085c9edfbb616fb44d91832579d5d774955c69d090757bd98c6572993729c55f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
Size

228KB
MD5

da209969c33db24fa5c7116d2e7fd5bf
SHA1

db8a6bfa43908adddff9dccbd89fef9c514c8d2a
SHA256

085c9edfbb616fb44d91832579d5d774955c69d090757bd98c6572993729c55f
SHA512

0155ff48eae7b7a2b7abdcd7f2529e566243868481745d1aec1fcd4f190454c1a6e476711d3ec138e7be191131704612305513c62f112ed3eeac2458e94b9730
SSDEEP

6144:MLGDh4jLt4NVcWgyGELwXiS8T+bbhn7aRjS5ZgBbfh:yGWntWyD1LiS8lS5ZIJ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zeiip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	zeiip.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /h"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /F"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /Z"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /A"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /G"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /W"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /B"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /Y"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /x"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /t"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /k"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /K"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /T"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /R"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /J"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /w"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /r"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /o"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /l"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /d"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /e"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /p"	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /M"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /N"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /U"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /u"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /n"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /S"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /m"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /c"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /b"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /v"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /I"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /f"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /P"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /p"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /L"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /z"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /E"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /D"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /i"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /V"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /s"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /C"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /Q"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /j"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /g"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /a"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /H"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /y"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /X"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /O"	zeiip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zeiip = "C:\\Users\\Admin\\zeiip.exe /q"	zeiip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zeiip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe
2320	zeiip.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
2320	zeiip.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2320	3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe	85
PID 3508 wrote to memory of 2320	3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe	85
PID 3508 wrote to memory of 2320	3508	da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da209969c33db24fa5c7116d2e7fd5bf_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\zeiip.exe
  "C:\Users\Admin\zeiip.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zeiip.exe

Filesize
228KB

MD5
59363ba16c898afed30b9e474e6dad24

SHA1
79ff7a400ab9947a6dfe3b8ef28bbb95c964fe69

SHA256
98b93a51efaaf6dbf360906c385fe6343cb594050e28ab3591d4e0ce40b44adb

SHA512
298ec1496de0317b706de63cdb3c6060a03b64433d9e5210e516c38b6671c9b2d00d06083ed448c86debd4a65d637cc87d211761d0e1b353bdaa11edaf6eedfd

Download Submit