXE 1 IoCs

pid	Process
1424	peausa.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /f"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /q"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /v"	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /a"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /e"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /j"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /p"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /x"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /c"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /z"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /l"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /w"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /m"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /t"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /g"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /i"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /h"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /b"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /d"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /o"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /y"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /n"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /v"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /k"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /s"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /r"	peausa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\peausa = "C:\\Users\\Admin\\peausa.exe /u"	peausa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe
1424	peausa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
1424	peausa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1424	2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe	28
PID 2108 wrote to memory of 1424	2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe	28
PID 2108 wrote to memory of 1424	2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe	28
PID 2108 wrote to memory of 1424	2108	f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f420a4fb613b2965b6919646c9d0157f_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\peausa.exe
  "C:\Users\Admin\peausa.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\peausa.exe

Filesize
236KB

MD5
df0eb5b818f261024c7e2c4f7dd40f44

SHA1
98adf2594ea773379ed267cea7f7fcca33be2b9b

SHA256
7eeec03a1e39f83e4b82ec6e86034dd62c7e1cb126a7a458c3f63a7fe6dc1342

SHA512
32039904f03abbe93a0b6cd9d0a1413621c8a8f7b633b9fc02536fc27e6d3650e4959c638a27df9406dec653c942a678467d248bf2f99823e94c4c93f83c91be

Download Submit