9614c56b333802d0656bd4f28eb53db00d37ae1c443f2c0ea95e0dfb5985b69f

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
Size

228KB
MD5

edd2ed1589df04b86669626e756d1e5a
SHA1

d4b071d93b1d254923cf6fb0441c7c25c307b796
SHA256

9614c56b333802d0656bd4f28eb53db00d37ae1c443f2c0ea95e0dfb5985b69f
SHA512

1c2d1dc4fa9e2b0ae732141802f18c9a12f6df0ffabc1dbdf2c67f3e0073dafca47d0e2ae6cba807f268eb6bf2dee5c211ccdee81b82a731901a3df9aed5b752
SSDEEP

6144:JKI93dwqsNy5ibpNjl4EqxF6snji81RUinKICw9:8IJdQxlC

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kaesu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
348	kaesu.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /h"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /x"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /i"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /n"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /m"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /z"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /w"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /u"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /v"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /e"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /a"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /w"	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /r"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /y"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /p"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /l"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /j"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /f"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /t"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /q"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /o"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /d"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /g"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /s"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /b"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /c"	kaesu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaesu = "C:\\Users\\Admin\\kaesu.exe /k"	kaesu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaesu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe
348	kaesu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
348	kaesu.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 348	3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe	88
PID 3076 wrote to memory of 348	3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe	88
PID 3076 wrote to memory of 348	3076	edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edd2ed1589df04b86669626e756d1e5a_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Users\Admin\kaesu.exe
  "C:\Users\Admin\kaesu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kaesu.exe

Filesize
228KB

MD5
059f3e29df0cd79cc8a5be5d563f8c89

SHA1
759a73ae0d7d23c270397955b22e674cbb691f17

SHA256
f098a88f716a886fd5fb695b5def89ac1e0cdc9b28066d8049b022fc7a5d0242

SHA512
eac3c132f8e1f5d9d762787b835669a3c3541a6cde7a3ead5ed5617188b2bd1d3ecec1d19abff0926290876eef8dfdae4081dc7db4d3c71b789cf52613202e65

Download Submit