d9e0aaaf76c8a7e484af6e30e9240ed5a6b4bc3a89f5cc674ea6d65399359ae4

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe
Size

104KB
MD5

29924917e3156e690c2e426d7766d8f2
SHA1

7810cb9a3d5f37d8076e559e693ad2ef3178f276
SHA256

d9e0aaaf76c8a7e484af6e30e9240ed5a6b4bc3a89f5cc674ea6d65399359ae4
SHA512

4e5591bcf0814b0c5cb290783cdd9a352d5ccb615ff78747ccf5ab938bf0b37c55e51f718b9f677da085756c206693840a53aa4082f9d599d57532967a8fc756
SSDEEP

1536:NSBn2J8+xp+Q/fGnOmXdvSh2cQlIJ/dH/5QOuyXRRRyRAR/RwRDyYWrMktgFgzgg:1+I+QW2Qcx/f6y4BoDJ

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ziavos.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	ziavos.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /T"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /G"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /A"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /j"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /F"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /D"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /o"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /B"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /t"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /g"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /x"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /c"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /r"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /k"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /q"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /h"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /N"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /s"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /l"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /f"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /e"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /K"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /I"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /Q"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /m"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /w"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /R"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /Z"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /u"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /V"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /v"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /d"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /L"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /H"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /y"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /i"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /U"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /X"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /n"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /P"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /z"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /a"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /b"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /C"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /S"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /E"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /p"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /Y"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /W"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /O"	ziavos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziavos = "C:\\Users\\Admin\\ziavos.exe /M"	ziavos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziavos.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe
4272	ziavos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
736	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe
4272	ziavos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 4272	736	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe	86
PID 736 wrote to memory of 4272	736	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe	86
PID 736 wrote to memory of 4272	736	29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29924917e3156e690c2e426d7766d8f2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\ziavos.exe
  "C:\Users\Admin\ziavos.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ziavos.exe

Filesize
104KB

MD5
53f4034c40324d7a8f4d64f350bdb969

SHA1
b56452f29c7aecb5420af11d9419f499f0a9db43

SHA256
9c2769453a1417acde3bb1c1bdab81fdeab0cec648a76d20a5731fee7698d283

SHA512
1ca2932e9b049f650186fbab4b194db988e587b6de7f5e3c9762a1337347149039326f598b4dd285ffb2ee3e57556825ef3344fdb59e7058d636bf0ae3761b5c

Download Submit