26fede729834ee64c5bbe0cfa5516e72fb5dc361ace426c3cac2d8cc3c51ec0c

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe
Size

204KB
MD5

16175ed53b3962d8c14c1ffd5f2482c7
SHA1

1c76ef23b41bae50dc700c0ee5cbbf9a1d05e7a7
SHA256

26fede729834ee64c5bbe0cfa5516e72fb5dc361ace426c3cac2d8cc3c51ec0c
SHA512

e289106343394ef5f884398cca66a05bfeb75f01e02c46d91a4e481164dcf2e4576c41aa5d8648a5cb8a16c4a4a76bbd61b8bb7c9ed1a695dd26a17e88621275
SSDEEP

3072:1TqqZBXj3pZgjxp8HRfW+Ida220gN4JsBi40BuWNVYrcLwcYieNRrhomiyTfXIKg:1muxDpZgdORfWTmiDBuhTIaxu+7qT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	feiozoh.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	feiozoh.exe

Loads dropped DLL 2 IoCs

pid	Process
2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe
2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /Z"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /n"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /b"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /V"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /J"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /Y"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /o"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /P"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /X"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /H"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /c"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /z"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /t"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /y"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /d"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /G"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /j"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /k"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /O"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /B"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /F"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /Q"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /D"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /A"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /W"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /r"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /s"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /C"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /M"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /h"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /m"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /R"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /x"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /g"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /L"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /N"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /a"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /S"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /U"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /p"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /u"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /i"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /T"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /e"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /E"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /q"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /K"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /f"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /I"	feiozoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\feiozoh = "C:\\Users\\Admin\\feiozoh.exe /w"	feiozoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe
2520	feiozoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe
2520	feiozoh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2520	2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2520	2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2520	2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2520	2872	16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe	28
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27
PID 2520 wrote to memory of 2872	2520	feiozoh.exe	27

C:\Users\Admin\AppData\Local\Temp\16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16175ed53b3962d8c14c1ffd5f2482c7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\feiozoh.exe
  "C:\Users\Admin\feiozoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\feiozoh.exe

Filesize
204KB

MD5
d4f8507790dbfcabc87c50a1f28da81b

SHA1
79dc74c0b54273c22cfa6eb6869d6c27aad4e0a1

SHA256
40ee068546852acce2518adf8b5ad58106ec142dc6ffdc40305196186b817817

SHA512
18227c5c23dfe06197cc2831c5e2ea3de831a7a5708986bad36d215a166dec8d500e14d080e1b1b019cc8a4435a7a93be0d0a016792a46ebd95be6d3093c9757

Download Submit