Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 18:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
Size: 80KB
MD5: 3e77fb06c681685797d03d4b56050380
SHA1: 7c782532acd7c6c665c2951c1093a2ecdcd3cd42
SHA256: 1bfabbd6a698f9cbe4b0dae3f2119d190902766fc10a69a4ee5bd3a5773a1b82
SHA512: eca52fb9ad9c14393d41d25b848075ba2df5299ab332fcfc7a235e0b4d905cd7ea6ea4af359930aece21e51bd027f0dccf507a47fa3ea235d75b1992b6d92cfb
SSDEEP: 768:mT9BZytGl2wKCq4j4NAis0AbbNXYXQpA2jLw4VnQP87gC7xlRPbE9xm1pSqRWGu6:mzZyv4bTOi0ZbL/7+qkwm3yo+Z0p
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: couexof.exe
- Executes dropped EXE (1 IoC)
  pid 2720  Process couexof.exe
- Loads dropped DLL (2 IoCs)
  pid 1488  Process 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  pid 1488  Process 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\couexof = "C:\\Users\\Admin\\couexof.exe"
  Process: couexof.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 264  pid_target 1488  Process WerFault.exe  procid_target 29
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2720  Process couexof.exe (all 64 entries name this same process)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1488  Process 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  pid 2720  Process couexof.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  The 64 entries consist of four distinct rows (description / pid / Process / procid_target), each repeated:
  PID 1488 wrote to memory of 2720 / 1488 / 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe / 30
  PID 1488 wrote to memory of 264 / 1488 / 3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe / 31
  PID 2720 wrote to memory of 1488 / 2720 / couexof.exe / 29
  PID 2720 wrote to memory of 264 / 2720 / couexof.exe / 31
Processes
- C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e77fb06c681685797d03d4b56050380_JaffaCakes118.exe"
  PID: 1488
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\couexof.exe
    Command line: "C:\Users\Admin\couexof.exe"
    PID: 2720
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 780
    PID: 264
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: a4ec97040b6948d4739f64a3538bb48d
  SHA1: 717db93d1f8d44228908c8289ad19b65ef706f68
  SHA256: 5a348d79d6dd8b92bd39521c11d95c0d2984469507906dc96c097612bafad8de
  SHA512: 0bef8982e69f57266d70969ab802154204bbe22dcc28a71da6f54a61b3a3c7dbbc9438020e2c5d57064e5ffd8a431013c3a1fc68c6ce954425c38536514d4b80