f5a8d30578442b6a2419906dad36d0e75ce5d45b0444f64adfa8684fc3590227

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
Size

204KB
MD5

c1a3ccc0d840b9fce75fc1aff4638aa7
SHA1

2c1b04da0b5cf68afad297b68c67b03101b7bd80
SHA256

f5a8d30578442b6a2419906dad36d0e75ce5d45b0444f64adfa8684fc3590227
SHA512

5dce5906e8315745409ad688916811f20b3f896c91f7cf7f3655645161bd785cfe3fb1cae4397e375f0d813cd5b87441806eb4e9a8eb3c13b4757c7ac1782bae
SSDEEP

1536:Qv+OouHo1vzxHwxWDExNy3tQ9CW5EZWHakMwP9W6uXNh9h1AWa11GBPIdRONd+ww:CHo1DD00tQ9nLHbB9WTk9+Jgqmltvx

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xiuqiir.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	xiuqiir.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /l"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /p"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /z"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /e"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /u"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /w"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /f"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /v"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /d"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /a"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /t"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /c"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /q"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /j"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /n"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /j"	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /r"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /b"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /s"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /g"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /i"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /y"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /m"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /k"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /o"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /h"	xiuqiir.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiuqiir = "C:\\Users\\Admin\\xiuqiir.exe /x"	xiuqiir.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiuqiir.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe
2240	xiuqiir.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
2240	xiuqiir.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2240	3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe	91
PID 3580 wrote to memory of 2240	3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe	91
PID 3580 wrote to memory of 2240	3580	c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1a3ccc0d840b9fce75fc1aff4638aa7_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\xiuqiir.exe
  "C:\Users\Admin\xiuqiir.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xiuqiir.exe

Filesize
204KB

MD5
bea46263ebd17e38a15540454271519c

SHA1
019ed0958aa1daec1737d4a597a32cf0fdd0f9b1

SHA256
219b1887f67771d28c4464ff02844b03c032f20ec723d7fbd1b6bf5d0f46a5ad

SHA512
a9d843b100b9e0b6972eab1ff1c8c43d6aa0064c173234b758e0678fc695b5a43565cd764f0b3aba53c5e325dd6b362fe2884d79314a1f0b8d56b5520078de50

Download Submit