Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 03:29
Static task: static1
Behavioral task: behavioral1
  Sample: 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
Size: 224KB
MD5: 026c6a13c4a35e87f2dd384c81ec88db
SHA1: 882e9cb9a0f87203a3bd5323f310ded6c9f96fc9
SHA256: 9d5517b5485a0bbe3649ff0b7f3d45d289208471704759514aaefd24615de59f
SHA512: a76c9fde522ff3e79bfa9cf915bf0adc13ea6133516173d725043bc345ae0e9edcc802d27b457f7257118be77fcbae1a7d2b86da78a6c21d58f29c25b0ff0db0
SSDEEP: 6144:9pY1DifkpJFhSpe/+Ij7NweeJEKlJ85eg/0ISDhfq:9pYRisJXKIj3e6Rvd/
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | yieseur.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
2896 | yieseur.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /O" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /v" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /V" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /l" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Y" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /B" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /b" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /H" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /J" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /i" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /c" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /y" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /q" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /r" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /M" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /G" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /P" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /e" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /x" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /j" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /p" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /d" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /F" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /A" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /T" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /w" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /u" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /t" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Z" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /g" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /a" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /f" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /z" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Q" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /L" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /C" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /I" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /U" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /X" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /m" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /N" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /K" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /k" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /R" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /S" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /n" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /s" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /o" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /W" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /h" | yieseur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /D" | yieseur.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2896 | yieseur.exe (the same row is listed 64 times in the report)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
732 | 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
2896 | yieseur.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 732 wrote to memory of 2896 | 732 | 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe | 87
PID 732 wrote to memory of 2896 | 732 | 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe | 87
PID 732 wrote to memory of 2896 | 732 | 026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe"
   PID: 732
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\yieseur.exe (child of PID 732)
      Command line: "C:\Users\Admin\yieseur.exe"
      PID: 2896
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 224KB
MD5: 01184d34b3bddd36da72dd34c52fa270
SHA1: 341a4a536bd39a5850bc89c9f7518493715795e4
SHA256: 0b72a70606a14519469ac96827ecee39e67a088d2f3a6a5a3b54438bfd9d6955
SHA512: 4b955e650949e56d2a85924700d8105d1bb02dc725c6485621aa68918d1f181cfc01f1b8889c7fff09b47094e693170a5ca6b80fec137eefb92ed1c07cd345ee