f1871deb52cc79a570c99186dead646b90ae2b65c5e76ee3d845af5540597133

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 10:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
Size

100KB
MD5

414335118db9b82a72c29186633b02ab
SHA1

15587952bd85191e3ed7f2407552b0c05f1d929c
SHA256

f1871deb52cc79a570c99186dead646b90ae2b65c5e76ee3d845af5540597133
SHA512

de39a02ca44fc31551ae139b179369a0673bde075ab785ac076691d6db3045880328b35a9099c34f37bb26ed3800c48e9e58ba901bee1d7dea474a009f083f99
SSDEEP

1536:w+Wa6cX220mQcx2xJKIRGWcOUP7vXArnY1ZqAefzyes5NIjnZB9:ttvQcxlNAfzyeuCnr9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	voeemu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	voeemu.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /e"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /C"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /R"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /i"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /V"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /k"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /J"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /O"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /o"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /u"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /X"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /a"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /z"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /r"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /n"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /E"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /y"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /c"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /I"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /W"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /Z"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /m"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /U"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /M"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /h"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /v"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /p"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /H"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /L"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /S"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /g"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /R"	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /t"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /K"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /s"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /j"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /N"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /q"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /B"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /Q"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /P"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /T"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /G"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /D"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /d"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /x"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /F"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /Y"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /b"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /A"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /w"	voeemu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeemu = "C:\\Users\\Admin\\voeemu.exe /f"	voeemu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe
2868	voeemu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
2868	voeemu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2868	1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe	31
PID 1944 wrote to memory of 2868	1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe	31
PID 1944 wrote to memory of 2868	1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe	31
PID 1944 wrote to memory of 2868	1944	414335118db9b82a72c29186633b02ab_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\414335118db9b82a72c29186633b02ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\414335118db9b82a72c29186633b02ab_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\voeemu.exe
  "C:\Users\Admin\voeemu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\voeemu.exe

Filesize
100KB

MD5
b9975a6981a9574d4f961fa1756d1af9

SHA1
7005d5a3ea0f1e7a5a36000ea1e785a1767b47df

SHA256
569394bc4923fec32302eb45f0fcc2aefe33528439ad93865c6068f62ca0d2b1

SHA512
29ff198de7e9ac9c1fdc6f42a6cfb803a71b14fc7bc368946290cba61cf5e8a637ad540f153c95885af7fe812d7123e1577c61a48781f31ed2106b0ba92d2110

Download Submit