730ba1ecdbc582e4c708bb40ba566e809968e46e752635010aa8a06bbf3fb039

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe
Size

160KB
MD5

fc61e9f92e24e4d32e5b2b06dd62b31a
SHA1

a285f95da052c23fd8bf3e5228b6db896fe96807
SHA256

730ba1ecdbc582e4c708bb40ba566e809968e46e752635010aa8a06bbf3fb039
SHA512

c401ed116167f01910e05e2cb0fe08e5775d743a29ee122f69ecf0ae72f9ac2343861a16ddd069d518cac380e60a87dd1aaf5ce0f334df6f7420d3a2f214158f
SSDEEP

768:SVXL+uSmHRCfKy09p42hoJ0h4h2hQJVNjDkp57xXp5Rmg5Fh4hqhxOhDhzhnhvhB:SZqPfKyQ/Jh4h2hON6x5puwVT0h

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2368	rhwiop.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe
2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /m"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /h"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /M"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /n"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /H"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /r"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /j"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /W"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /g"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /f"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /D"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /i"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /x"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /A"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /I"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /e"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /d"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /l"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /w"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /X"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /p"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /Q"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /K"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /c"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /N"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /u"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /S"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /C"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /y"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /Z"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /b"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /L"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /E"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /Y"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /q"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /U"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /O"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /G"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /T"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /R"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /a"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /B"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /o"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /P"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /t"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /V"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /s"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /J"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /v"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /k"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /F"	rhwiop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rhwiop = "C:\\Users\\Admin\\rhwiop.exe /z"	rhwiop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe
2368	rhwiop.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe
2368	rhwiop.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2368	2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2368	2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2368	2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe	30
PID 2240 wrote to memory of 2368	2240	fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29
PID 2368 wrote to memory of 2240	2368	rhwiop.exe	29

C:\Users\Admin\AppData\Local\Temp\fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc61e9f92e24e4d32e5b2b06dd62b31a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\rhwiop.exe
  "C:\Users\Admin\rhwiop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\rhwiop.exe

Filesize
160KB

MD5
dfa016b846d70584a60f763079ea0ba1

SHA1
e5d9c5b1504fb020e6bdc0af87e2c23a483e7d70

SHA256
aaa2b0e852eabf8319f74124533713f8ff60c5a0240ce9ccfb85460587e6d99f

SHA512
15e8639b652a6197b26f30d2f3de5678c13980eafb8d5c434d9a0456676fb106cf2bc0364e55eeaacca86b688ea493aeea03e75e5a299a897a9380aa45f21bf0

Download Submit