Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2024 00:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe
-
Size
232KB
-
MD5
eeb3650eedafbb0b6aa687dc42c1c794
-
SHA1
48c2c09fec2ad9d4dc2e1225cb67b8610f466305
-
SHA256
5917b5c6c74b7a1d4f82568b23ef29a6c6b22c8a7fa54064ab6d65322ff1711f
-
SHA512
de516a4b31958b7268366e2dc467a9fa1679a46e31826dfb6372ce304599f785e47954cf7a9b36823002bdc54870be61088d6881507700482a6cde3977628a27
-
SSDEEP
6144:D3PFKs7dizxRJFBfWEqxF6snji81RUinK5qjbkxYu1S+:DPhYTBXibkx91L
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wipid.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4864 wipid.exe -
Adds Run key to start application 2 TTPs 26 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /i" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /u" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /t" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /e" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /v" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /a" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /z" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /q" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /w" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /b" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /l" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /m" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /j" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /y" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /x" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /n" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /c" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /k" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /o" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /d" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /p" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /f" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /x" eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /r" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /g" wipid.exe Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wipid = "C:\\Users\\Admin\\wipid.exe /s" wipid.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wipid.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe 4864 wipid.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 4864 wipid.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2040 wrote to memory of 4864 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 91 PID 2040 wrote to memory of 4864 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 91 PID 2040 wrote to memory of 4864 2040 eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eeb3650eedafbb0b6aa687dc42c1c794_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\wipid.exe"C:\Users\Admin\wipid.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4864
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
232KB
MD58495b6798c0c4b6254a19ddfae8e45b5
SHA10d04c8ff5f157d6160e33ffe3089fbfbb903f6dc
SHA256e3fa8bbaeda727efb584842e8c7ac3f66dda5c9354b207e608adb1725dd03f83
SHA5129ec52db88b6435f24df46579e8b27f69404d315d997cf673584d3e0adb27e69e2edb2b06867f22fce5b1021b89ca982b2229e703b80459103351631cbe4e6049