c924729c07970363a1f04c4f1f55dd77e882fb81cef042cd26aabd676d00dff4

General

Target

9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe
Size

88KB
MD5

9f0b859a757d8415d19fa53bda0d1c57
SHA1

fda8f94feb816f1f0016cbc31b33aa68777afab1
SHA256

c924729c07970363a1f04c4f1f55dd77e882fb81cef042cd26aabd676d00dff4
SHA512

86269122008b3725a9a3bf0d7256031c32a85320a900c0ed5cf76fe9cb256ed9701062aa96607d09a789078eb2f497d2f6048e4cd0224efdfb4a85e1c6e3762d
SSDEEP

1536:7FTkQFqSpy8tXG06YpqdXTsYJ/F+FBFIFGFYF7DUZxTZk/a:dcSs0G0mZJC

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

kauvu.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kauvu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

kauvu.exe

pid process

3360 kauvu.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kauvu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /i"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /X"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /U"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /y"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /F"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /d"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /v"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /c"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /s"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /h"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /K"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /P"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /G"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /g"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /I"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /z"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /a"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /R"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /O"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /b"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /D"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /t"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /H"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /p"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /M"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /E"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /f"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /S"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /T"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /m"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /Z"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /L"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /B"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /x"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /V"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /n"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /k"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /A"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /e"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /Y"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /C"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /j"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /q"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /Q"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /w"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /r"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /u"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /l"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /o"	kauvu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kauvu = "C:\\Users\\Admin\\kauvu.exe /W"	kauvu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exekauvu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kauvu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kauvu.exe

pid	process
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe
3360	kauvu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exekauvu.exe

pid process

3124 9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe
3360 kauvu.exe

pid	process
3124	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe
3360	kauvu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe

description	pid	process	target process
PID 3124 wrote to memory of 3360	3124	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe	kauvu.exe
PID 3124 wrote to memory of 3360	3124	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe	kauvu.exe
PID 3124 wrote to memory of 3360	3124	9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe	kauvu.exe

C:\Users\Admin\AppData\Local\Temp\9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f0b859a757d8415d19fa53bda0d1c57_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\kauvu.exe
  "C:\Users\Admin\kauvu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kauvu.exe

Filesize
88KB

MD5
d10b83b39f8ea38b459731adb1a75d59

SHA1
8c4781e1e0c9c15255f97182e66806031540c07a

SHA256
9649b486aac8dfc7e4775e2cc93f20b1b252fd92ab68d0f73239faebfbab425a

SHA512
710d475cfcb68779ff866fa5fefa2b3bb452d4b9f1fc52283e5b10c6f9917fbf171b0237d6a7d744b9651a100c5b624139120c47ac1fc91b235b1182e83367e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads