Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2024 04:20
Static task: static1
Behavioral task: behavioral1
- Sample: ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
- Size: 240KB
- MD5: ef0e9664f27e0d9c7ac3bdcce41a66d1
- SHA1: 1bf832213b27353512115862c606be8fff355076
- SHA256: d5fc6a14ea415f0a1ed4eb227861aa0591c55930279203cc48b854e2a1367a3c
- SHA512: c9e9be1b6ffb96b1e499c9fe1ec3e85454adadb8c95c72469c2cf41009bbd9323ccf0dd1c753d8b8b0d337f1cd894c63f0a85a64a73dbe6427899efc0b987e17
- SSDEEP: 6144:JUC3dwqsNwemAB0EqxF6snji81RUinKchhyZS3c:bdQQJsAM
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | booihe.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
-
Executes dropped EXE (1 IoCs)
pid | Process
928 | booihe.exe
-
Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 entries write the same value name under the same key: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\booihe
description | ioc (value written to Run\booihe) | Process
Set value (str) | "C:\\Users\\Admin\\booihe.exe /b" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /s" | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /r" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /n" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /o" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /x" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /p" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /u" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /k" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /y" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /c" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /i" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /t" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /d" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /s" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /f" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /v" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /j" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /w" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /l" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /z" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /q" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /e" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /m" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /h" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /a" | booihe.exe
Set value (str) | "C:\\Users\\Admin\\booihe.exe /g" | booihe.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | booihe.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4920 | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe (2 entries)
928 | booihe.exe (remaining 62 entries, all identical)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4920 | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe
928 | booihe.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4920 wrote to memory of 928 | 4920 | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe | 87
PID 4920 wrote to memory of 928 | 4920 | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe | 87
PID 4920 wrote to memory of 928 | 4920 | ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe | 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ef0e9664f27e0d9c7ac3bdcce41a66d1_JaffaCakes118.exe"
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920
-
C:\Users\Admin\booihe.exe (tree depth 2, child of PID 4920)
Command line: "C:\Users\Admin\booihe.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:928
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads
-
- Filesize: 240KB
- MD5: a31073296e77b5397cad998444da920f
- SHA1: c3f3ee640a44742372c55b5b8229c96cd8efb321
- SHA256: 17f127ac35302fdee0f41390f40a7a3c0a2fac5796c24b6b29c06727d101a09f
- SHA512: 2684a786cf15693a442067c4e0e4a1be1012986ff9c1b2c94e1907b2f52580214e9b1a16cc056a29d31957cbd56ca21a79ebc0aece0df022ff813df1b3486a71