Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
25-07-2024 15:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe
-
Size
248KB
-
MD5
70224cf8d1eaff523e8d5894562365c0
-
SHA1
e20468699ae11b8074e51ff98435d8baaed9e242
-
SHA256
fe30588b519e218becab8cf303d6412de9e3cb00699a1d08d989e8dfa508793a
-
SHA512
1f369999597379ee91b5c208edc07aca771dbf5fecdfa499bb0fc848d0dcf05307fb5051333eb25c879c08e53c4f10de1a425113a252d0089ec25520700e467c
-
SSDEEP
6144:kD07X6Y0d/RCH3erL/sLAsLPfc/UDgKJ1s4EWqZA7Q/DxoI3sDP4QtNINHKbhFJc:D7Xh0d/RCHOrL/sLAsLP9+AKtF3sDwnG
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xeuvoq.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 5040 xeuvoq.exe -
Adds Run key to start application 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /E" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /O" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /D" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /k" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /s" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /x" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /I" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /S" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /n" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /Q" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /Z" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /c" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /y" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /R" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /G" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /Y" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /w" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /N" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /l" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /F" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /t" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /J" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /V" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /g" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /i" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /q" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /m" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /P" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /K" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /U" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /C" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /z" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /a" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /W" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /d" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /j" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /M" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /A" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /u" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /v" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /L" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /H" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /p" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /r" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /X" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /f" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /B" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /b" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /o" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /e" xeuvoq.exe Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xeuvoq = "C:\\Users\\Admin\\xeuvoq.exe /h" xeuvoq.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xeuvoq.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe 5040 xeuvoq.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5104 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe 5040 xeuvoq.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5104 wrote to memory of 5040 5104 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe 89 PID 5104 wrote to memory of 5040 5104 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe 89 PID 5104 wrote to memory of 5040 5104 70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\70224cf8d1eaff523e8d5894562365c0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Users\Admin\xeuvoq.exe"C:\Users\Admin\xeuvoq.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5040
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
248KB
MD5e201a7317c1a4c01babd930f7a9f404c
SHA19dd9c7114986c6cba099a5411bd194ec41ee30ee
SHA2561b52eecf3869ea971e419f8c0a7dfae2439a46d0d3dad29588334791156e29a3
SHA51260a0771a0169757361cc1ec485216e4bca773526155351441017a2a228c4d13fcc8d53b58366af16af2fbae17b1c04c32ff381b57b43423dc6daaf5f80d776cf