9d5517b5485a0bbe3649ff0b7f3d45d289208471704759514aaefd24615de59f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
Size

224KB
MD5

026c6a13c4a35e87f2dd384c81ec88db
SHA1

882e9cb9a0f87203a3bd5323f310ded6c9f96fc9
SHA256

9d5517b5485a0bbe3649ff0b7f3d45d289208471704759514aaefd24615de59f
SHA512

a76c9fde522ff3e79bfa9cf915bf0adc13ea6133516173d725043bc345ae0e9edcc802d27b457f7257118be77fcbae1a7d2b86da78a6c21d58f29c25b0ff0db0
SSDEEP

6144:9pY1DifkpJFhSpe/+Ij7NweeJEKlJ85eg/0ISDhfq:9pYRisJXKIj3e6Rvd/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yieseur.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	yieseur.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /O"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /v"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /V"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /l"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Y"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /B"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /b"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /H"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /J"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /i"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /c"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /y"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /q"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /r"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /M"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /G"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /P"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /e"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /x"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /j"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /p"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /d"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /F"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /A"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /T"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /w"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /u"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /t"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Z"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /g"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /a"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /f"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /z"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /Q"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /L"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /C"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /I"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /U"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /X"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /m"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /N"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /K"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /k"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /R"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /S"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /n"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /s"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /o"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /W"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /h"	yieseur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yieseur = "C:\\Users\\Admin\\yieseur.exe /D"	yieseur.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe
2896	yieseur.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
732	026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
2896	yieseur.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2896	732	026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe	87
PID 732 wrote to memory of 2896	732	026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe	87
PID 732 wrote to memory of 2896	732	026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\026c6a13c4a35e87f2dd384c81ec88db_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\yieseur.exe
  "C:\Users\Admin\yieseur.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yieseur.exe

Filesize
224KB

MD5
01184d34b3bddd36da72dd34c52fa270

SHA1
341a4a536bd39a5850bc89c9f7518493715795e4

SHA256
0b72a70606a14519469ac96827ecee39e67a088d2f3a6a5a3b54438bfd9d6955

SHA512
4b955e650949e56d2a85924700d8105d1bb02dc725c6485621aa68918d1f181cfc01f1b8889c7fff09b47094e693170a5ca6b80fec137eefb92ed1c07cd345ee

Download Submit