Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 12:35
Static task: static1
Behavioral task: behavioral1
Sample: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
Size: 88KB
MD5: 01592e1dd2f283bc26fc08935a750fc8
SHA1: a0712b802ce5899d9dac8558b674f3c2f01cffe8
SHA256: 3f2f58700adba3abc7c1f30b41a8fd06164fe015d9d5cc793e17ce5ead8ce58b
SHA512: 4ec06d8809dc11a1253a55370547f68a55533c737627885081e2a965ecae68e29e95ef8e563f944ee26cdfb348ccb6f42cf5e0fcfa4b0a42e2d3b7d18a2b5823
SSDEEP: 1536:J+e0fSpy8tXG06YpqdXTsYJ/F+FBFIFGFYF7DUZxTZFua:eSs0G0mZYn
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int) | ioc: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Process: posup.exe
Executes dropped EXE 1 IoCs
pid: 2824 | Process: posup.exe
Loads dropped DLL 2 IoCs
pid: 2708 | Process: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe (both IoCs carry the same pid and process)
Adds Run key to start application 2 TTPs 51 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: posup.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 2824 | Process: posup.exe (all 64 IoCs carry the same pid and process)
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 2708 | Process: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
pid: 2824 | Process: posup.exe
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 2708 wrote to memory of 2824 | pid: 2708 | Process: 01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe | procid_target: 30 (all 4 IoCs are identical)
Processes
C:\Users\Admin\AppData\Local\Temp\01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01592e1dd2f283bc26fc08935a750fc8_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2708
  C:\Users\Admin\posup.exe (child of PID 2708)
    Command line: "C:\Users\Admin\posup.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 2824
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Hide Artifacts: 1
    Hidden Files and Directories: 1
  Modify Registry: 2
Downloads
Filesize: 88KB
MD5: c24b535d4ff6352b1757d5a40bb028f1
SHA1: 7dfa528331e5ea8b5067fa06d05df700f62fa543
SHA256: 6a14cf965c589e28704197219c5f098018b0a068a98e0adf516364f45f0d5bef
SHA512: 123027f9c62bf2210b181fbee27519a5536e3f12a536598458489d3309d76bfc8273456fac6dc9d6f2da1d2d7d39888a0f2f2e3eec8ab682d03613e191eaf034