Analysis
-
max time kernel
100s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-10-2024 07:29
Static task
static1
Behavioral task
behavioral1
Sample
562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe
-
Size
320KB
-
MD5
562d0bb7551275effd57b42bf140e40a
-
SHA1
20cec1861dfb575b99d41573c83b0f41ddf0a86c
-
SHA256
a3a2c609b31ddfabd30a9b0b1d2eee475c6e8d1d26261454d540f815c0547d9d
-
SHA512
de1fbde18226f5b23ebf3064de82cc410147bf9e59b0a01f11bb56532bc076c90b4534ddfda3eae9aa69e1ebaf1a38e7dceb703db8e3c8179941282fe5aee820
-
SSDEEP
6144:0X+OBRtoITkA53pK122OWXHCmHZW50l7F9R6ew+:cNBRtMcow2OWXH5HZW5qHRX
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" waawon.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3520 waawon.exe -
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /o" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /h" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /h" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /b" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /t" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /k" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /s" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /e" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /n" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /r" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /y" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /y" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /i" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /x" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /b" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /k" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /d" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /a" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /g" 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /v" 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /a" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /g" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /j" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /w" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /c" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /s" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /u" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /f" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /j" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /d" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /c" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /x" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /p" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /g" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /q" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /i" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /u" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /v" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /e" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /t" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /p" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /o" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /w" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /q" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /r" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /m" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /v" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /n" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /m" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /f" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /l" waawon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /z" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /l" waawon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waawon = "C:\\Users\\Admin\\waawon.exe /z" waawon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language waawon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe 3520 waawon.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 3520 waawon.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2584 wrote to memory of 3520 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 92 PID 2584 wrote to memory of 3520 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 92 PID 2584 wrote to memory of 3520 2584 562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\562d0bb7551275effd57b42bf140e40a_JaffaCakes118.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\waawon.exe"C:\Users\Admin\waawon.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3520
-
Network
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestns1.helpupdates.comIN AResponse
-
Remote address:8.8.8.8:53Requestns1.helpupdates.netIN AResponsens1.helpupdates.netIN A107.178.223.183ns1.helpupdates.netIN A34.70.133.246ns1.helpupdates.netIN A104.155.138.21ns1.helpupdates.netIN A35.225.36.88
-
Remote address:8.8.8.8:53Requestns1.helpupdater.netIN AResponsens1.helpupdater.netIN A193.166.255.171
-
Remote address:8.8.8.8:53Requestns1.helpupdated.comIN AResponse
-
Remote address:8.8.8.8:53Requestns1.helpupdated.netIN AResponsens1.helpupdated.netIN A18.205.186.231
-
Remote address:8.8.8.8:53Requestns1.helpupdated.orgIN AResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.117.19.2.in-addr.arpaIN PTRResponse75.117.19.2.in-addr.arpaIN PTRa2-19-117-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTRResponse
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
122.0kB 3.5MB 2564 2557
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
65 B 128 B 1 1
DNS Request
ns1.helpupdates.com
-
65 B 129 B 1 1
DNS Request
ns1.helpupdates.net
DNS Response
107.178.223.18334.70.133.246104.155.138.2135.225.36.88
-
65 B 81 B 1 1
DNS Request
ns1.helpupdater.net
DNS Response
193.166.255.171
-
65 B 138 B 1 1
DNS Request
ns1.helpupdated.com
-
65 B 81 B 1 1
DNS Request
ns1.helpupdated.net
DNS Response
18.205.186.231
-
65 B 147 B 1 1
DNS Request
ns1.helpupdated.org
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.117.19.2.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10150.171.27.10
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.28.171.150.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
320KB
MD52d19ca3f3e03e9deb992802625c7c5ad
SHA165dd624a864858a6af24352533dcdac504de0d6b
SHA2566e2bda428f6cb96159030b5933470c328b145b924d50e7cf102a405a208b6e18
SHA512d29ac9d1097a07d7b510c634ea64ac80851bee2b93a762082be9fb29a6309b5fc39d78bd6443c9d3d1a4e31307348fef540f5e2d832f7c2cbee7aa8c53029daf