Analysis

- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en (the run whose signatures and process tree are reported below)
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/06/2024, 21:17

Static task: static1
Behavioral task: behavioral1
- Sample: 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General

- Target: 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe
- Size: 124KB
- MD5: 178f7c6e0d24d077a073620e39bd3fa6
- SHA1: 3ae7c96ee98a75e3a383643d19e41581cda469a2
- SHA256: 62ecfcbbbd8c78ad8d3f0cf08da832055eb6a889ff9ab94828b3e8f84f64ef01
- SHA512: cf0bd556fe5ecbd53a561ce660d99b49265614497d0fe57d7a8a37b5c88b857a4ede997a863d500d2de58be2045899da7de342fe7dc503bc3c8c6ff4e89751f6
- SSDEEP: 3072:dDCbZSukOY8hrJFVNM/N/5sfqDfwqmuUwOI:dork6hrJ3NON/5sGq7wl
Malware Config
Signatures

- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wiiuy.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe
  Both the submitted sample and the dropped copy set ShowSuperHidden to 0 ("Hide protected operating system files"), so files carrying both the hidden and system attributes stay out of Explorer listings for this user even when "Show hidden files" is turned on.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  1540 | wiiuy.exe

- Adds Run key to start application (2 TTPs, 53 IoCs)
  All 53 IoCs are "Set value (str)" writes to the same value:
  \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiiuy
  The data is always "C:\\Users\\Admin\\wiiuy.exe" followed by a single-letter switch, e.g. "C:\\Users\\Admin\\wiiuy.exe /B". Switches in report order (each written by wiiuy.exe, except the one marked *, which was written by 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe):
  /B /c /s /v /U /A /M /X /T /o /D /r /K /z /J /P /w /e /N /j /x /h /q /Z /I /n /a /R /H /i /Q /F /g /b /k /V /S /y /Y /W /O /L /G /E /u /v* /p /m /f /l /C /t /d
  Since every write targets the same string value, only the last write survives in the hive; the 53 entries record the sample repeatedly rewriting its own Run entry with a different switch, not 53 separate persistence points.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3680 | 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe (2 entries)
  1540 | wiiuy.exe (remaining 62 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3680 | 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe
  1540 | wiiuy.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3680 wrote to memory of 1540 | 3680 | 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe | 88
  (the same parent-to-child write is recorded three times)
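The signature tables above arrive flattened, and what a responder usually wants from them is the registry artefacts in a SID-independent form that can be hunted on other hosts, plus a quick classification of which process did what. The following Python is an added example, not part of the sandbox report or of the sample: it parses IoC lines in the report's own "description ioc Process" text form (the line grammar is an assumption taken from this page), normalises the \REGISTRY\USER\<SID> prefix to HKCU, classifies the events into the three registry behaviours flagged above (Run-key persistence, ShowSuperHidden = 0, Geo\Nation lookup) and emits `reg query` commands for them. The sample lines are constructed input copied from this page with the sandbox's escaping kept; only two of the 53 Run-key writes are included.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: IoC lines copied from the signature tables on this page,
# in the flat "description ioc Process" text form, sandbox escaping preserved.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wiiuy.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiiuy = "C:\\Users\\Admin\\wiiuy.exe /B" wiiuy.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiiuy = "C:\\Users\\Admin\\wiiuy.exe /v" 178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe',
]

# Line grammar is an assumption derived from the text on this page, not a documented format.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
QUERY_RE = re.compile(r"^Key value queried (\\REGISTRY\\.+) (\S+)$")
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryEvent:
    action: str            # "set" or "query"
    key: str               # key path as the sandbox reports it (\REGISTRY\USER\<SID>\...)
    value_name: str        # value under that key
    data: Optional[str]    # data written, sandbox escaping removed; None for queries
    process: str           # image name that performed the operation

    def hkcu_key(self) -> str:
        # Replace the per-user hive prefix with HKCU so the path can be hunted on any host.
        m = USER_HIVE_RE.match(self.key)
        return "HKCU\\" + self.key[m.end():] if m else self.key


def parse_ioc(line: str) -> RegistryEvent:
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        _kind, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")
        # The sandbox doubles backslashes inside quoted data; undo that.
        return RegistryEvent("set", key, name, data.replace("\\\\", "\\"), proc)
    m = QUERY_RE.match(line)
    if m:
        path, proc = m.groups()
        key, _, name = path.rpartition("\\")
        return RegistryEvent("query", key, name, None, proc)
    raise ValueError(f"unrecognised IoC line: {line!r}")


def split_command(data: str) -> tuple[str, str]:
    # Run value data on this page is "<image> /<letter>"; separate image from switch.
    image, sep, tail = data.rpartition(" ")
    if sep and tail.startswith("/"):
        return image, tail
    return data, ""


def analyze(lines: list[str]) -> dict:
    """Classify parsed events into the three registry behaviours this report flags."""
    run_images: dict[str, set[str]] = defaultdict(set)   # image path -> processes writing it
    switches: set[str] = set()
    super_hidden_off: set[str] = set()
    geo_lookup: set[str] = set()
    for ev in map(parse_ioc, lines):
        key = ev.hkcu_key().lower()
        if ev.action == "set" and key.endswith("\\currentversion\\run"):
            image, switch = split_command(ev.data)
            run_images[image].add(ev.process)
            if switch:
                switches.add(switch)
        elif (ev.action == "set" and key.endswith("\\explorer\\advanced")
              and ev.value_name == "ShowSuperHidden" and ev.data == "0"):
            super_hidden_off.add(ev.process)
        elif (ev.action == "query" and key.endswith("\\international\\geo")
              and ev.value_name == "Nation"):
            geo_lookup.add(ev.process)
    return {
        "run_key_images": dict(run_images),
        "run_key_switches": switches,
        "super_hidden_disabled_by": super_hidden_off,
        "geo_lookup_by": geo_lookup,
    }


def hunt_commands(lines: list[str]) -> list[str]:
    """One SID-independent `reg query` per value the sample wrote, deduplicated, in report order."""
    cmds: list[str] = []
    for ev in map(parse_ioc, lines):
        if ev.action != "set":
            continue
        cmd = f'reg query "{ev.hkcu_key()}" /v {ev.value_name}'
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_IOCS).items():
        print(f"{name}: {value}")
    print("\n".join(hunt_commands(SAMPLE_IOCS)))
```

HKCU resolves to whichever user runs the query, so the emitted commands must be run in each user's session (or against a loaded copy of that user's NTUSER.DAT); on a multi-user host the SID-specific paths from the report only apply to the sandbox's own profile. A hit on the Run value should be followed by hashing the image it points to, since the report shows the Run data being rewritten repeatedly and only the final write is what persists.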
Processes

- C:\Users\Admin\AppData\Local\Temp\178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe (PID 3680)
  command line: "C:\Users\Admin\AppData\Local\Temp\178f7c6e0d24d077a073620e39bd3fa6_JaffaCakes118.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\wiiuy.exe (PID 1540, child of 3680)
    command line: "C:\Users\Admin\wiiuy.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 124KB
- MD5: 3f8baed149392e55a967945c2da0f253
- SHA1: fac41386996298239fdb8a600f5dc640df1babaf
- SHA256: b67a7ee35fedefcad30b3e8f2723080986174dbd42e3ec9f0c1be3603ff7deae
- SHA512: 12df23dcb3e6a3c8bc1237c68ca4bb598ecfa369e54bc8ddb1886eaa784f37fde008b62ad2bce36d4654cd4da0fba447c9de4425057101560e1c89eb32024845

This download has the same size as the submitted sample but different hashes; the report does not name the file.