f193dc85f37991a05c2d8cfd318bdf9d153c2ab567016ef41ab355a81a5f60c6

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
Size

308KB
MD5

4992bf5b5d68a4df486993aa742f69ca
SHA1

c6c009086f5ddda5dfe5124adfceede39b9a0fc9
SHA256

f193dc85f37991a05c2d8cfd318bdf9d153c2ab567016ef41ab355a81a5f60c6
SHA512

c5a0573a2ddecf2ef478a8c1680f9308f5ed66c1656e50b5f52f9e6a59d0f06c67dae2be707875522dd4219c387e28bab35f0521de4db80c14b308145da3fc61
SSDEEP

3072:Ev75FPhlOhiDqd1Hz0IeTsjXcvnHZi1r5w/ihLkbM6HVJMVH6JYTdUAgQxhOo9zE:IHZxGdlzkwDU4w/iyM6HG6JYxV2o6v

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hyquh.exe

Executes dropped EXE 1 IoCs

pid	Process
2920	hyquh.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /z"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /T"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /V"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /t"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /M"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /E"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /R"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /o"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /k"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /H"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /n"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /j"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /a"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /c"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /d"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /O"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /b"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /Q"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /q"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /S"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /P"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /W"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /N"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /h"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /g"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /J"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /L"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /C"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /z"	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /r"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /y"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /u"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /Y"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /Z"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /U"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /K"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /p"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /x"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /f"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /m"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /B"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /X"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /s"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /F"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /D"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /I"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /w"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /e"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /A"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /i"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /G"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /v"	hyquh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyquh = "C:\\Users\\Admin\\hyquh.exe /l"	hyquh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe
2920	hyquh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
2920	hyquh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2920	2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2920	2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2920	2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2920	2560	4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4992bf5b5d68a4df486993aa742f69ca_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\hyquh.exe
  "C:\Users\Admin\hyquh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hyquh.exe

Filesize
308KB

MD5
0b4f496b5dbcf0fb4a48205fe2a3f295

SHA1
dc26dd36871b1c514a230090949f6b33a5082bff

SHA256
4120b4a317198b45ff5e23c21c84bb55a7da861d71cab882c9a64c5b06f6c564

SHA512
f861f92ec9aeb24b59182eefd55bf06eec8baab856a8412e30059efdc2bcf8d3ce35516e646222c27fe36a4da4bb7192f7c943846b83b81b5547497fae16f5b5

Download Submit
memory/2560-0-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-9-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/2560-19-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2560-20-0x00000000029C0000-0x0000000002A0D000-memory.dmp

Filesize
308KB

Download
memory/2920-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2920-21-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download