Analysis
- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2024 06:55
Static task: static1
Behavioral task: behavioral1
- Sample: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
- Size: 288KB
- MD5: 169dcb0a9c96559067317b8de65687fe
- SHA1: 1528dc67122869d8ba85ac4fbdd3467359aa7654
- SHA256: 8ebafe4eaf4e812f1ededafd0260d438727c7b127748aba00cd4c6e5c241652e
- SHA512: 5243ac7bf702438f92bfd343fdf9d95d153f7dff4211b943f654f19209eea8d5a6e81f00bb7b13c5d783076e612e990b3b2468ea5d84141116bbaf6edeff9343
- SSDEEP: 1536:bopXMphhl/dKxHZ+u+SXq/fiTvlATmeX4Z4R4H4i4/o9FKs0z2xoetEPnyexeyZU:7BVww7ucz9/tBH3H3e
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: qozef.exe)
- Executes dropped EXE (1 IoC)
  pid 1220, process: qozef.exe
- Loads dropped DLL (2 IoCs)
  pid 1288, process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\qozef = "C:\\Users\\Admin\\qozef.exe" (process: qozef.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: qozef.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1220, process: qozef.exe (64 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1288, process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
  pid 1220, process: qozef.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1288 wrote to memory of 1220 (pid 1288, process: 169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe, procid_target 29): 4 entries
  PID 1220 wrote to memory of 1288 (pid 1220, process: qozef.exe, procid_target 28): 60 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\169dcb0a9c96559067317b8de65687fe_JaffaCakes118.exe"
  PID: 1288
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\qozef.exe
    Command line: "C:\Users\Admin\qozef.exe"
    PID: 1220
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
Downloads
- Filesize: 288KB
  MD5: 831c560656382712d8ef7527c13e9d6c
  SHA1: 4604ff2e61015d1ac3828a662130e5811a822e29
  SHA256: 8fe535a104c0041d5f911ea7635b12fe38824420464b5093377e50c302dfc14c
  SHA512: c17deafd3a1a174d0dcbd71377a5a70f2281b0506292bdbfb108e999ab3115683eee5184e68b721fe16baa27a5c0c5751ce06ccea5ecea0fea64bc7062b02679