Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10-07-2024 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
Size: 100KB
MD5: 36658031885947b34da48b909a6297f2
SHA1: 714e3b6a17adc6e78ad5c78350ef09bff4a6f435
SHA256: 40fd9d7eb14df4a1d1c8fadddfaf49e9b430c36f8d2e88425bef65b5d2e1c6d4
SHA512: a202cd485b8c33ee7bdc56e7e954a675c288d070020705247484e99b16bb2f312d3e713e82af2dcfedb75dde3a0a89130f7ad604ce8bfc19f17fa478b8d65f4b
SSDEEP: 1536:dttGG82NTzw5MGAc4ohrPXo+73Rez8b0SyKNIjnZrJ:lwgurPX7CKCnlJ
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yeieji.exe
- Executes dropped EXE (1 IoC)
Processes:
PID | Process
820 | yeieji.exe
- Loads dropped DLL (2 IoCs)
Processes:
PID | Process
1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 53 IoCs)
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
PID | Process
1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
820 | yeieji.exe (this entry appears 63 times in the report)
- Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
PID | Process
1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe
820 | yeieji.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
Description | PID | Process | Target process
PID 1688 wrote to memory of 820 | 1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe | yeieji.exe
PID 1688 wrote to memory of 820 | 1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe | yeieji.exe
PID 1688 wrote to memory of 820 | 1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe | yeieji.exe
PID 1688 wrote to memory of 820 | 1688 | 36658031885947b34da48b909a6297f2_JaffaCakes118.exe | yeieji.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\36658031885947b34da48b909a6297f2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\36658031885947b34da48b909a6297f2_JaffaCakes118.exe"
   PID: 1688
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\yeieji.exe (depth 2, child of the process above)
      Command line: "C:\Users\Admin\yeieji.exe"
      PID: 820
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 100KB
MD5: 237c044a78ccd0345fab21daa572946d
SHA1: 6fec6525abc189f18c7ba684d2dc8e57e400d623
SHA256: 6d4709ec890a6d57af413592d0f34348d8d015ea111b19808dc531617f7d543f
SHA512: 989bf716351607168bd46814050393f1056bbf40fa5e18d0dce7719d0607e04e3c2be7eabbf6cb5fed6e6a8663e76f48dd1f911083754c8fd158ebb56f65d4ae