Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18/04/2024, 05:17

Static task: static1
Behavioral task: behavioral1
  Sample: f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
  Resource: win10v2004-20240412-en

The signatures and process tree below are from the Windows 7 run (behavioral1), matching the platform and resource listed above; the Windows 10 run (behavioral2) is a separate report.

General

Target: f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
Size: 148KB
MD5: f75764d7b83f4935465542fdae8a5923
SHA1: ab16f5a2798255bf5ce9f23531fc320a7c324130
SHA256: 01700892d2f3e30fff0f92bb168864e926c7f9dfb22eae4bd325ac371838a5e4
SHA512: eb933181df22b30ff2c02d2251093a4c6df35e237e4c6d904c4c8bad43d4d944a27114999686a0c16d57290359ce49395553f744a011b025db53a539e3f7217b
SSDEEP: 3072:DiFqQh4mRpDGq7At/yRWr2wA36nbMUq8hFOdhI/2E5j4oQu:uFFh96F90Wf7nJPwdud
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  kuofaoq.exe
  ShowSuperHidden is the "Hide protected operating system files" setting; writing 0 keeps any file carrying the hidden+system attributes out of Explorer listings. Both the submitted sample and its dropped copy set it. \REGISTRY\USER\<SID> is the sandbox's name for the HKEY_CURRENT_USER hive of the logged-on user.
Executes dropped EXE (1 IoC)
  pid   Process
  1712  kuofaoq.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1044  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
  1044  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
  Key:   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Value: kuofaoq (Set value (str))
  All 51 IoCs are writes to this one value, each of the form "C:\\Users\\Admin\\kuofaoq.exe /<switch>" with a different single-letter switch (listed in report order):
    by f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe (1 write): /A
    by kuofaoq.exe (50 writes): /l /E /x /H /y /K /F /u /V /t /R /m /f /s /c /o /r /d /Z /j /b /X /T /B /h /p /W /U /C /N /D /n /k /i /S /M /z /q /v /e /J /P /O /L /I /Y /g /G /Q /A
  Only the last write survives on disk, so a hunt should match on the value name kuofaoq and the C:\Users\Admin\kuofaoq.exe path prefix rather than on any particular switch. Note that the process tree below shows kuofaoq.exe being launched with no switch at all.
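The Run-key and ShowSuperHidden IoCs above are exported as flattened one-line strings. The following Python is an added example (not part of this report or of any Triage tooling) that parses lines in that format, rewrites the SID-qualified \REGISTRY\USER\<SID> hive to HKCU so the key can be used in a host query, and runs two heuristics over the result: a Run value pointing at an executable sitting directly in a user profile root and written by that same binary, and ShowSuperHidden forced to 0 by something other than Explorer. The line regex, the HKCU normalisation, the profile-root pattern and the rules are my own assumptions about the export format; the sample lines are copied from the signatures above.

```python
import re
from collections import Counter

# IoC lines copied from the Signatures section of this report. Export format:
#   Set value (<type>) <registry path> = "<data>" <writing process>
# Five lines are enough to exercise the parser; the report lists 51 Run writes.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kuofaoq.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\kuofaoq = "C:\\Users\\Admin\\kuofaoq.exe /A" f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\kuofaoq = "C:\\Users\\Admin\\kuofaoq.exe /l" kuofaoq.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\kuofaoq = "C:\\Users\\Admin\\kuofaoq.exe /E" kuofaoq.exe',
]

# Assumed shape of one exported IoC line (see format comment above).
IOC_RE = re.compile(
    r'^(?P<op>Set value) \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<process>\S+)$'
)
# \REGISTRY\USER\<SID>\ is the kernel name of the logged-on user's HKCU hive.
SID_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)
# Executable dropped straight into a profile root: C:\Users\<user>\<name>.exe
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_ioc(line: str) -> dict:
    """Turn one flattened IoC line into a record keyed by an HKCU-relative path."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    key, _, value_name = SID_HIVE_RE.sub(r"HKCU\\", m["path"]).rpartition("\\")
    return {
        "type": m["type"],
        "key": key,
        "value": value_name,
        "data": m["data"].replace("\\\\", "\\"),  # undo the export's doubled backslashes
        "process": m["process"],
    }


def flag(record: dict) -> list:
    """Heuristics (my own, not the sandbox's) applied to one record; returns reasons."""
    reasons = []
    key_l = record["key"].lower()
    if key_l.endswith(r"\currentversion\run"):
        target = record["data"].split(" /", 1)[0]  # strip a trailing "/<switch>"
        if PROFILE_ROOT_EXE_RE.match(target):
            reasons.append("Run value points at an exe in a profile root")
        if target.rsplit("\\", 1)[-1].lower() == record["process"].lower():
            reasons.append("binary registers itself for autostart")
    if (key_l.endswith(r"\explorer\advanced") and record["value"] == "ShowSuperHidden"
            and record["data"] == "0" and record["process"].lower() != "explorer.exe"):
        reasons.append("hides protected OS files via ShowSuperHidden=0")
    return reasons


def triage(lines: list) -> dict:
    """Parse every line, collect findings, writers and the set of Run switches seen."""
    records = [parse_ioc(line) for line in lines]
    findings = [(r["process"], reason) for r in records for reason in flag(r)]
    switches = sorted({
        r["data"].split(" /", 1)[1]
        for r in records
        if r["key"].lower().endswith(r"\currentversion\run") and " /" in r["data"]
    })
    return {
        "records": records,
        "findings": findings,
        "writers": Counter(r["process"] for r in records),
        "run_switches": switches,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_IOCS)
    for rec in result["records"]:
        print(f'{rec["key"]}\\{rec["value"]} = {rec["data"]!r}  <- {rec["process"]}')
    for proc, reason in result["findings"]:
        print(f"[!] {proc}: {reason}")
    print("Run switches seen:", result["run_switches"])
```

The self-registration rule fires for the 50 kuofaoq.exe writes but not for the one write the original sample makes, which is exactly the split the report shows; the profile-root rule fires for all 51. Feeding the full IoC list from the report into triage() gives the complete switch alphabet without hand-counting.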
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1044  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe  (1 entry)
  1712  kuofaoq.exe  (63 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1044  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe
  1712  kuofaoq.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                             procid_target
  PID 1044 wrote to memory of 1712   1044  f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe  28   (4 identical entries)
  The only WriteProcessMemory target is the child the sample itself spawned (1044 -> 1712 in the process tree below); the report records no writes into any unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe  (PID 1044)
  command line: "C:\Users\Admin\AppData\Local\Temp\f75764d7b83f4935465542fdae8a5923_JaffaCakes118.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\kuofaoq.exe  (PID 1712)
      command line: "C:\Users\Admin\kuofaoq.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

The dropped copy is started from the profile root with no command-line switch, even though every Run value it writes carries one; the original process has no further children.
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file
  Filesize: 148KB
  MD5:      d70cef8018df06c13d009284215bfa88
  SHA1:     6b455013fcff6684691fb5e3732fbb38bbd56687
  SHA256:   9830accdb3f85cb0b9fc95af1611ff74e79f2566faf350278bc6d45534e52c7c
  SHA512:   eb9947117a936d053b860afd98a3815ec1e520b34ea4328370e37cdc28272537929271bfd686dc62cd606572acd2b614b4ea138e11953abeefefb2a18ec933d5

The report does not name this file, but the only dropped executable recorded above is C:\Users\Admin\kuofaoq.exe. It has the same 148KB size as the submitted sample while every hash differs, so the copy is not byte-identical to the original; hunt on both hash sets, not just the submitted one.