4a3b8b3cc5c78af971470b45c4e49a7dbf01af80039b7c7db6f6c2913994e235

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 05:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
Size

160KB
MD5

2b22582e7a1387cd7ac75e214049886e
SHA1

01daba3b01ba182f549e28cf9b11afda975e56e8
SHA256

4a3b8b3cc5c78af971470b45c4e49a7dbf01af80039b7c7db6f6c2913994e235
SHA512

35065d53c71c95ae6843567f4c763c0f87e80719beb3458c357845b002a72f2213b3af7271abcec9f0671d8444bd56970dbcb34f3e31950f9f13b2fa92179d47
SSDEEP

3072:Ga5Xf+Dxj95Fbr2IsJ03CwLYwR49hPLd3BzK02Swq4lV34oQZiEh8:z5v+DbbrTw03rLlR4PLnh7w1rZWM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	roehua.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	roehua.exe

Loads dropped DLL 2 IoCs

pid	Process
1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /g"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /C"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /Q"	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /r"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /j"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /n"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /Q"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /U"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /u"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /R"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /f"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /W"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /Y"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /a"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /V"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /K"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /T"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /z"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /G"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /D"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /J"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /q"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /l"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /y"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /N"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /H"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /b"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /c"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /s"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /A"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /t"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /F"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /e"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /d"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /L"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /m"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /k"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /I"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /E"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /w"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /v"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /h"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /O"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /B"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /P"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /M"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /X"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /Z"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /x"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /o"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /S"	roehua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\roehua = "C:\\Users\\Admin\\roehua.exe /p"	roehua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe
2076	roehua.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
2076	roehua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2076	1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2076	1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2076	1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe	30
PID 1420 wrote to memory of 2076	1420	2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b22582e7a1387cd7ac75e214049886e_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\roehua.exe
  "C:\Users\Admin\roehua.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\roehua.exe

Filesize
160KB

MD5
8fc9f1bb4d708b3a61a9fe081db5756a

SHA1
30b9378058effd07e4f1f9d7ad286d596567e9b0

SHA256
ff89b6a1dd5ca9bc24a37de2581e8edfec945ab17b26f09c8600b9897c049d42

SHA512
d2657517d8d1d0c6a470034febe3c272b1738f235d92296828e6d65b5988612d8af811ec76d56ad5728665bde267a538ecbd7dfca70177cdee50baee3ec79e82

Download Submit
memory/1420-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1420-13-0x00000000027F0000-0x0000000002818000-memory.dmp

Filesize
160KB

Download
memory/1420-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2076-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2076-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download