7728ec8707b55826bdcc248557fad8b530c0254a07ba8b056fc49aceb0b97a90

Analysis

max time kernel
149s
max time network
29s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
Size

100KB
MD5

0e6f15c53a8519608dc2c625eb474418
SHA1

3868bd9a7efe8ab389e6e8e248cf9efb7d3593f4
SHA256

7728ec8707b55826bdcc248557fad8b530c0254a07ba8b056fc49aceb0b97a90
SHA512

cfa80971da2973552d4ae4a51847e96cb2970e6160cc2bd7a2d95c7a852674c2b1bbdb63e2cdcbf67854f80a1ae7a2081b2f762e4b3e752962617e2dc48f9a98
SSDEEP

1536:DPWwcX220mQAxJKIRGWcOUP7vXArnY1ZqAefzyes5NIjnZF8:rsQTNAfzyeuCnP8

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buuyoot.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	buuyoot.exe

Loads dropped DLL 2 IoCs

pid	Process
1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /t"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /A"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /u"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /r"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /y"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /q"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /J"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /b"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /R"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /i"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /L"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /D"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /f"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /x"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /Y"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /M"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /z"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /X"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /O"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /l"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /j"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /T"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /n"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /Q"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /I"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /V"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /Y"	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /E"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /C"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /P"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /h"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /H"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /a"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /G"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /c"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /s"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /Z"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /k"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /v"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /m"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /e"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /o"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /S"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /K"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /d"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /N"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /F"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /p"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /g"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /U"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /B"	buuyoot.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\buuyoot = "C:\\Users\\Admin\\buuyoot.exe /w"	buuyoot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buuyoot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe
2860	buuyoot.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
2860	buuyoot.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2860	1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2860	1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2860	1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2860	1080	0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e6f15c53a8519608dc2c625eb474418_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\buuyoot.exe
  "C:\Users\Admin\buuyoot.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\buuyoot.exe

Filesize
100KB

MD5
9baf9b25be85c79d5c47ec56ba4e07f3

SHA1
5e47b3ccbf301134608984a83f0f497e1818f4db

SHA256
493e424490c344287b2607c7e7c9d70245fb5df24e887805ba364f71e4a135af

SHA512
0847f523be9dadc747f09627df831daaaa1031cdc1868eda2ee1dc48089100402e1bb9316873cefa8e092df366a55686dde813230a151f08f021ae9320e09b75

Download Submit