6af22eb25856b88152fee68fd0ca9263311d05fa4aa2b1c2503f4fef69a8e1d2

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
Size

116KB
MD5

eace1f0f82f6dcebb2d5950348e3f373
SHA1

f7adefe5d15ee3adc759d297029ff897c45517a7
SHA256

6af22eb25856b88152fee68fd0ca9263311d05fa4aa2b1c2503f4fef69a8e1d2
SHA512

87670be546b990ab6e036dba37706e88cce3bc51fbd6cf311bf8f473199d52950ec4dfb8bf933f894fe4da07a25a65885a56e1f611227d4626c5cd734b9fdaa9
SSDEEP

1536:w7pxox++Q8Kw6KBOIW4Z8HO1Zwt0f4HeDUEdMOPy9sbgN2wo7JaS1:WpH+QfIr1ZNDUEdTwQL

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pqroor.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	pqroor.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /y"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /k"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /Z"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /h"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /G"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /e"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /N"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /L"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /l"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /f"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /Q"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /Y"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /X"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /m"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /n"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /g"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /V"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /v"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /b"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /U"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /D"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /t"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /R"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /x"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /T"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /S"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /P"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /w"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /K"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /p"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /u"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /o"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /z"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /H"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /r"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /W"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /d"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /A"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /J"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /c"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /i"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /C"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /I"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /q"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /B"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /F"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /a"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /B"	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /s"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /j"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /E"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /M"	pqroor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\pqroor = "C:\\Users\\Admin\\pqroor.exe /O"	pqroor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pqroor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe
2776	pqroor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
2776	pqroor.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2776	1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2776	1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2776	1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2776	1792	eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eace1f0f82f6dcebb2d5950348e3f373_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\pqroor.exe
  "C:\Users\Admin\pqroor.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\pqroor.exe

Filesize
116KB

MD5
0bd117701d1b9bccac6488985dda86d0

SHA1
c91fd0af8dbbab14cbb032c684fa196f2184f799

SHA256
fe8331e3fc07b60a442b2992eaa15e9116d0cc4b3bc69e04f212b33414327446

SHA512
df59a37f36807748e99c366b2b7a9aa57864c93bfd8590e8e8663e4b2a5a409b27bbe492df43082d9e79e558b6ef4801dc55a6f5d8e008eb76de296e727b1d1e

Download Submit