Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/09/2024, 09:50
Static task: static1
Behavioral task: behavioral1
  Sample: fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
Size: 124KB
MD5: fc0944e817e5ee1515f81fd00a899486
SHA1: 376599d0ff17c72581606474ee6901a9aa2fc526
SHA256: 84b02d85384f135adc0894bc1272238b971a0a7a01f9f43dfbf9bb0e9b3b3eb6
SHA512: 3127a601c46a285507e1e7ba75d49a57af891d42b5bf56d3b9a825459545a61eefd5673f0fb84b2bdb229c16e1df328fe5b91506bebb4130edc47f38c313f718
SSDEEP: 3072:U20sCbZSukOY8hrJFVcM/N/5sfqDfwqm4nYm:30sork6hrJ3cON/5sGq4p
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | maibin.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
5420 | maibin.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
All 52 entries are "Set value (str)" writes to the same key:
\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maibin
value written | Process
"C:\\Users\\Admin\\maibin.exe /l" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /V" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /W" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /q" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /M" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /y" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /e" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /c" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /p" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /T" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /N" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /L" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /Y" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /u" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /v" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /a" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /B" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /U" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /Z" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /i" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /f" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /F" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /z" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /n" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /G" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /R" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /k" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /K" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /m" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /I" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /X" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /E" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /t" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /x" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /C" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /j" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /D" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /g" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /a" | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
"C:\\Users\\Admin\\maibin.exe /O" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /o" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /H" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /b" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /w" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /h" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /A" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /s" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /Q" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /P" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /d" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /S" | maibin.exe
"C:\\Users\\Admin\\maibin.exe /J" | maibin.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | maibin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1276 | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe (2 entries)
5420 | maibin.exe (62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1276 | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
5420 | maibin.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1276 wrote to memory of 5420 | 1276 | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe | 85
PID 1276 wrote to memory of 5420 | 1276 | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe | 85
PID 1276 wrote to memory of 5420 | 1276 | fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe | 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc0944e817e5ee1515f81fd00a899486_JaffaCakes118.exe"
   PID: 1276
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\maibin.exe (child of PID 1276)
      Command line: "C:\Users\Admin\maibin.exe"
      PID: 5420
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads
Filesize: 124KB
MD5: f91f103b1d809e3a6a099d2d011f20dd
SHA1: f9809b6b4994fb790aa48f8cfd2105fd8d399f84
SHA256: 593cb70a03d86522c5f3a977ced3f9e35ccabd9feea3d93f5dfa7fd46ee4d8ca
SHA512: ad026024b714aeee4671272fa30cff182b7a17b87b0fff4ad67a931dc36182fddd0ab8fc873ed7b6e83d58ee96fdc912c837835412f056703d3a6fe4aa7c5187