Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system -
submitted
15/07/2024, 21:34
Static task
static1
Behavioral task
behavioral1
Sample
4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
-
Size
124KB
-
MD5
4b7f6980289eb51a9ee7fba4b3832dd7
-
SHA1
795d98c80fafc8400f133f5f6cad25c49dade152
-
SHA256
b259b0bc0f1bbc43a2f9f794d094a0090b56b44dd20a2582c4ea29231829dd6f
-
SHA512
0c3b52707a54c40525e43b82665c6f237c1146dcbaa8f08e71c22e9f8612797d4907e1e9640e01f43efc5e63f9d5444df06da506773e109e4816182791323496
-
SSDEEP
1536:tIJ9pVABU0GgAYu0P1kNmwldCMhdu8KWP/nTn8nBP9Ve+NeG0h/x:49peBU0GgA892p
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  haofoog.exe -
Executes dropped EXE 1 IoCs
pid  Process
2708  haofoog.exe -
Loads dropped DLL 2 IoCs
pid  Process
2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description  ioc  Process
(all 52 writes target the same value, \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\haofoog; only the command-line switch and the writing process differ)
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /Y"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /o"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /e"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /B"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /x"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /G"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /K"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /D"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /f"  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /s"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /H"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /O"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /F"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /q"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /Q"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /J"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /c"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /t"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /N"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /L"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /v"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /g"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /h"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /P"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /y"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /S"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /E"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /Z"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /r"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /m"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /u"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /a"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /i"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /X"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /A"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /R"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /V"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /M"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /z"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /C"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /j"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /l"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /p"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /W"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /U"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /I"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /d"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /b"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /n"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /w"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /f"  haofoog.exe
Set value (str)  Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /k"  haofoog.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe  (1 event)
2708  haofoog.exe  (63 events) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid  Process
2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
2708  haofoog.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2696 wrote to memory of 2708  2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2708  2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2708  2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2708  2696  4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe  30
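As an added example (not part of the sandbox report and not the sample's own code): a Python script that parses registry-write records in the format the Signatures section uses and reduces them to the two facts that matter for triage. The Run-key writes land under \REGISTRY\USER\<SID>, which is the current user's HKCU hive, so the entry fires at that user's logon; the ShowSuperHidden = "0" writes tell Explorer to stop showing files that carry both the hidden and system attributes. The sample events are six of the report's own lines, embedded inline; the function names and the list of directories treated as "trusted" for an autorun binary are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: six registry-write records copied from the report's
# "Signatures" section (the report lists 52 Run-key writes and 2 ShowSuperHidden
# writes; all of them share this exact layout).
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" haofoog.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /f" 4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /Y" haofoog.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /o" haofoog.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\haofoog = "C:\\Users\\Admin\\haofoog.exe /e" haofoog.exe
"""

# One sandbox record: Set value (<type>) <key path> = "<data>" <writing process>
EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<process>\S+)$')
# Per-user autostart keys; \REGISTRY\USER\<SID> is what HKCU maps to for that user.
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$', re.I)
# Explorer setting controlling whether hidden+system ("super hidden") files are displayed.
SUPERHIDDEN_RE = re.compile(r'\\Explorer\\Advanced\\ShowSuperHidden$', re.I)
# Assumption for this example: autorun binaries are normally installed below these roots;
# an autorun pointing anywhere else (e.g. the user profile) deserves a look.
TRUSTED_DIRS = (r'c:\program files', r'c:\windows')


def parse_events(text):
    """Parse sandbox registry-write lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def split_command(data):
    """Split a stored Run value (the sandbox shows backslashes doubled) into
    (binary path with single backslashes, argument string)."""
    cmd = data.replace('\\\\', '\\')
    if cmd.startswith('"'):
        binary, _, args = cmd[1:].partition('"')
    else:
        binary, _, args = cmd.partition(' ')
    return binary, args.strip()


def find_run_key_persistence(events):
    """Return Run/RunOnce writes with value name, binary, switches, writing process,
    and a flag for binaries that live outside TRUSTED_DIRS."""
    hits = []
    for ev in events:
        m = RUN_KEY_RE.search(ev['path'])
        if not m:
            continue
        binary, args = split_command(ev['data'])
        hits.append({
            'name': m.group('name'),
            'binary': binary,
            'args': args,
            'process': ev['process'],
            'untrusted_location': not binary.lower().startswith(TRUSTED_DIRS),
        })
    return hits


def find_hidden_file_tampering(events):
    """Return writes that set ShowSuperHidden to 0, i.e. re-hide hidden+system files."""
    return [ev for ev in events
            if SUPERHIDDEN_RE.search(ev['path']) and ev['data'].strip('"') == '0']


def summarize(events):
    """Collapse the raw event list into the handful of facts an analyst records."""
    persistence = find_run_key_persistence(events)
    tampering = find_hidden_file_tampering(events)
    return {
        'run_entries': len(persistence),
        'run_binaries': sorted({p['binary'] for p in persistence}),
        'run_switches': sorted({p['args'] for p in persistence}),
        'run_setters': Counter(p['process'] for p in persistence),
        'untrusted_autoruns': sum(p['untrusted_location'] for p in persistence),
        'superhidden_disabled_by': sorted({ev['process'] for ev in tampering}),
    }


if __name__ == '__main__':
    for key, val in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f'{key}: {val}')
```

The point the summary makes visible is that the switch letter changes on every write while the value name (`haofoog`) and the binary path (`C:\Users\Admin\haofoog.exe`) never do, so a detection or a cleanup rule should key on the value name and the path under the user profile, not on the full command line.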
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b7f6980289eb51a9ee7fba4b3832dd7_JaffaCakes118.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID:2696
   2. C:\Users\Admin\haofoog.exe (child of PID 2696)
      Command line: "C:\Users\Admin\haofoog.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:2708
-
Network
MITRE ATT&CK Enterprise v15
Downloads (file written during the run; same 124KB size as the submitted sample, but different hashes)
-
Filesize
124KB
MD5 98c960e3c5f8dad2d5d70c372b18189c
SHA1 ad7e31c6365e7ed34a545aad8e45e5827667acef
SHA256 8b0bb63548f657f05dba626f10541b27ea6dcf102df2bf8fd22894d6c04d090b
SHA512 fb789064968b37917687b8cef7622107eac397eea73e69005fbd2582a0eb5b0a4fc6eb42e08ec4de6972fa951d6c84b27bec70c94f7526822e3f98ce757dcff9