9d3adf9bbd93454402aab73fd2cc5f4b231799123bc5c2f4c5845724a5c19f9a

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 08:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
Size

96KB
MD5

05160f0b0039f0bca598e09032c720e0
SHA1

69d06086aae11135c355357a9b2d633051aaf843
SHA256

9d3adf9bbd93454402aab73fd2cc5f4b231799123bc5c2f4c5845724a5c19f9a
SHA512

65770f2d2f689b896ae21cad59caaabbfb64dae88761c6a15a2be62c73742b7c392d47584f4e28d7ffbfd9c2143a7e17d617fa23624b96b8d9448dcc1c422922
SSDEEP

1536:bfEg52ebtyVQO8PXychWewjj3RJEEo/k3gzinynEkRldUEPjlijOewNIj/:DE/eUOychazRqEkMCRld8wC/

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xoija.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	xoija.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /N"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /X"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /J"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /T"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /V"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /x"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /a"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /F"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /Q"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /v"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /O"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /p"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /e"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /E"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /C"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /U"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /Y"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /z"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /j"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /m"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /B"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /k"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /P"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /y"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /w"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /d"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /W"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /f"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /R"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /M"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /H"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /q"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /S"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /L"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /Z"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /A"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /c"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /r"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /h"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /n"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /t"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /g"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /s"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /D"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /u"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /b"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /o"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /K"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /D"	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /i"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /l"	xoija.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoija = "C:\\Users\\Admin\\xoija.exe /I"	xoija.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoija.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe
2736	xoija.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
2736	xoija.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2736	2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2736	2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2736	2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe	31
PID 2080 wrote to memory of 2736	2080	05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05160f0b0039f0bca598e09032c720e0_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\xoija.exe
  "C:\Users\Admin\xoija.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\xoija.exe

Filesize
96KB

MD5
f08344238ce0cd68d35710f5676ca933

SHA1
f26bc38d6f988a94033ab77c58b05f1803b9c12a

SHA256
7eec220657657af80bbbffc2d364f057f5199202178ec7a062a8eab199764b03

SHA512
df8ec60878d0543001a8967eec4161922a083ac2a55246d85318ebab21e995c90fb615b7a1ad0938e7d7d25be32b477b8632ee39d1ffbf45bad3b244206bad19

Download Submit