Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 12/08/2024, 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
Size: 124KB
MD5: 8e3ed334025768858bec204049ce3e52
SHA1: b2f949f6fe2fdd64372407eb814d3172a7e30c9d
SHA256: a701a2626db828ac44e96681ecf0c4dcf9b526393953dd8ca6fea7e0542e0c60
SHA512: bc6f30310b9251fae625128633f18216c368d216dde2ae067f4f0e0eb2e505c894601e215a1b52308bff7001f0bcbc6b5e5cf1e450651989f1951e9822ceacc3
SSDEEP: 1536:HutkjUTQ5U0GgAJa0P1kNmKldCMhdu8KWP/nTn8nBP9Ve+NeG0h/x:MkjT5U0GgAT92p
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                   Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  qoataf.exe
Executes dropped EXE (1 IoCs)
  pid   Process
  1964  qoataf.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
  All 52 entries write the same value name,
  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoataf
  each time with a different command-line switch in the data:
  description      ioc (data written to ...\Run\qoataf)   Process
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /X"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /e"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /b"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /F"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /O"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /x"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /T"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /c"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /Z"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /i"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /k"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /w"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /m"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /B"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /v"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /L"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /f"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /l"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /t"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /A"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /W"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /p"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /h"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /d"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /r"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /F"        8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /g"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /G"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /P"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /S"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /D"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /j"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /Y"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /s"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /n"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /J"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /M"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /z"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /H"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /R"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /N"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /q"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /K"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /u"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /U"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /a"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /C"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /V"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /E"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /y"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /Q"        qoataf.exe
  Set value (str)  "C:\\Users\\Admin\\qoataf.exe /I"        qoataf.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qoataf.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  1964  qoataf.exe   (this row accounts for the remaining 63 of the 64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
  1964  qoataf.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                              procid_target
  PID 1732 wrote to memory of 1964  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe  30
  PID 1732 wrote to memory of 1964  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe  30
  PID 1732 wrote to memory of 1964  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe  30
  PID 1732 wrote to memory of 1964  1732  8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe  30
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8e3ed334025768858bec204049ce3e52_JaffaCakes118.exe"
    PID: 1732
    - Modifies visibility of hidden/system files in Explorer
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\qoataf.exe (child of PID 1732)
        Command line: "C:\Users\Admin\qoataf.exe"
        PID: 1964
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads
Filesize: 124KB
MD5: 161f21c45431ef7df60d2094aa93ad18
SHA1: 3b53b5cada7b38fae146fabf5fa366b79589d3de
SHA256: e1e79e773d7c98b129d8c0e8d337d9f1b825aa65c4ed811fc665c287767495ed
SHA512: 27eaa41b98340b96d6f3b10264470df1e19b9cf7655cda588d502ad72a5c789afc3e2be3648da42950aed074782100a368390c79a1f3ead291cd2eec10986ea2