df8ccc38121b8e4d9c41cde612464948469bb302f52153ccbb31bbee71734f51

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
Size

148KB
MD5

36d1879ee37ea792b98517c1614f0c6e
SHA1

cec84f5ef1200849239cc84cc62e40184a4399eb
SHA256

df8ccc38121b8e4d9c41cde612464948469bb302f52153ccbb31bbee71734f51
SHA512

70831c2edb6d3e2286bba0d60e161e059218eb03306bdb204aa3663a78b8cd858776cd33bec3954565e9d0d41c56c716297bc274fe5d43d824d2cf17819d5eb8
SSDEEP

3072:Ado+tgRs59j/pvkqBBac+RAGq1bg7Yfgst6OzOS79pgRZkhQJAOAI4oQZiEwSt5:uoibj/pvkqBBac+RAGq1bZHtrzOS77kM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xoaedi.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	xoaedi.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /E"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /t"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /Q"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /A"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /B"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /H"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /T"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /N"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /C"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /Z"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /L"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /r"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /Y"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /k"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /i"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /V"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /m"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /F"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /K"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /W"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /d"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /z"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /S"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /a"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /x"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /g"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /R"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /u"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /y"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /m"	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /P"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /l"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /b"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /s"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /o"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /G"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /I"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /h"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /w"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /c"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /j"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /U"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /O"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /e"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /p"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /D"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /q"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /f"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /n"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /v"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /J"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /M"	xoaedi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoaedi = "C:\\Users\\Admin\\xoaedi.exe /X"	xoaedi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe
2076	xoaedi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
2076	xoaedi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2076	2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2076	2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2076	2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe	29
PID 2064 wrote to memory of 2076	2064	36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36d1879ee37ea792b98517c1614f0c6e_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\xoaedi.exe
  "C:\Users\Admin\xoaedi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\xoaedi.exe

Filesize
148KB

MD5
3467b407d8596bbe275f28e704d49cce

SHA1
bac750209a3df144b46ed37231ee53b69562e1c1

SHA256
80ee6c600745f162bc92ac6958d226e00ee01b049259a288f46a090467835432

SHA512
11d312d05e381b8d35547545ef8057534ae15b26ba6d18967b71f527c11d4b832c39d2b220932f775c43cd01e558339245565510dcf61a94e43fdcf59b53367b

Download Submit