66b1da4c304c524360389d8ef1a8a270d522d1fbe007d367c1527b4a10212903

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
Size

364KB
MD5

b4e87952066b1707b308dc1b2ad13e28
SHA1

a7e7be92beb9f1c521c74cc46723342ea6daadd0
SHA256

66b1da4c304c524360389d8ef1a8a270d522d1fbe007d367c1527b4a10212903
SHA512

612b0ed57bc53afd4bc9b922958b3ffce1fda4c788829f087d10b3e2f32cb75e3afecdffc0de0edd90c75073fcc9885cae00e713df4b342ab8f8848be5dc1dd7
SSDEEP

3072:HdGAiXP90JuGEnvBlHplTOoX56B4uE7U4iy+LwldhzNkYMvMZqvREJH7T6toRG9a:e9yuPnvBBxYJxwphkYMvMZCDOZ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jienel.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	jienel.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /u"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /s"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /z"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /c"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /t"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /w"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /q"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /n"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /b"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /v"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /j"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /y"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /d"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /d"	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /l"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /k"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /i"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /m"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /r"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /f"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /o"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /p"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /e"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /h"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /a"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /x"	jienel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\jienel = "C:\\Users\\Admin\\jienel.exe /g"	jienel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jienel.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe
2728	jienel.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
2728	jienel.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2728	2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2728	2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2728	2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2728	2236	b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4e87952066b1707b308dc1b2ad13e28_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\jienel.exe
  "C:\Users\Admin\jienel.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jienel.exe

Filesize
364KB

MD5
7fb373423fe38d6882779a2ab431a432

SHA1
c152fa5301e5b4bfa71d2c01c7df9ff6cfb8f104

SHA256
5fcbc8c2845529fcf3806fcd9e6fe8757a7e333ac15c457aef99d3b00e4bef81

SHA512
c098956974da0737930eaefb71071efff8c91aa9564f0ff73d0d00a6beb706a626a3d98695daa764da0535365ffe04f961890dbf73475ba8bcc721b303cc3373

Download Submit