Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2024, 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
Size: 88KB
MD5: 49e5f1c876838d2cb38b8d2e2455f2b7
SHA1: 88904bc83529c1c2facb4c34fc09ecd1d0e462ba
SHA256: d948645ac8278216d4f6158dab5051a9c97721f67cfbb160731c40746ec6da6c
SHA512: 6fe42a2dcffb53637058a6ff6243f348b6134d583793b674bae300aae7b8636ba69b39a5a54269282483376826f0fc8ae875703cef96ff6b36e6432336b21ab5
SSDEEP: 1536:no2rSpy8tXG06YpqdXTsYJ/F+FBFIFGFYF7DUZxTZhza:rSs0G0mZM+
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: xiaah.exe)
Executes dropped EXE (1 IoC)
  PID 1804: xiaah.exe
Loads dropped DLL (2 IoCs)
  PID 2992: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
  PID 2992: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1804: xiaah.exe  (the same entry is recorded 64 times)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2992: 49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
  PID 1804: xiaah.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2992 (49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe) wrote to memory of PID 1804, procid_target 31  (the same entry is recorded 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\49e5f1c876838d2cb38b8d2e2455f2b7_JaffaCakes118.exe"
   PID: 2992
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\xiaah.exe (child of PID 2992)
      Command line: "C:\Users\Admin\xiaah.exe"
      PID: 1804
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 88KB
MD5: a6c471a74395d3458eb5c138404032c9
SHA1: 30dc31dad4d3d51d947cf50789be9807542ece05
SHA256: f80b999dd17f90bdd5cd5f1120321d307fbb2a197ff270c935c5abde19aff4b2
SHA512: e306a39cf114b60138d3af12d77d44417996e274733103dfe1a8b91726623de33d42e7a21b00cc45167170597c0dc919c0ee9cce7920e75712de86b5c4c2f225