Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe
-
Size
116KB
-
MD5
eaa9123b8339467296c5eb414eb3f2a2
-
SHA1
48c67b5525e7e9c76af9598bf1f8435a6e8a247a
-
SHA256
619850966aeeb29f63a25efe60fbb2ae76ac506e1eb92a63c7e09635df48c3cd
-
SHA512
f3dfd6506c358fb91da5746c041212e067f13eb34fec7b33c99d03bafab1859c998dc8b96cad2ca8b78c340934553a3b3830cb6860411f0d9d8f5a45de67857f
-
SSDEEP
1536:f5JghTZdSg3Ojs8koyAFx57YjHzZ5oFDOukt5ycQg:xCHog+jMLdjHzboUuyLX
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" muaexi.exe -
Executes dropped EXE 1 IoCs
pid Process 1588 muaexi.exe -
Loads dropped DLL 2 IoCs
pid Process 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /u" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /f" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /m" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /w" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /k" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /s" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /n" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /d" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /e" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /v" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /q" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /p" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /y" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /z" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /o" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /c" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /r" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /h" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /i" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /x" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /l" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /g" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /q" eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /a" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /b" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /j" muaexi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\muaexi = "C:\\Users\\Admin\\muaexi.exe /t" muaexi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language muaexi.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe 1588 muaexi.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 1588 muaexi.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1564 wrote to memory of 1588 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 30 PID 1564 wrote to memory of 1588 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 30 PID 1564 wrote to memory of 1588 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 30 PID 1564 wrote to memory of 1588 1564 eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eaa9123b8339467296c5eb414eb3f2a2_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\muaexi.exe"C:\Users\Admin\muaexi.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1588
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD585a624682253ecd3db6d6d3c5321c9e4
SHA118cfb99f60fbe597e2712b3071b94d2917240b09
SHA256490f7f988200ef2db1e88aa98725101ad663e685becffb04aaab22e8eefeebf4
SHA51248432247c3913ae351c9a077ab3e69493f87449c13c72614c09a900b0468b7e29fd0f407e5e6e04051eb15f6f1b388fb5c48bb4beda61c0fbbfc03803f6b145c