9a45b9d9372c94699693d5798b357311e6bc648e8a7d9ce2ea094caf22c02af1

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe
Size

176KB
MD5

46b5485a2badc8a8d49962aef23ebf61
SHA1

8cc9bd937b036fc5fe270c81433e55b9906e2c07
SHA256

9a45b9d9372c94699693d5798b357311e6bc648e8a7d9ce2ea094caf22c02af1
SHA512

1ccb2d54c787a39bb275a4ce9c8d498646c724fb7a2f6ba27e2d32bf54238432e247b55d0ff0ee9169f683d43fda8b8de1f7932fe28c313746657ab5172728cc
SSDEEP

1536:q9BkKaEKrGayc7nRobksF//gYWftTV/b6GZIhdf96K0USn:weKaRrGar7nRobksF/oY4V/b6GZG6K0

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wofor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	wofor.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /Q"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /r"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /a"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /t"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /l"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /Y"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /v"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /D"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /k"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /s"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /f"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /o"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /c"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /p"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /z"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /A"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /U"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /j"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /u"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /Z"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /e"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /n"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /M"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /m"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /J"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /K"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /G"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /d"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /E"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /w"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /I"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /i"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /R"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /C"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /h"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /W"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /B"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /N"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /P"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /O"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /q"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /b"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /y"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /T"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /V"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /g"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /S"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /X"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /L"	wofor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofor = "C:\\Users\\Admin\\wofor.exe /F"	wofor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe
3868	wofor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4720	46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe
3868	wofor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3868	4720	46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe	86
PID 4720 wrote to memory of 3868	4720	46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe	86
PID 4720 wrote to memory of 3868	4720	46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe	86
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82
PID 3868 wrote to memory of 4720	3868	wofor.exe	82

C:\Users\Admin\AppData\Local\Temp\46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\46b5485a2badc8a8d49962aef23ebf61_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\wofor.exe
  "C:\Users\Admin\wofor.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wofor.exe

Filesize
176KB

MD5
de4f58142a8d27626c921740e45ad437

SHA1
b4b5d83042f6bee903122b3ac987ad42d2d10f7c

SHA256
8fd0c3a1a0223994c25e2efa99d7f269e23a4ccf680af69f59028b13e606dff2

SHA512
eb5d1c8d011b131bb6237d94901f246a9acc9303e12a08e4f9db2d635bf4b680c6e69259b6d980676af7d7f79b5be227d31636706c7e2cb57f027d202471f355

Download Submit