1b76184870057f01915b5f3db3b777749f70579066a7ba97586b656f2495502e

Analysis

max time kernel
149s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
Size

284KB
MD5

a78f12e732071f88e7ac2a9480f4de18
SHA1

e5cb2eb92421586a5ea3bd8aa8ebf1967f3ed41e
SHA256

1b76184870057f01915b5f3db3b777749f70579066a7ba97586b656f2495502e
SHA512

57980a82152733edec022a89a9b6ddd1feb4a2b472dcf559200f3996300ddf66e87eefa29644157c8caadef0ee8031ae9761688897c27aaaffd6470046f9aa61
SSDEEP

6144:jfX6QcxQRhNyKQ9ezwA2Rv4gnw+lJVomcEk9dk/FLGY+Kt/dPLsx02Gf6vIqGnuJ:GjVIrbQdnHcllaXYDoDM3fiUa

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gitew.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	gitew.exe

Loads dropped DLL 2 IoCs

pid	Process
1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /o"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /z"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /t"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /h"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /q"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /M"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /k"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /g"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /u"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /K"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /R"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /I"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /x"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /j"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /J"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /B"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /A"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /U"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /s"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /H"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /P"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /e"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /m"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /V"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /S"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /Z"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /y"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /G"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /a"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /N"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /W"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /r"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /w"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /f"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /C"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /E"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /D"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /Y"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /p"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /g"	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /d"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /X"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /i"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /Q"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /F"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /l"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /O"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /L"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /c"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /n"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /v"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /b"	gitew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\gitew = "C:\\Users\\Admin\\gitew.exe /T"	gitew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gitew.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe
2164	gitew.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
2164	gitew.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2164	1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2164	1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2164	1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2164	1532	a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a78f12e732071f88e7ac2a9480f4de18_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\gitew.exe
  "C:\Users\Admin\gitew.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\gitew.exe

Filesize
284KB

MD5
ccfeb488270f52a372e4609c3b0669da

SHA1
2fd071ab95046e44a00d4cb5e667b8ecd9c937bb

SHA256
ab3c45085b07c565dea4d8e4cb2dd488741b31a91a841f240410a4131a2ab513

SHA512
bb862a38e9bd1f94f95d830d2af6082fb0edb2da68365cbfec9d020ad7325d9870527103fdd17a2ac3ed8798012987315f5d104d1104a97ceac325e9235da290

Download Submit