Analysis
-
max time kernel
149s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 04:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe
-
Size
152KB
-
MD5
ecdda6fdb5072617d936eb827c7187f7
-
SHA1
3e8da0b81b15339935929e6d77ca1e686a11be85
-
SHA256
a6cfc30230f60be473e541ca02cc81141ee7091efbad6b1edcea7621e905d783
-
SHA512
44f2d0963b9b466447a40449fb26e82e345db8bb476fc4af63536eade02d2eba5529a4ebdb91554e71606eb25e9c4ad6b5cc5c6e7f107e6eede443ae51a244a1
-
SSDEEP
3072:7mlwPTYhjIgx+7MxJUbaxI3zQyzLBuT+ZAok:6x+7Mxa0yzd1k
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nihoj.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4488 nihoj.exe -
Adds Run key to start application 2 TTPs 50 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /a" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /k" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /z" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /c" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /v" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /A" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /x" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /Y" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /X" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /E" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /l" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /b" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /u" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /S" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /I" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /T" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /Q" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /U" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /L" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /K" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /y" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /O" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /i" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /d" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /N" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /B" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /M" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /G" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /R" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /e" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /m" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /f" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /w" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /H" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /V" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /n" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /C" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /F" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /j" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /t" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /h" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /P" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /W" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /S" ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /J" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /D" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /r" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /Z" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /o" nihoj.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nihoj = "C:\\Users\\Admin\\nihoj.exe /s" nihoj.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nihoj.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe 4488 nihoj.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 4488 nihoj.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2120 wrote to memory of 4488 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 82 PID 2120 wrote to memory of 4488 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 82 PID 2120 wrote to memory of 4488 2120 ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ecdda6fdb5072617d936eb827c7187f7_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\nihoj.exe"C:\Users\Admin\nihoj.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4488
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD5a45fd7f581c1e30841d472b02f1efb46
SHA106102f668e5132bbab7f5d24a701b953e502ad77
SHA256718d9cf4fc348680ec4ddaa5f9b95d46e3afdba4053a64bf4d95cb1c93d5b521
SHA512424bc310563ba0eab99a1d12dd1e96964268e9bd4897f69018fa4cd9ec0ad93074dfdcb9570220d89fab7f19fcbce9f4408ff531811777382115b95a6de21610