9b3715d5a9113b0d6db0f0fb5e35a75b74db18c8eeb0b2a851634279e153dd2a

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 13:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
Size

264KB
MD5

22792ae5942d52ddd9d364d43102b07f
SHA1

0625e734a8e3ee6d469445b4df0c063b26845eda
SHA256

9b3715d5a9113b0d6db0f0fb5e35a75b74db18c8eeb0b2a851634279e153dd2a
SHA512

d5f4cdf22ed6222cf83b2d9afa99c9875f61d5fe5360fe4e2863e0036d8021cf33f8670ca1302063466df048790b8ebbb9c4c04e9d18ab005635933f4c759d56
SSDEEP

3072:7wwQcqsOxH82IDyG2pfr4GNLzECcKIvMBSYWunCvPQiwhjXH1WkaBx5/lvnjLYad:MwQ3sOxc9Ic6OLynWunzXH1W9r3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buidea.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	buidea.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /L"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /V"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /e"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /E"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /A"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /F"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /s"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /v"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /g"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /R"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /H"	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /z"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /X"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /N"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /D"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /i"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /o"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /J"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /H"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /l"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /I"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /f"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /t"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /j"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /r"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /w"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /b"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /m"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /y"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /Y"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /k"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /C"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /a"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /G"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /U"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /d"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /Z"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /M"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /T"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /S"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /P"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /p"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /u"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /W"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /Q"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /c"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /q"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /B"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /n"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /O"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /x"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /K"	buidea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\buidea = "C:\\Users\\Admin\\buidea.exe /h"	buidea.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe
2740	buidea.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
2740	buidea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2740	2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2740	2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2740	2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2740	2908	22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\buidea.exe
  "C:\Users\Admin\buidea.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

DNS

ns1.player1352.com

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

ns1.player1352.com

IN A

Response
DNS

ns1.player1352.net

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

ns1.player1352.net

IN A

Response

ns1.player1352.net

IN A

107.178.223.183

ns1.player1352.net

IN A

104.155.138.21

107.178.223.183:8000

ns1.player1352.net

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

512 B
412 B
11
10

8.8.8.8:53

ns1.player1352.com

dns

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

64 B
137 B
1
1

DNS Request

ns1.player1352.com
8.8.8.8:53

ns1.player1352.net

dns

22792ae5942d52ddd9d364d43102b07f_JaffaCakes118.exe

64 B
96 B
1
1

DNS Request

ns1.player1352.net

DNS Response

107.178.223.183

104.155.138.21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\buidea.exe

Filesize
264KB

MD5
261a227b38272c443098ad65c758d7bb

SHA1
3791a44dcd70653dc2ccd336945cec4ea99af343

SHA256
222b8a9e460f70378a08cf5e4534ddf006f9144629371c2af6ac5da5a40ffc4b

SHA512
9d74a5beb23fea4af21b2e848d9603b5f6ebe8d1e1d6e1b309d7dd1a24d1de6868a9119b8b5f014530364654282a54e14930a48717e9632c58319cee589a17b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.