bfdf9f9ad699fe7fbc729805c2599c248a9a4dadd88456685426bfd78b824bf8

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
Size

100KB
MD5

bcde94ed4e934d908c4a493dfc156479
SHA1

6ca1d92439c34c4d2379b580a62bb42aba1aad4c
SHA256

bfdf9f9ad699fe7fbc729805c2599c248a9a4dadd88456685426bfd78b824bf8
SHA512

ea0b27b73ca0b6d8fc834e1be430210965835381c29d599f54a23f6c257dc8b251897ab0fed11074857ca6034914cae9ef4330a5aa32a4f6bfebab968166e5e3
SSDEEP

1536:Fts8iAuismywsbUgLw0wF9MGM9K/oKtNgCMbA1bL3N+NM5UfpNIjnZzb:gQg/KLOM5iCnBb

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yoebeo.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	yoebeo.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /c"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /I"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /y"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /m"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /F"	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /t"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /R"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /a"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /K"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /Z"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /J"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /u"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /g"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /b"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /O"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /L"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /j"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /r"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /f"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /s"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /o"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /n"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /S"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /M"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /q"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /B"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /V"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /E"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /Y"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /k"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /P"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /U"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /A"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /d"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /Q"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /x"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /z"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /H"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /l"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /e"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /p"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /T"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /F"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /i"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /W"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /v"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /w"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /X"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /N"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /h"	yoebeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\yoebeo = "C:\\Users\\Admin\\yoebeo.exe /D"	yoebeo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yoebeo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe
2732	yoebeo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
2732	yoebeo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2732	1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2732	1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2732	1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2732	1916	bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcde94ed4e934d908c4a493dfc156479_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\yoebeo.exe
  "C:\Users\Admin\yoebeo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\yoebeo.exe

Filesize
100KB

MD5
06b84f52b8263ea9ce79b6c6eb813bae

SHA1
356b20d394e7c36d3ee04bc670c9151990c3f7e8

SHA256
953cd5138fad18d2a23c2639c69d81dffca62c1a6d487fc9e18ec208b8ba04eb

SHA512
e915bdd0a051330e2589bf426e650653a96b2022e8b24f00ba17d45d9467949e121f130e41f7505f7186338cab9bbe4eb24a39caef9c2b8d712d74918506d282

Download Submit