3099b9b76694dc4e239af592aeccbd61916d06ef26b867270fd2f48b5c2afee7

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe
Size

172KB
MD5

fa9630a92d6fe5793c1bd4108fbe69e0
SHA1

e90c273be96ac5a86bec5e623c8decfbff5ef2b6
SHA256

3099b9b76694dc4e239af592aeccbd61916d06ef26b867270fd2f48b5c2afee7
SHA512

69b7da2928baf9915afb00be8fd90bbdf698ba0fd1ef0c1173face34a5baa53b749c01297570a12a4755771a6856f3e4d101e9ce1706cae358f8ef2c82d05c0d
SSDEEP

3072:8uFYk4kXsggdXoszSIRkaRenJ9HVNa3j2VA8TWHjKZwzX3RfyY3WRv3E3i5:8irXTgdXoszSIRkaRenJ9HVNm2VA8TWY

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	guuubi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3392	guuubi.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /K"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /i"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /X"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /b"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /j"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /f"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /A"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /S"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /t"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /B"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /d"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /L"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /c"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /y"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /s"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /l"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /G"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /a"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /e"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /q"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /n"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /D"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /o"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /u"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /m"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /h"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /r"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /U"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /z"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /W"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /V"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /v"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /M"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /N"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /H"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /E"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /J"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /I"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /p"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /g"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /Y"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /O"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /T"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /C"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /k"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /P"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /F"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /R"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /Z"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /Q"	guuubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\guuubi = "C:\\Users\\Admin\\guuubi.exe /x"	guuubi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guuubi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe
3392	guuubi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1408	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe
3392	guuubi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3392	1408	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe	89
PID 1408 wrote to memory of 3392	1408	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe	89
PID 1408 wrote to memory of 3392	1408	fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa9630a92d6fe5793c1bd4108fbe69e0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\guuubi.exe
  "C:\Users\Admin\guuubi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4444,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\guuubi.exe

Filesize
172KB

MD5
3975332322e15b5a625847bb052cfe6c

SHA1
59f52214b44c10d2d334a63efabf54eb0223999f

SHA256
aa24227bfbda5db0486eabc1f3385d6387643b7d49d0bf4a8e9789b54c56ac3f

SHA512
9ace560ec1f9ca6cb0204f03dfd42a21c79e4d555082649602536e322350f6334b2d8db61903ea574ac70ca2c4ed40d085b34bf1b95522743891ad307c3dc495

Download Submit