57c4e8c4a94a7367f4c119e86d4a7b9b6f99726690aebbf8bd77d5385ad71e2b

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 04:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
Size

420KB
MD5

4441c966100f8b18074c76812cf4e95f
SHA1

4f04990e66db3d70995d0c7e5f88d98c8bab31a1
SHA256

57c4e8c4a94a7367f4c119e86d4a7b9b6f99726690aebbf8bd77d5385ad71e2b
SHA512

854db4b2f55b768823eab64ac5cd113ad4558803c62deb3bb419de4265faccdc2496424813b08f8b1499ddbf8710b82411d3bfefaf8837bcdddfe0be8135a69a
SSDEEP

6144:lwW5jqFk7qFoQudlhiP5+6yCtfGiIAZFG:lf22QudeYr0F

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tuohu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3692	tuohu.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /b"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /c"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /e"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /n"	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /s"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /r"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /u"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /m"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /p"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /n"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /a"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /z"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /l"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /f"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /w"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /d"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /h"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /g"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /t"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /i"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /x"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /y"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /o"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /j"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /v"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /k"	tuohu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuohu = "C:\\Users\\Admin\\tuohu.exe /q"	tuohu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe
3692	tuohu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
3692	tuohu.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3692	5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe	88
PID 5028 wrote to memory of 3692	5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe	88
PID 5028 wrote to memory of 3692	5028	4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4441c966100f8b18074c76812cf4e95f_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\tuohu.exe
  "C:\Users\Admin\tuohu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tuohu.exe

Filesize
420KB

MD5
a14347102026cf55a60f78ff51adb024

SHA1
53057c834f804ef0b9843c2ec210cdd32aff7683

SHA256
b580729018c845e18097ec12253cd4cf54657806aa13fa595b87d4b58ad0dd7c

SHA512
d95412038d1918ffe81116af6e8074772b18ed99b8353e98f20c5de2a5e133b36e5028d5aa6345d749483f969ed3ca92815582b38c312a36137ad2533867f6de

Download Submit