15b0cdb08785d2542f4850b75b1daed0fc7fcc616e52614f4e64667e293765df

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
Size

179KB
MD5

eda3642ff12338e7020cd5349ca75e91
SHA1

a55aa713e9307ca905dbbf92fbc0d0e778690876
SHA256

15b0cdb08785d2542f4850b75b1daed0fc7fcc616e52614f4e64667e293765df
SHA512

12753a188f183aba31ce34bc732f078a0cd4bb5f4eccef2fa8734399237bb501181786326c974e43c8c34905977106b4d930048ab2c6f171b94452915ffbbba4
SSDEEP

3072:aw47FWnfZTDY/bEwKtjj35fuqglO4In4rLAmyHmi2K/6pVl1p+61GUIJK:547FWfZTPw0jFB4I4AhnAVs+n

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1548	iwan.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x000b0000000160cc-5.dat	upx
behavioral1/memory/1548-13-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\{BDC79CD8-A225-5EB1-8C2A-29D50BEB3268} = "C:\\Users\\Admin\\AppData\\Roaming\\Eszyq\\iwan.exe"	iwan.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Privacy	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe
1548	iwan.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
Token: SeSecurityPrivilege	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
Token: SeSecurityPrivilege	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1548	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1548	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1548	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	28
PID 2916 wrote to memory of 1548	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	28
PID 1548 wrote to memory of 1120	1548	iwan.exe	19
PID 1548 wrote to memory of 1120	1548	iwan.exe	19
PID 1548 wrote to memory of 1120	1548	iwan.exe	19
PID 1548 wrote to memory of 1120	1548	iwan.exe	19
PID 1548 wrote to memory of 1120	1548	iwan.exe	19
PID 1548 wrote to memory of 1176	1548	iwan.exe	20
PID 1548 wrote to memory of 1176	1548	iwan.exe	20
PID 1548 wrote to memory of 1176	1548	iwan.exe	20
PID 1548 wrote to memory of 1176	1548	iwan.exe	20
PID 1548 wrote to memory of 1176	1548	iwan.exe	20
PID 1548 wrote to memory of 1256	1548	iwan.exe	21
PID 1548 wrote to memory of 1256	1548	iwan.exe	21
PID 1548 wrote to memory of 1256	1548	iwan.exe	21
PID 1548 wrote to memory of 1256	1548	iwan.exe	21
PID 1548 wrote to memory of 1256	1548	iwan.exe	21
PID 1548 wrote to memory of 1804	1548	iwan.exe	23
PID 1548 wrote to memory of 1804	1548	iwan.exe	23
PID 1548 wrote to memory of 1804	1548	iwan.exe	23
PID 1548 wrote to memory of 1804	1548	iwan.exe	23
PID 1548 wrote to memory of 1804	1548	iwan.exe	23
PID 1548 wrote to memory of 2916	1548	iwan.exe	27
PID 1548 wrote to memory of 2916	1548	iwan.exe	27
PID 1548 wrote to memory of 2916	1548	iwan.exe	27
PID 1548 wrote to memory of 2916	1548	iwan.exe	27
PID 1548 wrote to memory of 2916	1548	iwan.exe	27
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 2916 wrote to memory of 1632	2916	eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe	29
PID 1548 wrote to memory of 1008	1548	iwan.exe	31
PID 1548 wrote to memory of 1008	1548	iwan.exe	31
PID 1548 wrote to memory of 1008	1548	iwan.exe	31
PID 1548 wrote to memory of 1008	1548	iwan.exe	31
PID 1548 wrote to memory of 1008	1548	iwan.exe	31
PID 1548 wrote to memory of 1248	1548	iwan.exe	32
PID 1548 wrote to memory of 1248	1548	iwan.exe	32
PID 1548 wrote to memory of 1248	1548	iwan.exe	32
PID 1548 wrote to memory of 1248	1548	iwan.exe	32
PID 1548 wrote to memory of 1248	1548	iwan.exe	32
PID 1548 wrote to memory of 3056	1548	iwan.exe	35
PID 1548 wrote to memory of 3056	1548	iwan.exe	35
PID 1548 wrote to memory of 3056	1548	iwan.exe	35
PID 1548 wrote to memory of 3056	1548	iwan.exe	35
PID 1548 wrote to memory of 3056	1548	iwan.exe	35
PID 1548 wrote to memory of 3064	1548	iwan.exe	36
PID 1548 wrote to memory of 3064	1548	iwan.exe	36
PID 1548 wrote to memory of 3064	1548	iwan.exe	36
PID 1548 wrote to memory of 3064	1548	iwan.exe	36
PID 1548 wrote to memory of 3064	1548	iwan.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eda3642ff12338e7020cd5349ca75e91_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Eszyq\iwan.exe
    "C:\Users\Admin\AppData\Roaming\Eszyq\iwan.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7e4584f2.bat"
    3⤵
    - Deletes itself
    PID:1632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7e4584f2.bat

Filesize
271B

MD5
4295351330eac2fe6b7036f2fa733b0b

SHA1
5600708fa6b6a5c6e63f18d3b488ee21e2afc9a1

SHA256
9a4c0d00b76c3c27af5f5790ded643e2e75b3749547bd930ae25dcf16065d971

SHA512
6a4ec0da4d8db6487b8cbf2fc1961e04f032e1cc8126aade81db1fba0ff60120ff34e14914674e17e5e72f60a346d38f50b08f053273175499594f5ef5a7b630

Download Submit
C:\Users\Admin\AppData\Roaming\Axugu\yrxa.ufu

Filesize
380B

MD5
c3a78eeb6d9469a29003518d450dd936

SHA1
733944b6ca035790bc7bec63633c29a8765ce306

SHA256
c157ea208bb5364b285bce456a2c348f579b1c3346c9fe04584f5239527ebdd5

SHA512
a456f950fa8a6db06b10dfeedaf54a70fc07b534867252fcef10d7212a6593c4a2c446c0b759307b39fbc8853ef085cfe516dfbd92f242607af7bb3f78f941a9

Download Submit
\Users\Admin\AppData\Roaming\Eszyq\iwan.exe

Filesize
179KB

MD5
18a79949943df6a3d8aa68a57c180950

SHA1
33191a991049ffd936164f918362183ac576e574

SHA256
fbb57abf0ab0c20195555cbecca004f3a0e429cb411ba944f280c61af71c7dac

SHA512
475aa016db5f57a105ec69d1a7f11ee3a5b82318b87e4f07559b6eb5109c5eaeaa5db8e7dfbe55e8089c24b90c277eeb81b4ca4cf924aa171285f1d4b35b49a8

Download Submit
memory/1120-15-0x0000000001F10000-0x0000000001F36000-memory.dmp

Filesize
152KB

Download
memory/1120-18-0x0000000001F10000-0x0000000001F36000-memory.dmp

Filesize
152KB

Download
memory/1120-20-0x0000000001F10000-0x0000000001F36000-memory.dmp

Filesize
152KB

Download
memory/1120-22-0x0000000001F10000-0x0000000001F36000-memory.dmp

Filesize
152KB

Download
memory/1120-24-0x0000000001F10000-0x0000000001F36000-memory.dmp

Filesize
152KB

Download
memory/1176-28-0x0000000001FA0000-0x0000000001FC6000-memory.dmp

Filesize
152KB

Download
memory/1176-30-0x0000000001FA0000-0x0000000001FC6000-memory.dmp

Filesize
152KB

Download
memory/1176-32-0x0000000001FA0000-0x0000000001FC6000-memory.dmp

Filesize
152KB

Download
memory/1176-34-0x0000000001FA0000-0x0000000001FC6000-memory.dmp

Filesize
152KB

Download
memory/1256-37-0x0000000002500000-0x0000000002526000-memory.dmp

Filesize
152KB

Download
memory/1256-39-0x0000000002500000-0x0000000002526000-memory.dmp

Filesize
152KB

Download
memory/1256-40-0x0000000002500000-0x0000000002526000-memory.dmp

Filesize
152KB

Download
memory/1256-38-0x0000000002500000-0x0000000002526000-memory.dmp

Filesize
152KB

Download
memory/1548-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-249-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/1632-158-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1632-251-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1632-252-0x0000000000050000-0x0000000000076000-memory.dmp

Filesize
152KB

Download
memory/1804-42-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1804-45-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1804-44-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/1804-43-0x0000000001CB0000-0x0000000001CD6000-memory.dmp

Filesize
152KB

Download
memory/2916-49-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-61-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-63-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/2916-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-51-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-144-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2916-50-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-157-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-48-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-47-0x00000000002C0000-0x00000000002E6000-memory.dmp

Filesize
152KB

Download
memory/2916-12-0x00000000004B0000-0x00000000004E5000-memory.dmp

Filesize
212KB

Download
memory/2916-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-1-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/2916-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download