46e459673eaf3e5e92a0c4d4c2f5dd5072bc293ba73b4cdbdb8e869150d9a482

Analysis

max time kernel
168s
max time network
170s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 10:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe
Size

320KB
MD5

eae3babb47d0e85ea88b436d1cb741e5
SHA1

93e8d356e19ec86a31945ba3c05898521f49e885
SHA256

46e459673eaf3e5e92a0c4d4c2f5dd5072bc293ba73b4cdbdb8e869150d9a482
SHA512

5a18180442590a25cb2cef09a811bc8065470a1c42efeaa8299a51a7818b69012e4cbc64e63cfcdd1487918b2eed37540e1de59aa3bc79a301a68d206d384e54
SSDEEP

6144:u0PZv5LLLLLLLL555vbbPZrrXZLrrrrUPeYlmxJRAPKXsKO72r9seZ+3SbBAlkuD:u1hloKyXrOk9hgSbBA2Qf

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2376	zoup.exe
2552	zoup.exe

Loads dropped DLL 2 IoCs

pid	Process
1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe
1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\{716CE7C8-8449-AD4E-8B2B-CDD0BB2BEECD} = "C:\\Users\\Admin\\AppData\\Roaming\\Onhun\\zoup.exe"	zoup.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 2376 set thread context of 2552	2376	zoup.exe	29

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe
2552	zoup.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1468 wrote to memory of 1496	1468	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	27
PID 1496 wrote to memory of 2376	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	28
PID 1496 wrote to memory of 2376	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	28
PID 1496 wrote to memory of 2376	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	28
PID 1496 wrote to memory of 2376	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	28
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 2376 wrote to memory of 2552	2376	zoup.exe	29
PID 1496 wrote to memory of 2744	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2744	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2744	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	30
PID 1496 wrote to memory of 2744	1496	eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe	30
PID 2552 wrote to memory of 1220	2552	zoup.exe	19
PID 2552 wrote to memory of 1220	2552	zoup.exe	19
PID 2552 wrote to memory of 1220	2552	zoup.exe	19
PID 2552 wrote to memory of 1220	2552	zoup.exe	19
PID 2552 wrote to memory of 1220	2552	zoup.exe	19
PID 2552 wrote to memory of 1332	2552	zoup.exe	20
PID 2552 wrote to memory of 1332	2552	zoup.exe	20
PID 2552 wrote to memory of 1332	2552	zoup.exe	20
PID 2552 wrote to memory of 1332	2552	zoup.exe	20
PID 2552 wrote to memory of 1332	2552	zoup.exe	20
PID 2552 wrote to memory of 1396	2552	zoup.exe	21
PID 2552 wrote to memory of 1396	2552	zoup.exe	21
PID 2552 wrote to memory of 1396	2552	zoup.exe	21
PID 2552 wrote to memory of 1396	2552	zoup.exe	21
PID 2552 wrote to memory of 1396	2552	zoup.exe	21

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1220

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eae3babb47d0e85ea88b436d1cb741e5_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Roaming\Onhun\zoup.exe
      "C:\Users\Admin\AppData\Roaming\Onhun\zoup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Roaming\Onhun\zoup.exe
        
        "C:\Users\Admin\AppData\Roaming\Onhun\zoup.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp555ef192.bat"
      4⤵
      Deletes itself
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp555ef192.bat

Filesize
271B

MD5
68bb159612764c8de9e73e2c455e1af7

SHA1
41c695bd5578125ec35a7832dda3c633524adab0

SHA256
b9fbc5ebd3f57bdbe2a43fbf203b7b954ffa6b19fff8f2bcbb8db478205d45b0

SHA512
93e161b39459a620094e3421a6520eb596c634d27b170c72c01960e2e2a8ab51eb6f99b9f5fd166134ccaa85e1f159563dac4b4e456265fcca355b433a6e656b

Download Submit
\Users\Admin\AppData\Roaming\Onhun\zoup.exe

Filesize
320KB

MD5
7b925dbf829fd6d22ce07a1958a6957c

SHA1
224174b65a82a00d615e0593e0bf9abb600e6a01

SHA256
3817911b9a822e9dab97054ee78708bcf9fb374db0a612ab57bc6826339d0e99

SHA512
0d1dcb7e49e15e5d4ab5ac4cfc33c2cb046fa0f63a70f0f061c4f5c61ba17aee810dd6724264dd34d3bcd6dd7e70823e47f46c06007d8971463b5f5e75373788

Download Submit
memory/1220-55-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1220-54-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1220-53-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1220-52-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1332-61-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/1332-60-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/1332-58-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/1332-57-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/1396-66-0x0000000002640000-0x0000000002684000-memory.dmp

Filesize
272KB

Download
memory/1396-65-0x0000000002640000-0x0000000002684000-memory.dmp

Filesize
272KB

Download
memory/1396-64-0x0000000002640000-0x0000000002684000-memory.dmp

Filesize
272KB

Download
memory/1396-63-0x0000000002640000-0x0000000002684000-memory.dmp

Filesize
272KB

Download
memory/1468-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1468-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1496-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-28-0x0000000000550000-0x00000000005A5000-memory.dmp

Filesize
340KB

Download
memory/1496-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1496-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1496-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2376-29-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2376-43-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2552-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-67-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-75-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download