911064d52564ea84f288d22b459c64178dbf7fe2aeac2d88728eb11dffcf9090

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
Size

140KB
MD5

ed3f45a2be04b59e78b17e8e17269626
SHA1

0a5158a688b08b6b4a91a3522b6ddc73269eb300
SHA256

911064d52564ea84f288d22b459c64178dbf7fe2aeac2d88728eb11dffcf9090
SHA512

66f9167c2975999d59aea7a8ff29a1c3f64d11d49e1298384e85bab3cc245d5729c63c3e667670d17c7452dc208cab5e37c695323e2503d9159e06ad6781ddd3
SSDEEP

1536:tu0FB4TNyLV4Ji2+6wl4fAsyCsJ2AyJOSfNifNuzyWNiEFrsUhKeT4oQu:miCi2+6CXfCZAyJH1i1uz3iE5j4oQu

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tiiam.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	tiiam.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /E"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /G"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /V"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /Q"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /g"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /P"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /c"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /N"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /Y"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /t"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /U"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /a"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /T"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /D"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /S"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /s"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /r"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /J"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /y"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /K"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /Z"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /n"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /j"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /W"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /R"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /B"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /l"	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /H"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /e"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /M"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /w"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /k"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /z"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /X"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /u"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /I"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /A"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /m"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /q"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /v"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /d"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /i"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /l"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /h"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /F"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /C"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /o"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /L"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /x"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /p"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /b"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /f"	tiiam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiiam = "C:\\Users\\Admin\\tiiam.exe /O"	tiiam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tiiam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe
1372	tiiam.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
1372	tiiam.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1372	2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe	86
PID 2792 wrote to memory of 1372	2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe	86
PID 2792 wrote to memory of 1372	2792	ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed3f45a2be04b59e78b17e8e17269626_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\tiiam.exe
  "C:\Users\Admin\tiiam.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tiiam.exe

Filesize
140KB

MD5
46159e2594299ab64381fe5e946bb77f

SHA1
0d527feec25413d242d6305bc0b82c535fe55c17

SHA256
9e3510c3bf018da5621b610af9b743eacf055903cbf0b3b95f0f6d0486b13c8b

SHA512
f3bf4e9e4160fc4d01244c4fa9e720c75d116f4be08c3a9121f94f85febc752718e848b72c8df723225da3543f2493154f3a655dc7baa3da83206143e1e8b52e

Download Submit