34f844d118a976cf6892313d4ab8b35b8ed4075b7e45675d1c1866f2d858a4c6

Analysis

max time kernel
136s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f24751b434528e968cff77b39fccf301_JaffaCakes118.exe
Size

448KB
MD5

f24751b434528e968cff77b39fccf301
SHA1

d576f2f3d37c990b05e1fc07ba265e9cc26d971e
SHA256

34f844d118a976cf6892313d4ab8b35b8ed4075b7e45675d1c1866f2d858a4c6
SHA512

4f577a885eb7a6b8fb08c5db2fec727f28fb7800460c7251fa32f0f6c7578e0ef060faab50406740e381f4525e869292db69a01311e06145780b0b386f2ce3cd
SSDEEP

6144:Dfop2pY3jqFk7qFoQudlhixeWrS4ijMI7cG7gF:Dfop2pYI2QudA4gzPF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4276	seigoih.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\seigoih = "C:\\Users\\Admin\\seigoih.exe /w"	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe
4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe
4276	seigoih.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4276	4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe	93
PID 4976 wrote to memory of 4276	4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe	93
PID 4976 wrote to memory of 4276	4976	f24751b434528e968cff77b39fccf301_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\f24751b434528e968cff77b39fccf301_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f24751b434528e968cff77b39fccf301_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\seigoih.exe
  "C:\Users\Admin\seigoih.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\seigoih.exe

Filesize
448KB

MD5
c47c86d31f658802da18af5d062cfa3f

SHA1
6eafebe6994126308b39cfe9b29d3186a186697d

SHA256
50b7bdcf94e7acab9a23c4add81c0f432108de1c5c7de1d6a6f16332bb06466e

SHA512
43e349a63ea60727fe6e5f9053c2d4d42a4376db7d900398d8a5d28f458e36832d219a76d925df52dbb03dfa775fc4db39dfaa867267bf88e348d87f4f37d3d0

Download Submit