Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 19:43

Static task: static1

Behavioral task: behavioral1
Sample: d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Size: 196KB
MD5: d6fb6cbafd13be0a4dee4199c8a1ced9
SHA1: 8cd7fecfc147afd0f23ba0eb383bce959f758a64
SHA256: c81673360f7d0e5ad6d78c96d541a4f3bd90b22286050a96131a6aa7deff9ffb
SHA512: 67ac10c3a52a50187d121f4866118e077efbd1ff88de9710754e07b36e7a59e64f3d54f7631dba3774a686a7d513be946d367001fd13c8c7d1279fc68b5b7c21
SSDEEP: 3072:t2SVnPybzV8Q3io0ce4LTI208YioBK9QRO8qeXQ:txVnPybzV8Oio0ctLTt08doLRO8qeg
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | veobeox.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
2068 | veobeox.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /V" | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /s" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /l" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /f" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /h" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /e" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /d" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /J" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /k" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /Z" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /H" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /a" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /O" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /W" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /U" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /L" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /i" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /T" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /Y" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /o" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /B" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /c" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /G" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /v" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /M" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /N" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /P" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /b" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /n" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /j" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /I" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /F" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /E" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /p" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /S" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /w" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /A" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /R" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /r" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /Q" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /K" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /g" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /q" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /m" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /D" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /u" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /y" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /C" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /z" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /V" | veobeox.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veobeox = "C:\\Users\\Admin\\veobeox.exe /x" | veobeox.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | veobeox.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
2068 | veobeox.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
2068 | veobeox.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4616 wrote to memory of 2068 | 4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe | 90
PID 4616 wrote to memory of 2068 | 4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe | 90
PID 4616 wrote to memory of 2068 | 4616 | d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6fb6cbafd13be0a4dee4199c8a1ced9_JaffaCakes118.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 4616

   2. C:\Users\Admin\veobeox.exe
      Command line: "C:\Users\Admin\veobeox.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2068
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Downloads

Filesize: 196KB
MD5: 98304de23a917dd1cc2b62c752d13e3d
SHA1: 4924fb7d0e768e9f825d84d9271e74253cf1a02b
SHA256: 4e97e4395dfa2996833eb632bbe975c21c090d690a7c5551ed0c92b7f02875c6
SHA512: 4f2a284335c6c17832a7cbcc2851c922c62221ba07c01a4febcc0c133b87341cd837e187921d38b7744b232bc85a95f59c3d6b6cb5bf2c50145aba8302744dda