Analysis
max time kernel: 149s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
Size: 248KB
MD5: 36641b0a718d811e74fde8ef7dd0ed32
SHA1: 8426c305ac2e732f643d4e1357b57353f7e25e30
SHA256: fe87a12f6e6195ea889f8f8f1f0f48c9cb8c75bf9bc678e1130dd8451b13cc32
SHA512: e7048deb5c4a3fe0e2d0f0890ac369f64d62c46166bdd8a9203bb7030b3b721b172f61f149279b045d97ba46b0ef35baf2a09e062f730a6bc522532d81d3b0d6
SSDEEP: 6144:dvM5CElofkFWQPtnRneqAKnvmb7/D269fgwMty0e6ndv0DO:dE5CLkFfnRnWKnvmb7/D26qndv0DO
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wiuwo.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
804 | wiuwo.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /y" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /N" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /Q" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /X" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /m" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /t" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /b" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /j" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /u" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /o" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /e" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /s" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /J" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /S" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /d" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /T" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /i" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /V" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /h" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /F" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /M" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /W" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /a" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /K" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /B" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /Y" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /n" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /f" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /z" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /U" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /E" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /r" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /c" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /w" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /L" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /O" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /C" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /k" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /R" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /I" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /D" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /p" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /N" | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /G" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /Z" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /l" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /H" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /g" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /v" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /P" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /q" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /A" | wiuwo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wiuwo = "C:\\Users\\Admin\\wiuwo.exe /x" | wiuwo.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid | process
5072 | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
804 | wiuwo.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 5072 wrote to memory of 804 | 5072 | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe | wiuwo.exe
PID 5072 wrote to memory of 804 | 5072 | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe | wiuwo.exe
PID 5072 wrote to memory of 804 | 5072 | 36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe | wiuwo.exe
Processes
C:\Users\Admin\AppData\Local\Temp\36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36641b0a718d811e74fde8ef7dd0ed32_JaffaCakes118.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5072
  C:\Users\Admin\wiuwo.exe
    Command line: "C:\Users\Admin\wiuwo.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 804
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 248KB
MD5: 23554240e5e8bb49f6e92172cbda3144
SHA1: eddbc8a76800b88dcfd775d8c8b87e912a54fcef
SHA256: 4cca4156691c584747ae9ecf2910a576413f1a0b896658d43c1b05ab41c60960
SHA512: 61b23cec3ff60c5cbdda8dc0bbf8b99b3253032dcdb8a7029c65eff9043ae777c20f10f3fa9bec8cf4c2162bcc89bbdb7b04a08fb13476cfefa8c7717b592bb7