8f3cf1cca75da6c72e5e2d10d9a495f828d8c4313630157a659bc77811743f3b

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
Size

192KB
MD5

ba2cd5fc940f8212c788ed3a959db2a0
SHA1

ae300eb4225fd1abb1552fceb7d3eab3c476bac8
SHA256

8f3cf1cca75da6c72e5e2d10d9a495f828d8c4313630157a659bc77811743f3b
SHA512

e8510bfc523019cbecc331e8c91dec55cab1a3cd6592ce5b29ac50f478ea68bc27176906958e8edcf5a1a1921be6b8bdef92a661a4cd344a7f2a12907fb6804b
SSDEEP

3072:3wBJIch+RH5UL1iUG3KgKLKRKoVqR5VxerayK/fObT/bGicFgvXb6jGJLX:3wBJdcRZSgKgKLKRKoVqRTxEpK/fObTD

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	raazo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	raazo.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /y"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /K"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /j"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /L"	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /Y"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /O"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /u"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /J"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /C"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /P"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /Q"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /k"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /F"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /X"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /m"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /U"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /e"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /M"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /B"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /V"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /p"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /f"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /A"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /S"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /d"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /W"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /l"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /L"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /I"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /v"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /c"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /n"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /o"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /s"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /E"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /Z"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /x"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /z"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /T"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /R"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /r"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /G"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /D"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /q"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /b"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /w"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /i"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /h"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /H"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /a"	raazo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raazo = "C:\\Users\\Admin\\raazo.exe /g"	raazo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raazo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe
4464	raazo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
4464	raazo.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4464	4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe	90
PID 4928 wrote to memory of 4464	4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe	90
PID 4928 wrote to memory of 4464	4928	ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba2cd5fc940f8212c788ed3a959db2a0_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\raazo.exe
  "C:\Users\Admin\raazo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\raazo.exe

Filesize
192KB

MD5
1649d811366f91149e23c917b0c36b97

SHA1
4c64e8408c9f4ae216be4ae72b44096ae9dd3332

SHA256
e6fd69fb596b580437e7718ce63de9de53c0bc9687e2835e1ca13673f184d38b

SHA512
17feb0123143c30782d6af8a3e807b713fc34f81c13dba3ad1ac579e03a6ad2cfb0419022e56f0634aa999291c6bce93b6988927ae7f877f31b39f7f467e95b8

Download Submit