e0ff33bd4000d69244737960d8e7aa97e4f9cadd60101da977b01117c77fd9fa

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe
Size

388KB
MD5

eb5d3deb7bad4169e39438ec0a64c1e4
SHA1

d1db3b0a0d5440f9c812b992d49e88405ac42f86
SHA256

e0ff33bd4000d69244737960d8e7aa97e4f9cadd60101da977b01117c77fd9fa
SHA512

e3f13f75a707a4affb3e2c05e01f116fb21fc492819c43df5d9844b517d459e03e7bab8960f7665881cb4cbeb4828f809df22e8302f3c3714053f94739ee5351
SSDEEP

12288:u8sxtxPNwXgcaDO094E7j/D9uyCaWy+B:uBjx1wQcS4E/D9uyRWyq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	oDi20430pKiHg20430.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	oDi20430pKiHg20430.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-6-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2000-12-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2684-20-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2684-24-0x0000000000400000-0x00000000004D7000-memory.dmp	upx
behavioral1/memory/2684-33-0x0000000000400000-0x00000000004D7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oDi20430pKiHg20430 = "C:\\ProgramData\\oDi20430pKiHg20430\\oDi20430pKiHg20430.exe"	oDi20430pKiHg20430.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	oDi20430pKiHg20430.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	oDi20430pKiHg20430.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	oDi20430pKiHg20430.exe
2684	oDi20430pKiHg20430.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2684	2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe	28
PID 2000 wrote to memory of 2684	2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe	28
PID 2000 wrote to memory of 2684	2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe	28
PID 2000 wrote to memory of 2684	2000	eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\ProgramData\oDi20430pKiHg20430\oDi20430pKiHg20430.exe
  "C:\ProgramData\oDi20430pKiHg20430\oDi20430pKiHg20430.exe" "C:\Users\Admin\AppData\Local\Temp\eb5d3deb7bad4169e39438ec0a64c1e4_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oDi20430pKiHg20430\oDi20430pKiHg20430

Filesize
192B

MD5
f2584ce4d0f7b66dbfee2a4f46f87c55

SHA1
6cebe453b802c03780097b1f60bcb92344a98b7d

SHA256
7834b48c54b2ca58198868448bd57dcd9a3130208cc613142dcb20e1a07e4e1e

SHA512
249913a0fd494ef6e4e458c267eb6a22526c3fda3a313cf6d2de9c7e931824562b6f312e97c8accbee8745faadf431617da25833473624724ee2c389b4cb6b40

Download Submit
\ProgramData\oDi20430pKiHg20430\oDi20430pKiHg20430.exe

Filesize
388KB

MD5
eb5d3deb7bad4169e39438ec0a64c1e4

SHA1
d1db3b0a0d5440f9c812b992d49e88405ac42f86

SHA256
e0ff33bd4000d69244737960d8e7aa97e4f9cadd60101da977b01117c77fd9fa

SHA512
e3f13f75a707a4affb3e2c05e01f116fb21fc492819c43df5d9844b517d459e03e7bab8960f7665881cb4cbeb4828f809df22e8302f3c3714053f94739ee5351

Download Submit
memory/2000-0-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2000-6-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2000-12-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2684-20-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2684-24-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2684-33-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download