27dd5bd63ca9c77464409f09d989eb89947f0827f38ec4215ac4474c2b51a367

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe
Size

333KB
MD5

e980fd498b9ce9a355f28afca7fe0ca1
SHA1

32803b73a08a5ddf0ace3139230c28ff4c57b7b1
SHA256

27dd5bd63ca9c77464409f09d989eb89947f0827f38ec4215ac4474c2b51a367
SHA512

a69f3f1d5822c27379edf4512464fdbc60a15ed2e42f911babeb130bc79f26a1372032cb0b7e37b83c4269c66e5e9a44b6bf6d71d098b47173505a322abc838c
SSDEEP

6144:XOXev74zue74KwdTJeJr6SLFdVB43K7H9DSbqLTFF3b3nznBnOn/3:zte8lJOzZdMeAud7zBO/3

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2132	ryefap.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3603BBC8-8463-AD4E-9CCF-EE96922FCD8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzzuba\\ryefap.exe"	ryefap.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe
2132	ryefap.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe
2132	ryefap.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2132	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2132	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2132	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	28
PID 1712 wrote to memory of 2132	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	28
PID 2132 wrote to memory of 1136	2132	ryefap.exe	19
PID 2132 wrote to memory of 1136	2132	ryefap.exe	19
PID 2132 wrote to memory of 1136	2132	ryefap.exe	19
PID 2132 wrote to memory of 1136	2132	ryefap.exe	19
PID 2132 wrote to memory of 1136	2132	ryefap.exe	19
PID 2132 wrote to memory of 1172	2132	ryefap.exe	20
PID 2132 wrote to memory of 1172	2132	ryefap.exe	20
PID 2132 wrote to memory of 1172	2132	ryefap.exe	20
PID 2132 wrote to memory of 1172	2132	ryefap.exe	20
PID 2132 wrote to memory of 1172	2132	ryefap.exe	20
PID 2132 wrote to memory of 1220	2132	ryefap.exe	21
PID 2132 wrote to memory of 1220	2132	ryefap.exe	21
PID 2132 wrote to memory of 1220	2132	ryefap.exe	21
PID 2132 wrote to memory of 1220	2132	ryefap.exe	21
PID 2132 wrote to memory of 1220	2132	ryefap.exe	21
PID 2132 wrote to memory of 1936	2132	ryefap.exe	23
PID 2132 wrote to memory of 1936	2132	ryefap.exe	23
PID 2132 wrote to memory of 1936	2132	ryefap.exe	23
PID 2132 wrote to memory of 1936	2132	ryefap.exe	23
PID 2132 wrote to memory of 1936	2132	ryefap.exe	23
PID 2132 wrote to memory of 1712	2132	ryefap.exe	27
PID 2132 wrote to memory of 1712	2132	ryefap.exe	27
PID 2132 wrote to memory of 1712	2132	ryefap.exe	27
PID 2132 wrote to memory of 1712	2132	ryefap.exe	27
PID 2132 wrote to memory of 1712	2132	ryefap.exe	27
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29
PID 1712 wrote to memory of 2624	1712	e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e980fd498b9ce9a355f28afca7fe0ca1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\Uzzuba\ryefap.exe
    "C:\Users\Admin\AppData\Roaming\Uzzuba\ryefap.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp654625f9.bat"
    3⤵
    - Deletes itself
    PID:2624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp654625f9.bat

Filesize
271B

MD5
9fe6a9b767b119896d54d4ed9be2b05c

SHA1
ef5e4e4c9fff07e0b075c7e2001ca6e1d7bd0423

SHA256
a52ba9c034fe0d95de283413151677e41ed3fd5d38f099d97f778b0b3c9b5390

SHA512
0303476d31fe2607c2907ab6b185a50f78c423522804c136fa02d3d6030f0eda413a0374d4d24bf82536eb3a33f21fff09a05de7ce176fbca84dfac1b9bdf679

Download Submit
\Users\Admin\AppData\Roaming\Uzzuba\ryefap.exe

Filesize
333KB

MD5
a5a5e64f450d255b7e98f238f1c6480f

SHA1
42084efee8ba58d78c4ed9e105801df3d51eaf50

SHA256
d3b5a88d8e2c3aeedc4abbe6ef2cd71a9d57b7136a1717f58cefb8688e7c60e3

SHA512
fd4ab41376595616f945a0e0157eab0791f5238c9a0dda31fa684c5bbc6580e6c4e8eb790001069d15d7f4f68e419d748596846df6a94a733946bc2cf9a6d0df

Download Submit
memory/1136-15-0x0000000001D00000-0x0000000001D46000-memory.dmp

Filesize
280KB

Download
memory/1136-17-0x0000000001D00000-0x0000000001D46000-memory.dmp

Filesize
280KB

Download
memory/1136-16-0x0000000001D00000-0x0000000001D46000-memory.dmp

Filesize
280KB

Download
memory/1136-14-0x0000000001D00000-0x0000000001D46000-memory.dmp

Filesize
280KB

Download
memory/1136-18-0x0000000001D00000-0x0000000001D46000-memory.dmp

Filesize
280KB

Download
memory/1172-21-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1172-22-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1172-23-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1172-24-0x0000000000250000-0x0000000000296000-memory.dmp

Filesize
280KB

Download
memory/1220-28-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/1220-29-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/1220-26-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/1220-27-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/1712-46-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-49-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-2-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1712-6-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1712-69-0x00000000004D0000-0x0000000000516000-memory.dmp

Filesize
280KB

Download
memory/1712-0-0x00000000004D0000-0x0000000000516000-memory.dmp

Filesize
280KB

Download
memory/1712-3-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1712-53-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-37-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-39-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-41-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-43-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-45-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1712-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1712-47-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-48-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-68-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1712-51-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/1712-50-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1712-52-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/1936-34-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

Filesize
280KB

Download
memory/1936-33-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

Filesize
280KB

Download
memory/1936-32-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

Filesize
280KB

Download
memory/1936-31-0x0000000001CA0000-0x0000000001CE6000-memory.dmp

Filesize
280KB

Download
memory/2132-11-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/2132-59-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2132-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2132-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2132-57-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2624-72-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-70-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-71-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-58-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-74-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-64-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-77-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2624-76-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2624-78-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-81-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-66-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download
memory/2624-62-0x00000000000C0000-0x0000000000106000-memory.dmp

Filesize
280KB

Download