Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 05:40
Static task: static1
Behavioral task: behavioral1 (sample 18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample 18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe, resource win10v2004-20240508-en)
The signatures and process tree below are from the behavioral1 run (platform windows7_x64, resource win7-20240221-en, as listed in the header).
General
Target: 18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe
Size: 224KB
MD5: 18fc883fbefe0e16903943cc4b41ca34
SHA1: e0a3803d8679b6080c7b9da0faa4ded71d79f3e3
SHA256: 2fc8a697ccae860d2190a40529cf7441aaa0e2a449ee96cf9ffb4f419a20b8fa
SHA512: 6c3510de927b4c2036a69ef7721e379d7138d496202a58205d3fb56ddfb2251f033ff12aa1143d1ac486f7064a34498095647778ab0780ea0c14e20a57682efb
SSDEEP: 1536:ZXOXpjuhFDeZT2shQBTpgqeXmRucvQydhfYOzbNj:YeeZq0chf
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  process: rkqioj.exe
  ShowSuperHidden is the per-user Explorer setting that controls display of protected operating-system files (files carrying the system attribute); "0" hides them. The report records only this registry write; it does not show whether the dropped rkqioj.exe is itself given hidden or system attributes.
Executes dropped EXE (1 IoC)
  PID 1768  rkqioj.exe
Loads dropped DLL (2 IoCs)
  PID 3048  18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe (2 occurrences)
Adds Run key to start application (2 TTPs, 52 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\rkqioj = "C:\\Users\\Admin\\rkqioj.exe /<switch>"  process: rkqioj.exe
  All 52 IoCs are writes to the same value name (rkqioj) under the user's Run key. The command line differs only in the trailing single-letter switch, which cycles through every letter of a-z and A-Z; in the order observed: /u /y /E /P /C /U /H /g /v /T /o /a /V /n /Q /X /j /i /b /q /Y /W /A /O /e /S /t /l /R /w /B /h /L /J /f /M /N /s /D /p /k /Z /F /z /I /d /m /x /c /G /r /K. The persistence artifact to look for on a host is therefore a single HKCU Run value named rkqioj pointing at C:\Users\Admin\rkqioj.exe, whatever switch it currently carries.
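The two registry changes above (the ShowSuperHidden write and the repeated Run-key writes) are the host artifacts worth checking for. As an added example, not code from the sandbox, the report or the analyzed sample, the following Python parses "Set value" IoC text in the flattened one-line form this report prints, collapses repeated writes to one value into a single group, and applies two checks: a Run value whose image is outside Program Files or Windows, and ShowSuperHidden set to "0". The rkqioj lines in the sample input are copied from the signatures above; the single OneDrive entry is a constructed benign case, and the trusted-directory list is an assumption for the example.

```python
"""Parse flattened 'Set value' registry IoCs (as printed in this report) and
flag the two persistence-related changes the sample makes.

Added example; not part of the sandbox report or the analyzed sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the ShowSuperHidden write and three of the 52
# Run-key writes copied from this report, plus one constructed benign Run
# entry (not from the report) so the trusted-directory check has a negative case.
SAMPLE_IOC_TEXT = (
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rkqioj.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\rkqioj = "C:\\Users\\Admin\\rkqioj.exe /u" rkqioj.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\rkqioj = "C:\\Users\\Admin\\rkqioj.exe /y" rkqioj.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\rkqioj = "C:\\Users\\Admin\\rkqioj.exe /E" rkqioj.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" explorer.exe'
)

# One IoC: kind, full value path, quoted data (backslashes and quotes inside the
# data are backslash-escaped in the report text), then the writing process.
IOC_RE = re.compile(
    r'Set value \((?P<kind>\w+)\) '
    r'(?P<path>\\REGISTRY\\\S+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" '
    r'(?P<proc>\S+)'
)

# Assumed trusted image locations for the Run-key check (lower-cased prefixes).
TRUSTED_PREFIXES = ('c:\\program files\\', 'c:\\program files (x86)\\', 'c:\\windows\\')
RUN_KEY_SUFFIX = '\\software\\microsoft\\windows\\currentversion\\run'
ADVANCED_KEY_SUFFIX = '\\explorer\\advanced'


@dataclass(frozen=True)
class RegistryWrite:
    kind: str
    key: str
    value_name: str
    data: str
    process: str


def parse_registry_writes(text: str) -> list[RegistryWrite]:
    """Extract every 'Set value' entry from flattened report text."""
    writes = []
    for m in IOC_RE.finditer(text):
        key, value_name = m.group('path').rsplit('\\', 1)
        data = re.sub(r'\\(.)', r'\1', m.group('data'))  # undo \\ and \" escaping
        writes.append(RegistryWrite(m.group('kind'), key, value_name, data, m.group('proc')))
    return writes


def summarize_writes(writes):
    """Collapse repeated writes to the same value into (count, distinct data)."""
    groups = defaultdict(list)
    for w in writes:
        groups[(w.key, w.value_name)].append(w.data)
    return {k: (len(v), sorted(set(v))) for k, v in groups.items()}


def command_image(cmd: str) -> str:
    """Image path of a Run command line: the quoted token, or (like CreateProcess
    on an unquoted path with spaces) the shortest space-delimited prefix ending in .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split(' ')
    for i in range(1, len(parts) + 1):
        candidate = ' '.join(parts[:i])
        if candidate.lower().endswith('.exe'):
            return candidate
    return parts[0]


def detect(writes):
    """Apply the two checks to the grouped writes; returns a list of findings."""
    findings = []
    for (key, name), (count, datas) in summarize_writes(writes).items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            images = sorted({command_image(d).lower() for d in datas})
            untrusted = [i for i in images if not i.startswith(TRUSTED_PREFIXES)]
            if untrusted:
                findings.append({'rule': 'run_key_untrusted_image', 'value': name,
                                 'image': untrusted[0], 'writes': count})
        elif k.endswith(ADVANCED_KEY_SUFFIX) and name.lower() == 'showsuperhidden' and '0' in datas:
            findings.append({'rule': 'super_hidden_disabled', 'value': name,
                             'image': None, 'writes': count})
    return findings


if __name__ == '__main__':
    for finding in detect(parse_registry_writes(SAMPLE_IOC_TEXT)):
        print(finding)
```

Fed the full "Adds Run key" text from this report, the 52 writes collapse to one group for the rkqioj value with 52 distinct command lines but a single image path, which is what the Run-key check reports; the ShowSuperHidden write produces the second finding. The grouping is the point: per-write alerting on this sample would fire 52 times for one artifact.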
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1768  rkqioj.exe (all 64 occurrences)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3048  18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe
  PID 1768  rkqioj.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3048 (18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe) wrote to memory of PID 1768 (rkqioj.exe), procid_target 28: 4 events
  PID 1768 (rkqioj.exe) wrote to memory of PID 3048 (18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe), procid_target 27: the remaining 60 listed events
  The writes run in both directions: the submitted sample writes into the child it launched, and the dropped child then repeatedly writes back into its parent.
Processes
C:\Users\Admin\AppData\Local\Temp\18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18fc883fbefe0e16903943cc4b41ca34_JaffaCakes118.exe"
  PID: 3048
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\rkqioj.exe (child of PID 3048)
    command line: "C:\Users\Admin\rkqioj.exe"
    PID: 1768
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224KB
MD5: 9deb244abfa15a4f2a7a8d4925114da6
SHA1: 83c7a0ce03300af3ae6930f92e02cb851e379280
SHA256: e23e6c9642b9d458be2a0c7ef4cca989cfb996d07d41d87bf272d4313b9d8cd4
SHA512: 93ea2042165fbbb142a465572fccd57054802369ca3559f9009c1d148f36e4bdd9d6cba31c1fce41542d1d2adf6b5805b28d2f39db7244da4281055b08b9c526
This file has the same size as the submitted sample (224KB) but different hashes; the report does not name it, so do not assume it is the dropped rkqioj.exe without checking.