114a7e165cf55a1eb663f361276083880d0c3cd8b01978d53966e58b45d84ee9

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
Size

188KB
MD5

ecd471f4a10c5b47f80596b11c414515
SHA1

199b1d0d627807b02ddf54d8a31355b19659e676
SHA256

114a7e165cf55a1eb663f361276083880d0c3cd8b01978d53966e58b45d84ee9
SHA512

58a85570b9abbee11bb5397589bc1986ade76fdacac7ce0c1a2ef9392e2833e734170a2fe586b0e405cb7315b501f8aa17588f927cfeec5d387406489a4bc501
SSDEEP

3072:Hj4SvdQqQ7b4zxMJsSmJMnTQFlKRilqoq6v/:8DqM4zk02qfMot

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vasos.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
928	vasos.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /L"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /s"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /S"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /t"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /T"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /b"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /x"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /N"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /e"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /X"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /a"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /p"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /D"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /z"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /W"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /j"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /y"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /Z"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /w"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /f"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /F"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /m"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /K"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /d"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /r"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /I"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /M"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /U"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /i"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /C"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /V"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /E"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /B"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /J"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /P"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /o"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /G"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /v"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /o"	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /A"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /Y"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /Q"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /q"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /k"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /R"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /h"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /H"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /u"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /n"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /O"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /g"	vasos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vasos = "C:\\Users\\Admin\\vasos.exe /c"	vasos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vasos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe
928	vasos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
928	vasos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 928	3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe	84
PID 3196 wrote to memory of 928	3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe	84
PID 3196 wrote to memory of 928	3196	ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecd471f4a10c5b47f80596b11c414515_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\vasos.exe
  "C:\Users\Admin\vasos.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vasos.exe

Filesize
188KB

MD5
1ef96d1b559f871ee5e794b7404dfb5a

SHA1
889f12f95d9eb6869b1f5795567c9860ffd6ce44

SHA256
270f6c9349e758e53c879ab0f320b3d805e5ca15afc50a685779b6b8e61a4bc4

SHA512
aadba3b2f5f7cf54ef1361a99b7bad3c1c99b003fb459add9c16155af4f73844339e79823d954a242eb252d4c21ac2fde6d907ea55a5d02e8837fd41a2f2ba7b

Download Submit