02cb135733be516e8d1a042f1d23f95786af40063ded87b773d573e53bd6459b

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
Size

232KB
MD5

fb43e96cf70add4431eee55ded3bf264
SHA1

ec1c3caa3f14bbc429145a51009e6751787e1c56
SHA256

02cb135733be516e8d1a042f1d23f95786af40063ded87b773d573e53bd6459b
SHA512

2bfdad883558a139bd6c8a7913f2e182296376cbc77190bb2718d0e69bad11d82dffc7edc107b74b166dc6b44134ba24abed4943366ec1c9dce767d50e8a6cbc
SSDEEP

6144:/q3PFKs7STL6eEqxF6snji81RUinKn3Kt+dNFNFE:APhPDF3E

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cuoodag.exe

Executes dropped EXE 1 IoCs

pid	Process
1952	cuoodag.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /e"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /s"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /f"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /r"	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /c"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /t"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /i"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /h"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /z"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /u"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /x"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /v"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /n"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /g"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /d"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /a"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /k"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /r"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /y"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /w"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /l"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /p"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /q"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /m"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /j"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /o"	cuoodag.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuoodag = "C:\\Users\\Admin\\cuoodag.exe /b"	cuoodag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuoodag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe
1952	cuoodag.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
1952	cuoodag.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1952	1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe	30
PID 1760 wrote to memory of 1952	1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe	30
PID 1760 wrote to memory of 1952	1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe	30
PID 1760 wrote to memory of 1952	1760	fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb43e96cf70add4431eee55ded3bf264_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\cuoodag.exe
  "C:\Users\Admin\cuoodag.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cuoodag.exe

Filesize
232KB

MD5
e601c5c9091a270cab6bc7c3f8172671

SHA1
bfe7f0d1bb9cdfc49261f5c93ed2c428de00fd5c

SHA256
1262a6814d394c7bf0b917f160504028fbd07f47855fe4b5c4a6d67b85ce7a70

SHA512
897db21b2b0f68590039962d5fb81f4332da166a36c532a8e840d2de957176760b7915556fb94e1b8e6eb0798b4e5042f5fc51c45d4b94397fdb05329b16f6b6

Download Submit