Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 08/07/2024, 19:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe
Size: 224KB
MD5: 2d9ad1c95a4f9a2be538695e6c0d5408
SHA1: 0a7014f637eeb74a48cb5415d948e5876b7d4f65
SHA256: 30b07540ccccae550572b36398b5069f24083b416e63f62dea9121d30a101305
SHA512: f9fd7d2e8e7400bf8eab8be8bf22e62688bb51c03c8123cc7a72881d2c821f3dab2bdddfe4d21726a0ca6d221a8c03e201200a7ca38d009fab885d13d63d506e
SSDEEP: 6144:lnwOzydERpZDRZDI1/3W6EBZB07msnNJMhYq95uKLK:lnwO2OV/sJyBZK7nnNihYOuKL
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: kiafouq.exe
Executes dropped EXE (1 IoC)
  pid 760, process kiafouq.exe
Loads dropped DLL (2 IoCs)
  pid 2280, process 2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe (two identical entries)
Adds Run key to start application 2 TTPs 51 IoCs
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 760, process kiafouq.exe (the same entry repeated 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2280, process 2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe
  pid 760, process kiafouq.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2280 (2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe) wrote to memory of PID 760, procid_target 28 (the same entry repeated 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2d9ad1c95a4f9a2be538695e6c0d5408_JaffaCakes118.exe"
   PID: 2280
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\kiafouq.exe (child of 1)
      command line: "C:\Users\Admin\kiafouq.exe"
      PID: 760
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224KB
MD5: 2f8b8a3a31af02d415c7d4263b5c63f6
SHA1: c592a7656a4c200fffc173ad1a57e45e17ff3bcd
SHA256: 0c2fb0ebd9f24a78e979bb522d020b5291c090b3a1f5152d2b6ebc5ba5996d7c
SHA512: f9881cb71a91ef301bf1510bf866efb35e53dc9b130889b498a134ba3cb8d821d22ac76d6e7142ac5a60cc555cc21d85dd1677e758bfd26116b1edb25c80f27b