e3063ca257c155a54a05a2f717a036775c6d056247646e0d3556c8d5b73d23fb

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
Size

40KB
MD5

2957c436a7adcf35ea1f55e80063053f
SHA1

319a6eadf73d0c1de47693ecae385ac9cea0ee25
SHA256

e3063ca257c155a54a05a2f717a036775c6d056247646e0d3556c8d5b73d23fb
SHA512

e4a6b13db23cddc2467fa51ab8b40a3e86b347eb3df158f5007862b8055bdcadb9fdcf84bf5eea86716892234f22e784ada90dde580b4f1c1df97af65cff5f88
SSDEEP

768:daNIX6DV6Q2GH8qiNHXwHvbSCehr8HR0pvc:dOLPH8qgKgrQ4vc

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
432	Admin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe
432	Admin.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
432	Admin.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 432	4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe	86
PID 4468 wrote to memory of 432	4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe	86
PID 4468 wrote to memory of 432	4468	2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2957c436a7adcf35ea1f55e80063053f_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Admin.exe

Filesize
40KB

MD5
24aff90146d4e2051554eea5c85ceecd

SHA1
e36ca5dfa00ff3a4a42a6a85e2bfb98e5f911af4

SHA256
583350317a53c9e3a048a894274fc8280806d908430686a60cb7b5a84033c462

SHA512
65e7e066a3a49c610fc3a4d42e8497f8ce6b031740af2e61ebcd92ba0dd6e2d75cfa7c2d35d0b405a75e8119ab8b3a924952977ac8ce6131346c05b87940a508

Download Submit