Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-09-2024 08:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe
-
Size
136KB
-
MD5
d17faede4b36b6c4a9dae848910cac5e
-
SHA1
8af659064da622f15bf99acf1acdc46307c75802
-
SHA256
12dc511c91e0b4133d6b8bc341989802cef5b2b1304e7fbc0e09895234fea0f3
-
SHA512
1fc425de96f7458ecef26605009342fa3dd4843c3bc1ca3464e91a037ef47dc29545648fddc3a634a60b3230519b35f1236916456d1621cd24b57a9734c7f8b0
-
SSDEEP
3072:fJ8aF8EHAaNKWY9pkWdHOYBs7HTbcnp886/kWRBg156CEf+2XC4bskzIYgBSw:fcEt9Y9pkWdHOYBs7HTbcnp886/kWA03
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fuizom.exe -
Executes dropped EXE 1 IoCs
pid Process 2212 fuizom.exe -
Loads dropped DLL 2 IoCs
pid Process 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /f" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /k" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /Q" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /J" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /F" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /E" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /Y" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /r" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /W" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /X" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /G" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /y" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /M" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /i" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /a" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /q" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /P" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /m" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /R" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /B" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /U" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /e" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /T" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /z" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /c" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /Z" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /p" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /N" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /j" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /g" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /D" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /n" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /s" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /I" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /d" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /V" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /u" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /C" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /v" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /h" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /S" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /x" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /A" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /O" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /t" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /L" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /l" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /b" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /H" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /o" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /w" fuizom.exe Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuizom = "C:\\Users\\Admin\\fuizom.exe /K" fuizom.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fuizom.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe 2212 fuizom.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 2212 fuizom.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2212 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 29 PID 2376 wrote to memory of 2212 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 29 PID 2376 wrote to memory of 2212 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 29 PID 2376 wrote to memory of 2212 2376 d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d17faede4b36b6c4a9dae848910cac5e_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\fuizom.exe"C:\Users\Admin\fuizom.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2212
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5fc9ce071358c11288d8ee3497200e157
SHA1bbc976f9c8bb3071eabf32dfd74b52ca21886cac
SHA256a4fc9180aaf04879132bc5e6c128b4c2191bd41126ad4ba1713a2996337d84e7
SHA51266ae63e192535184aa3e807f9ae3f3d1ed07695d6f6252d74a3c7921865a7927d73130079680d1dae962ba3384c2fd0a11a5e24c1ac88a7703abef9eaa9ecd3f