Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
16-07-2024 07:35
Static task
static1
Behavioral task
behavioral1
Sample
4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe
-
Size
124KB
-
MD5
4d5b1ca0fb75751024ad6f9f8fb9a72c
-
SHA1
0b70c1bd46e6eb773e47421861a69a8158703b8c
-
SHA256
cdd9e6c99cf6dcd2d7f2e70535df94d9f472117754e4ec99196cfcb949cd3114
-
SHA512
00ff9b2291c4e781e486c4f40f6285f5b6357489c431bafd8d451bf756996672d6149335105154e8f1edd7b531f37e98e64a3bbc083bb4817af53f48b050e54c
-
SSDEEP
1536:VjtkjtTQPgU0GgAJa0P1kNmKldCMhdu8KWP/nTn8nBP9VewNeG0h/l:HkjyIU0GgAT98t
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zeodaad.exe -
Executes dropped EXE 1 IoCs
pid Process 2684 zeodaad.exe -
Loads dropped DLL 2 IoCs
pid Process 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /t" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /u" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /X" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /n" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /s" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /o" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /r" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /z" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /Q" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /l" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /a" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /K" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /N" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /f" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /T" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /j" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /E" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /w" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /B" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /b" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /M" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /V" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /k" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /h" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /F" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /q" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /x" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /v" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /t" 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /L" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /I" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /g" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /P" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /e" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /O" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /i" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /H" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /m" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /A" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /D" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /p" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /J" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /Z" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /Y" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /W" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /y" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /d" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /R" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /S" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /C" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /c" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /G" zeodaad.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeodaad = "C:\\Users\\Admin\\zeodaad.exe /U" zeodaad.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe 2684 zeodaad.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 2684 zeodaad.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2720 wrote to memory of 2684 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 30 PID 2720 wrote to memory of 2684 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 30 PID 2720 wrote to memory of 2684 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 30 PID 2720 wrote to memory of 2684 2720 4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4d5b1ca0fb75751024ad6f9f8fb9a72c_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Users\Admin\zeodaad.exe"C:\Users\Admin\zeodaad.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124KB
MD5c849254f86cb6e9e91fa2efd6ce9ed79
SHA1215cc223892033493b541527db162f6178aa1876
SHA25663fe7b93c51ce9ff344946e4bc4c4fdd4b3cd45a0be23d0d3053b3eb975b8638
SHA51214928c6e3c2f3e0eddf84a93899469b0bb42a24c9d8f771fbdc77dfb731590bc7f8c8c17a082ac8974f32b2c4ca2db48dc8fd20a1301e92b9a10a58f844dbbf7