4efefd8b0713d163eb63a8275d2ffbe54744a3aefd3a1cf3cae3554ae65609d0

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
Size

100KB
MD5

ed8b389ad909e9070be66576ba10cd64
SHA1

96b4b7b9de945ea94a30420c467a874327e12b77
SHA256

4efefd8b0713d163eb63a8275d2ffbe54744a3aefd3a1cf3cae3554ae65609d0
SHA512

986e543ebab14f769654dde033b7b2ba3d2376b663ddc6c88622d5f7b6054f502866759c9713673ad1153bb57750f6090be496efc191c8c11904da3b90c3b16b
SSDEEP

1536:tAtGY82NTzweMGAc4ohrPXo+73Rez8b0SyuNIjnZq:qwBurPX7CuCnY

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hiuci.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	hiuci.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /W"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /j"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /a"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /D"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /R"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /q"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /P"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /N"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /X"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /A"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /w"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /E"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /y"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /k"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /f"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /m"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /H"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /p"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /I"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /B"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /d"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /i"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /n"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /t"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /L"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /o"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /Y"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /s"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /G"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /M"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /Z"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /x"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /c"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /e"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /z"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /h"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /b"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /v"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /O"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /S"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /U"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /r"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /T"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /u"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /g"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /B"	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /C"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /K"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /J"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /F"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /Q"	hiuci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiuci = "C:\\Users\\Admin\\hiuci.exe /V"	hiuci.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiuci.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe
4528	hiuci.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
4528	hiuci.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4528	3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe	93
PID 3508 wrote to memory of 4528	3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe	93
PID 3508 wrote to memory of 4528	3508	ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed8b389ad909e9070be66576ba10cd64_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\hiuci.exe
  "C:\Users\Admin\hiuci.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3768,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hiuci.exe

Filesize
100KB

MD5
8c7673b2fe56cb51adcaea47a9f171c5

SHA1
bd0af0cdc015b8fbba754a826ab640e65c21e344

SHA256
8dbf4614cdeae1fb48444230323f0f1873af2ef5b9adbb019791b8fc03f26a0a

SHA512
aaf3bc3fc4d1ae016dd5cfccab3f0191910a4b03ff6a89b84adc5ed10d115ded4a29642087f766f2e0bad5bade535cfe1d4345d514cea38b4a2dcd52c04aac8b

Download Submit