a306fd33e3df77861909c7c27ec90cfe90d11a47c768f448012882517cf7701a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
Size

100KB
MD5

66dc240f7587c18ef0f46c54024ae880
SHA1

0adc4e63333d42aa369169a19d2b393fed00486f
SHA256

a306fd33e3df77861909c7c27ec90cfe90d11a47c768f448012882517cf7701a
SHA512

20baeb00aa485bc994e36e63f39853300e7ee5ecff562364a3807ee995500179bf28af52667ac6ead53614c80c9aa36ef52e60a8a495a369e0b6daef6f6bce6e
SSDEEP

1536:94tGb82NTzwMMGAc4ohrPXo+73Rez8b0SyKNIjnZrJ:Rw7urPX7CKCnlJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	liukaer.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	liukaer.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /G"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /O"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /c"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /L"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /v"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /I"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /g"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /h"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /t"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /W"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /p"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /E"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /Z"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /s"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /S"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /N"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /C"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /U"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /q"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /j"	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /u"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /D"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /r"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /m"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /Y"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /K"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /l"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /b"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /d"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /f"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /B"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /F"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /X"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /T"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /y"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /J"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /o"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /A"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /n"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /V"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /j"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /i"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /R"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /a"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /P"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /Q"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /z"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /w"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /x"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /k"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /e"	liukaer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\liukaer = "C:\\Users\\Admin\\liukaer.exe /M"	liukaer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe
2692	liukaer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
2692	liukaer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2692	2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2692	2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2692	2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2692	2388	66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66dc240f7587c18ef0f46c54024ae880_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\liukaer.exe
  "C:\Users\Admin\liukaer.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\liukaer.exe

Filesize
100KB

MD5
46bb1702920a85ebd23a2331994ddc9d

SHA1
f91105792b6e98df5f4c03d05bae7259dae99715

SHA256
d3e6122e36596e767b9c008e1634c5f4a9ecfa8a6eb3fc3ac94897b0f21b5b27

SHA512
045ca2300c495a08421b335b0f969fd5caac33f070c8865d7b1389c5963eec72cdef3b919322159fdec37cc1182e6d973aa1dff120c44718b662d946c350d888

Download Submit