Analysis
- max time kernel: 14s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2025, 09:55
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
  Resource: win10v2004-20250314-en
General
- Target: JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
- Size: 260KB
- MD5: 8a8f27ab1dd1426f4c83670b661a60dc
- SHA1: 37b009f482608c90a64e48cf24610701a862d565
- SHA256: cf4c13acec898e8dfda2ee2cc18af281060b4f1210a7acf3d0ce741a5f7b1df5
- SHA512: 7b88f7473b4096454948b588348451d4d6f9ba00447e624ca6567d9f1dbac6a209fc59d874762b6a73a9e59406c6630cf426d1901b80943c36aa090352c84431
- SSDEEP: 6144:FdVNgTSrMaIl/jcLijfHFEHWzXvjT85R:FaTSrMaIqLlI/H85R
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ziemi.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Executes dropped EXE (1 IoC)
  pid | process
  2348 | ziemi.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2380 | JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
  2380 | JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
- Adds Run key to start application (2 TTPs, 12 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /P" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /D" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /x" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /s" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /o" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /X" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /C" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /M" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /J" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /W" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /a" | ziemi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziemi = "C:\\Users\\Admin\\ziemi.exe /Y" | ziemi.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ziemi.exe
- Modifies registry class (5 IoCs)
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | process
  2348 | ziemi.exe (15 identical entries)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3068 | explorer.exe (12 identical entries)
- Suspicious use of FindShellTrayWindow (24 IoCs)
  pid | process
  3068 | explorer.exe (24 identical entries)
- Suspicious use of SendNotifyMessage (16 IoCs)
  pid | process
  3068 | explorer.exe (16 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  2380 | JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe
  2348 | ziemi.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | procid_target
  PID 2380 wrote to memory of 2348 | 2380 | JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe | 31 (4 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a8f27ab1dd1426f4c83670b661a60dc.exe"
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\ziemi.exe (PID 2348)
    Command line: "C:\Users\Admin\ziemi.exe"
    Signatures:
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Windows\explorer.exe (PID 3068)
  Command line: explorer.exe
  Signatures:
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Active Setup (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (3)
Downloads
- Filesize: 260KB
  MD5: f2e2a3a1e0ffe135e2890006e3a01993
  SHA1: 12047777424d2db34efaf1b47083546dd0f9c0d4
  SHA256: 10587a104cc59a1b020f68fba968c90895ff7fc209a056f9a8fa3395b11d5770
  SHA512: 3a57d3e1dc815758050f4891900abc4a1d904b38bc6c797f7f52ff2568c351abeb714459c10527f183c6766783908ac6e73dffc834256cead88729a02557f83c