Analysis

- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 12/07/2024, 22:37
Static task: static1

Behavioral task: behavioral1
- Sample: 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General

- Target: 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
- Size: 280KB
- MD5: 3f263a01112566fede6925cf41d3ab69
- SHA1: 0d6f3be6641c69934ba920a325c49373aff7ad8e
- SHA256: 61f6028c5cda2586d9555de043aeaadc94ffbf50e985fafb6fac686aec36f344
- SHA512: 7412813641d3620a1df9328dac7d80eb7aaa044b520737fe09893ba34c5736e2ea24b404dc82b11c4f9c4e26ab3e4c3988bffdb127b1c01a9c9808b441323d4a
- SSDEEP: 6144:SIYIpydVsZyxyK5R8GYKi1Xfvs1tzH51t+ewSReXNX/:WuydfiebOv
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | raaaxi.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2172 | raaaxi.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  3032 | 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe (x2)
- Adds Run key to start application (2 TTPs, 53 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3032 | 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
  2172 | raaaxi.exe (x63)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3032 | 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
  2172 | raaaxi.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3032 wrote to memory of 2172 | 3032 | 3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe | 30 (x4)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f263a01112566fede6925cf41d3ab69_JaffaCakes118.exe"
    PID: 3032
    - Modifies visibility of hidden/system files in Explorer
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\raaaxi.exe (depth 2, child of PID 3032)
      Command line: "C:\Users\Admin\raaaxi.exe"
      PID: 2172
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 280KB
- MD5: 567492dd671643526048e23d53f6c06c
- SHA1: dbeb9bac3377a1ab9d9c0404716b97829e9e1018
- SHA256: 6f9f2c7bb9358617056c2f3c862c3af34776699bf38fc8ee3945b9ee766b03fa
- SHA512: 12edf72a954c2600ec77d147ba4bdd0b97fce7c7f7c4b4560621e2607b4388962f729fee72a44ac5e5875eec22f6ff7336bac275cf2264b6b8e356a1d2763963