Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11-07-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
Size: 104KB
MD5: 38dd5fbd38760238da1738417f83e10b
SHA1: c8dae99170df270dfcada29328a8c12144d9e197
SHA256: d7300f700927b397efa4381af2a7f5f2b840701a6b19aee055a4d69ac16741c2
SHA512: 0e4f706aedf65371f8cb91cc00709b6756ec74d731b4692a40934923f1021dc8e82a4aff4ccf01a7464ddc894d619bc554c2e7557dec195607c91a2bd5129f52
SSDEEP: 1536:VP1L/lgjJ8iHycDEJfNOPcDGwSgRouYmvqwMew7db/02u+bk/krBNIjnZd8:LNiHyc0m/3Zu+bk2Cnf8
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  tivor.exe
-
Executes dropped EXE 1 IoCs
pid Process
2840  tivor.exe
-
Loads dropped DLL 2 IoCs
pid Process
2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /t"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /A"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /X"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /j"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /U"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /c"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /W"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /k"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /B"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /b"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /g"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /J"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /T"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /H"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /K"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /P"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /e"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /E"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /Q"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /S"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /M"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /f"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /d"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /y"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /N"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /G"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /o"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /j"  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /O"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /Z"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /m"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /z"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /p"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /D"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /v"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /l"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /R"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /a"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /x"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /C"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /n"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /r"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /s"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /w"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /h"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /Y"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /q"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /V"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /i"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /F"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /u"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /I"  tivor.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\tivor = "C:\\Users\\Admin\\tivor.exe /L"  tivor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
2840  tivor.exe (repeated for every remaining hit; 64 IoCs in total)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
2840  tivor.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2860 wrote to memory of 2840  2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe  29
PID 2860 wrote to memory of 2840  2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe  29
PID 2860 wrote to memory of 2840  2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe  29
PID 2860 wrote to memory of 2840  2860  38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe  29
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\38dd5fbd38760238da1738417f83e10b_JaffaCakes118.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2860
  Level 2 (child of PID 2860): C:\Users\Admin\tivor.exe
  Command line: "C:\Users\Admin\tivor.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2840
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 104KB
MD5: be11117a6a5375caa5b2f9ba7c3f0d3f
SHA1: 235d87ff7196eab02621bb8f5c63bddeccd80daa
SHA256: f744e01f2419f48d5117c38dfb08b49b6e80d9e7019f293867b94c2f68dd2c62
SHA512: e922147f0fd67e1105fd1b63a95214f335587a12b144a586f446c7e4f32aa15001df50fb8ac7062b128eb15ce7368418dddc6861c02e05d842e4f0fab7747b57