Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
09/07/2024, 12:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe
-
Size
100KB
-
MD5
30764c57031bb1ec0db8399a74e7109a
-
SHA1
651512776882e788795e542b1fb7791f2d061a13
-
SHA256
fb4b8d1ceea7e61cc9149cdaef4437e130b30a67fab3ad334147b73df2b79889
-
SHA512
5ebb60c24207ac07dec0c4fd34d39db6a12323cd1d9a3e7196706cbfb0229274b1b5002863058f380d6a9950e842829f409b54dd8ffc2c799ade918ff52b0246
-
SSDEEP
1536:gzWUcX220mQaCGXxJKIRGWcOUP7vXArnY1ZqAefzyes5NIjnZMx:wkQamNAfzyeuCnix
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xaifo.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 2112 xaifo.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /Z" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /Y" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /c" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /A" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /h" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /s" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /z" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /F" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /X" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /E" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /O" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /l" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /d" 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /W" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /L" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /v" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /T" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /e" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /C" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /b" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /u" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /o" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /H" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /G" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /r" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /V" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /n" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /f" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /x" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /R" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /M" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /a" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /B" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /Q" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /y" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /q" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /d" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /I" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /i" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /j" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /w" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /U" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /p" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /S" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /J" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /P" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /K" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /N" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /m" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /k" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /D" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /g" xaifo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaifo = "C:\\Users\\Admin\\xaifo.exe /t" xaifo.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe 2112 xaifo.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 2112 xaifo.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1716 wrote to memory of 2112 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 85 PID 1716 wrote to memory of 2112 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 85 PID 1716 wrote to memory of 2112 1716 30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\30764c57031bb1ec0db8399a74e7109a_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Users\Admin\xaifo.exe"C:\Users\Admin\xaifo.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2112
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5592f28dcfd49e325e4be2df8f7c8d8d9
SHA1614e68298e16a1539ba0898c165c54fd63ceacd4
SHA25643a0fabd4ecf7302d215df042dfb2253cf665fecaa2da4b017888308ea7fe9ee
SHA512b94fdf036a090b7299975051aa9f51fb6a4b847366b43c34af9ae0ad2d93c491235e1b1cbeec978fe64056283f2783d0e27fc3d14c12cc0d9a0b49a8ac070b68