Analysis
max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
17/04/2024, 12:58
Static task
static1
Behavioral task
behavioral1
Sample
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Resource
win10v2004-20240412-en
General
Target
f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Size
216KB
MD5
f5d274a7491191e1a0180ec06a70c7bb
SHA1
d675406a2e63ba4b7a87e72024e575e0453f6324
SHA256
96e73eb087f1c27a05ad2fbd861b9fd4c73bd86dfda4215cf4344bd3d934d181
SHA512
f71f59e49d7a6c81aa0571d78432f97c35844872eb3c2c4cd89d4137b266d789d377f27c5c215c7bbc6fb2a416aebfb9e63f414c6acb2f924ce33c1ca3081610
SSDEEP
6144:CcX2DECtrkQ5zgMZUP15HcAgonAmKfwDVAQ:n41gMZUHcAgonAmZDV
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | booutes.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation | f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
2464 | booutes.exe
Adds Run key to start application 2 TTPs 52 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /X" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /Q" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /u" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /D" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /H" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /N" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /r" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /s" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /d" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /i" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /m" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /q" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /W" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /c" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /G" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /k" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /M" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /Y" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /p" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /E" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /f" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /n" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /Z" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /S" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /J" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /o" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /L" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /e" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /t" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /U" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /b" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /x" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /g" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /R" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /T" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /P" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /v" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /a" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /y" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /K" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /B" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /V" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /w" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /I" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /C" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /j" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /h" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /l" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /A" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /z" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /O" | booutes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booutes = "C:\\Users\\Admin\\booutes.exe /F" | booutes.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2464 | booutes.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
232 | f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
2464 | booutes.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 232 wrote to memory of 2464 | 232 | f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe | 89
PID 232 wrote to memory of 2464 | 232 | f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe | 89
PID 232 wrote to memory of 2464 | 232 | f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5d274a7491191e1a0180ec06a70c7bb_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:232
  C:\Users\Admin\booutes.exe
    "C:\Users\Admin\booutes.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2464
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
216KB
MD5
b2ccb09781acd9170862577f178d1cdc
SHA1
523474b8cbf6a55a04d2dbdb0356da9e3895b14d
SHA256
9fc61568ee7dd3dee6462ebeccf66507b402c3a7b43906d6c5fbc8d4c6b99715
SHA512
b7d46761f433e7cb2d84f537152b092b65d67171c2727df7c870cef826bd667cc0a551629c8a09a8779d4ddb5abd2e44f14bf57729f4e710e89d2193a47f947f