3d9cb635fc8f7a867df8ca43cda7c8557b606eb027ac8d3fb07e86b4b162941d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
Size

364KB
MD5

ed33f4ef88292e62529b24f6137e7d58
SHA1

4786a62fa8994400c51523691f2f67863504122d
SHA256

3d9cb635fc8f7a867df8ca43cda7c8557b606eb027ac8d3fb07e86b4b162941d
SHA512

574495d03c6910bebd77a66590d80afab409d343c4f1f5101f5e18a2637584ade9c29c1108e73b0475a9f466c93bf69a9e9f465529775b90760002567fe04923
SSDEEP

3072:wtGAiXP9YJuGEnvBuHplTOoX56B4uE7U4iy+LwldhzNkYMvMZqvRtJ6toRG9DOsS:t92uPnvBcxYJxwphkYMvMZXDO

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ziiwiam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	ziiwiam.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /k"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /x"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /l"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /t"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /f"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /e"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /n"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /u"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /z"	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /j"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /p"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /a"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /v"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /s"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /z"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /d"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /i"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /o"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /g"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /y"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /m"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /q"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /r"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /w"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /b"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /c"	ziiwiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziiwiam = "C:\\Users\\Admin\\ziiwiam.exe /h"	ziiwiam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziiwiam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe
2732	ziiwiam.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
2732	ziiwiam.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2732	2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2732	2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2732	2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2732	2724	ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed33f4ef88292e62529b24f6137e7d58_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\ziiwiam.exe
  "C:\Users\Admin\ziiwiam.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ziiwiam.exe

Filesize
364KB

MD5
8b491642c8ae1d4ffc8f876bf6ffcd0e

SHA1
a70b758cb640e064312a02516363fbff23422582

SHA256
aa9b0f2440055d1111e55c7533e4092baa5bfac567483ad4dd3cb4be4fe77ba3

SHA512
91dff700fcefd5f2a07848fa98ba35f4d4dd9df2d3458c2e9c42641d47f4d78b20664b2a13e9881b46251474e4f8fa56a7795a3514442a92bfd602d4f7ac5b89

Download Submit