c06762d298cb4f60489106f84b5e8799c6e39e2a4d75a4bdaf2dd060a4c164da

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
Size

228KB
MD5

08398bf14a0e9f103524295e32fe72ef
SHA1

276d0d81bad472cced37fff3bd9353ec5e0a156a
SHA256

c06762d298cb4f60489106f84b5e8799c6e39e2a4d75a4bdaf2dd060a4c164da
SHA512

e6d4b798caec12102ee7e83153c1b1a3aa75928992eef583073387760a36c6c0a4bf0568331db2510091d59626a38da34a44f896ce8a365c18a5cf7f4afd16b3
SSDEEP

6144:9ER3PFKs7aaOKW8alhrEqxF6snji81RUinKGHgD7Sh:9EdPhvENPH670

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wqsav.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	wqsav.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /x"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /d"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /r"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /n"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /u"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /y"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /h"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /b"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /l"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /o"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /j"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /k"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /g"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /v"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /q"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /c"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /e"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /b"	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /s"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /m"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /w"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /i"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /t"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /a"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /p"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /z"	wqsav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\wqsav = "C:\\Users\\Admin\\wqsav.exe /f"	wqsav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqsav.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe
2620	wqsav.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
2620	wqsav.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2620	2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2620	2604	08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08398bf14a0e9f103524295e32fe72ef_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\wqsav.exe
  "C:\Users\Admin\wqsav.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\wqsav.exe

Filesize
228KB

MD5
833debf3e84fea19dc029815cef0fbd5

SHA1
039476de531cd4b6747f103d7907e1776bd646a2

SHA256
804b8d51178a14d3c8397b44cdf5b69ae29f6b972e578614c710ff195d95bb55

SHA512
60cfbd17d276c8094d08adb361afa488427c90775928289cc7acfa11a0b9380df60a8484b000a0069b20771c16de58e3a4fa69e7c72e1c3fd6c5badb25d952fc

Download Submit