Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 21:10
Static task: static1
Behavioral task: behavioral1
  Sample: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
- Target: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
- Size: 264KB
- MD5: 366525c0bb1391e1642d3904f6d2565d
- SHA1: da28048168cbd59b82406fc911d488c9ee9ee3c3
- SHA256: 41c2c0740c7821f19b8d3f492ef37d6f3572386f8f2f8acba7aefb2dae055c48
- SHA512: 0bcc3b3f8664c52918df410702d71c2044e5bd051a42e7ed4763b26f4b6fac046e6fa889d0fd405eb1a2a9f76565eb3ce50ea5f30b3d680c30fd35414a0dd295
- SSDEEP: 6144:ZrrXI/3JJYHyxyIuEA4aZM9DRruwcu3zCCvQe:FrXcvHVzKu3zCCvQe
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe, naumul.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | naumul.exe
-
Executes dropped EXE 1 IoCs
Processes: naumul.exe
pid | process
2428 | naumul.exe
-
Loads dropped DLL 2 IoCs
Processes: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
pid | process
496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 50 IoCs
Processes: naumul.exe, 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
Registry key for all 50 entries: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\naumul
description | ioc (value written) | process
Set value (str) | "C:\\Users\\Admin\\naumul.exe /X" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /j" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /Z" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /N" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /P" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /m" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /e" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /v" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /U" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /x" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /M" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /V" | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /o" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /R" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /Y" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /a" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /f" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /q" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /z" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /d" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /B" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /K" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /G" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /g" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /A" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /C" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /E" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /F" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /L" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /Q" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /W" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /s" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /D" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /c" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /V" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /i" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /O" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /y" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /h" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /J" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /H" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /w" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /u" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /S" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /b" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /n" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /T" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /r" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /I" | naumul.exe
Set value (str) | "C:\\Users\\Admin\\naumul.exe /t" | naumul.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe, naumul.exe
pid | process
496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
2428 | naumul.exe (63 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe, naumul.exe
pid | process
496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
2428 | naumul.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes: 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
description | pid | process | target process
PID 496 wrote to memory of 2428 | 496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe | naumul.exe
PID 496 wrote to memory of 2428 | 496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe | naumul.exe
PID 496 wrote to memory of 2428 | 496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe | naumul.exe
PID 496 wrote to memory of 2428 | 496 | 366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe | naumul.exe
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\366525c0bb1391e1642d3904f6d2565d_JaffaCakes118.exe"
  PID: 496
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 496): C:\Users\Admin\naumul.exe
    Command line: "C:\Users\Admin\naumul.exe"
    PID: 2428
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 264KB
MD5: c2da7578ed73833f1b54809912e3a214
SHA1: 688ec4fe4a068395e618ee71abc1099592424470
SHA256: d83a0329f1d6c7b626043e1db91a38379dbc45694c9d660806d44aaab4d9e7eb
SHA512: 7117ac1774baf1fadc247ddc8e253434398001845f9211a9ed03168d8356ab7bc6341a21b4e8768d4a0bc06fbb356dbd85ad65bc61e209900ee83c2c9a342439