Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 02:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45744435889e919e4862028b7c8fede1_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
45744435889e919e4862028b7c8fede1_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
45744435889e919e4862028b7c8fede1_JaffaCakes118.exe
-
Size
228KB
-
MD5
45744435889e919e4862028b7c8fede1
-
SHA1
0884745cbf68e97ea351f7047864af9f7170101a
-
SHA256
eb7041ddbc5768ad8c64e988ecf69a09d8fc828d3e4024b052f35fee80ca9f1b
-
SHA512
974dc4fe96ceb8a57f9aff27e695e849e04e4b40df731e86ccbe3b1fe24a3a0cdb8448e3c332c153999563d5a646e13cdbcac68fef1d9656474fec454bfe4659
-
SSDEEP
6144:q2bHpDuIqCHE28LuU4SDOZ+5H88EZeeSzbjnNu91uzqI/:q4DuxamSUDO4HfEZeeSLnA91
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qeupio.exe -
Executes dropped EXE 1 IoCs
pid Process 2696 qeupio.exe -
Loads dropped DLL 2 IoCs
pid Process 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /c" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /Y" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /Z" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /y" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /H" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /p" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /b" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /s" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /C" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /a" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /G" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /h" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /k" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /O" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /r" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /w" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /V" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /e" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /j" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /W" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /z" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /E" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /T" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /g" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /X" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /M" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /f" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /l" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /P" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /t" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /B" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /L" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /D" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /U" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /m" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /S" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /R" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /J" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /i" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /o" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /Q" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /K" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /d" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /n" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /N" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /u" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /x" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /v" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /F" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /A" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /q" qeupio.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeupio = "C:\\Users\\Admin\\qeupio.exe /I" qeupio.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qeupio.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe 2696 qeupio.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 2696 qeupio.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2696 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 30 PID 2980 wrote to memory of 2696 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 30 PID 2980 wrote to memory of 2696 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 30 PID 2980 wrote to memory of 2696 2980 45744435889e919e4862028b7c8fede1_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\45744435889e919e4862028b7c8fede1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\45744435889e919e4862028b7c8fede1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\qeupio.exe"C:\Users\Admin\qeupio.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2696
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD56566bc20586f939fbdf6d245c47d466f
SHA1e4392bf2841dde475932a3d1acb5008dc871f45f
SHA256935cb4e6a3488c325534dec11caf093adbb94e20616b331dd2ba4a92ba4f944c
SHA512d4e1c68a07d222d3369b2faa1866de278113cbd7ffd586c1d3cccc0356e5cf870a1bf79fd61d9160b5297d577a5acad08c41607856bcb467afde76080fb645ab