5c1a093155a50132f6f0c8ae43e3afbeeeca0af19e628b56a674920e71dd987f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Size

146KB
MD5

f40f1611ab3f0f2e68e6510f0dccd9a3
SHA1

5059996065bf2851c4ebde7830c91ca88f5fd580
SHA256

5c1a093155a50132f6f0c8ae43e3afbeeeca0af19e628b56a674920e71dd987f
SHA512

0715f3a760996a97279ec89ad275cdeb0e5b9e0f5ab7a6376b5a315df605f152bc06b58d9ce7fe0b55b232586976b83dc054d39790ee2cb15d3636325f92c3a2
SSDEEP

3072:lfzYe0x+5ZHydrsuLcKMvhXL/MkkVtJI3ED3tSG6:lfzYe0xcHydYuLiv54VzI3E96

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	ymwa.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Epomen = "C:\\Users\\Admin\\AppData\\Roaming\\Pohi\\ymwa.exe"	ymwa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Privacy	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4D1D7CD9-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe
2140	ymwa.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1412	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1412	WinMail.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2140	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	28
PID 2828 wrote to memory of 2140	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	28
PID 2828 wrote to memory of 2140	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	28
PID 2828 wrote to memory of 2140	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	28
PID 2140 wrote to memory of 1120	2140	ymwa.exe	19
PID 2140 wrote to memory of 1120	2140	ymwa.exe	19
PID 2140 wrote to memory of 1120	2140	ymwa.exe	19
PID 2140 wrote to memory of 1120	2140	ymwa.exe	19
PID 2140 wrote to memory of 1120	2140	ymwa.exe	19
PID 2140 wrote to memory of 1172	2140	ymwa.exe	20
PID 2140 wrote to memory of 1172	2140	ymwa.exe	20
PID 2140 wrote to memory of 1172	2140	ymwa.exe	20
PID 2140 wrote to memory of 1172	2140	ymwa.exe	20
PID 2140 wrote to memory of 1172	2140	ymwa.exe	20
PID 2140 wrote to memory of 1204	2140	ymwa.exe	21
PID 2140 wrote to memory of 1204	2140	ymwa.exe	21
PID 2140 wrote to memory of 1204	2140	ymwa.exe	21
PID 2140 wrote to memory of 1204	2140	ymwa.exe	21
PID 2140 wrote to memory of 1204	2140	ymwa.exe	21
PID 2140 wrote to memory of 1924	2140	ymwa.exe	23
PID 2140 wrote to memory of 1924	2140	ymwa.exe	23
PID 2140 wrote to memory of 1924	2140	ymwa.exe	23
PID 2140 wrote to memory of 1924	2140	ymwa.exe	23
PID 2140 wrote to memory of 1924	2140	ymwa.exe	23
PID 2140 wrote to memory of 2828	2140	ymwa.exe	27
PID 2140 wrote to memory of 2828	2140	ymwa.exe	27
PID 2140 wrote to memory of 2828	2140	ymwa.exe	27
PID 2140 wrote to memory of 2828	2140	ymwa.exe	27
PID 2140 wrote to memory of 2828	2140	ymwa.exe	27
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2828 wrote to memory of 1572	2828	f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2552	2140	ymwa.exe	32
PID 2140 wrote to memory of 2552	2140	ymwa.exe	32
PID 2140 wrote to memory of 2552	2140	ymwa.exe	32
PID 2140 wrote to memory of 2552	2140	ymwa.exe	32
PID 2140 wrote to memory of 2552	2140	ymwa.exe	32
PID 2140 wrote to memory of 2284	2140	ymwa.exe	33
PID 2140 wrote to memory of 2284	2140	ymwa.exe	33
PID 2140 wrote to memory of 2284	2140	ymwa.exe	33
PID 2140 wrote to memory of 2284	2140	ymwa.exe	33
PID 2140 wrote to memory of 2284	2140	ymwa.exe	33
PID 2140 wrote to memory of 1544	2140	ymwa.exe	34
PID 2140 wrote to memory of 1544	2140	ymwa.exe	34
PID 2140 wrote to memory of 1544	2140	ymwa.exe	34
PID 2140 wrote to memory of 1544	2140	ymwa.exe	34
PID 2140 wrote to memory of 1544	2140	ymwa.exe	34
PID 2140 wrote to memory of 636	2140	ymwa.exe	37
PID 2140 wrote to memory of 636	2140	ymwa.exe	37
PID 2140 wrote to memory of 636	2140	ymwa.exe	37
PID 2140 wrote to memory of 636	2140	ymwa.exe	37
PID 2140 wrote to memory of 636	2140	ymwa.exe	37
PID 2140 wrote to memory of 2952	2140	ymwa.exe	38
PID 2140 wrote to memory of 2952	2140	ymwa.exe	38
PID 2140 wrote to memory of 2952	2140	ymwa.exe	38
PID 2140 wrote to memory of 2952	2140	ymwa.exe	38
PID 2140 wrote to memory of 2952	2140	ymwa.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f40f1611ab3f0f2e68e6510f0dccd9a3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\Pohi\ymwa.exe
    "C:\Users\Admin\AppData\Roaming\Pohi\ymwa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp75a1f4ec.bat"
    3⤵
    - Deletes itself
    PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1924

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
208b14689de5468c9314aa6f7421f562

SHA1
252e9aa04fcd765d6529287a3b468419b873d20a

SHA256
1a0ffb04c66b0166bb2bcd348148f19c1b46f803004036b1007f866a3827b4b2

SHA512
5ba121c6815ac9517090cdbe40c383063e74b17d656ba539f524ee2902b483a1a699ec3e3f2d90ce0956a5c5807878b216ad7c8b48e2a47e15254fdac869b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp75a1f4ec.bat

Filesize
271B

MD5
aef4017c13cec8ba06d664498f4e9183

SHA1
bacc058674c831b1ae5fefb83ba1b34e8dca51a1

SHA256
f627968dc60668d233f9f0ab2f6b0a35f54667d79e39e8872cb578bcc8264bdc

SHA512
f446c6f321059c03a2bd3431ffc772c9b3913b382a189864659720a0e3c9ef068fc130d8de19c724ebfee6a443bdf0424c372656bb4ee870bfadf46057e01f81

Download Submit
C:\Users\Admin\AppData\Roaming\Regi\motar.vos

Filesize
4KB

MD5
528f52912e4ec67430ad55259dd819a8

SHA1
661208b72c6783a96dd307eb392db63a42fcce9e

SHA256
0d71b3d3f55554352fc9e5b44ee60b9eedd9464f68f45dbbf24e403cc148549a

SHA512
8fa2c981d13fd3328ddf3f1307c58f4a9c5299937f24a6f35da61698ac9365922d921224356eb9974deff4b1685181d869a967ca1fa67b2d8484b96cc90797ef

Download Submit
\Users\Admin\AppData\Roaming\Pohi\ymwa.exe

Filesize
146KB

MD5
a097b354cdb6bd6c2f071fcda83b1522

SHA1
b018ef44b8a04f12b6a15fbae1832782d775cc33

SHA256
74deb3fa397b028be0092caf077a44bac9d3e3865b8c564670255e1f634e1ea1

SHA512
f577820cfe59728d5badebcb7fdeb6973968cd880a03e86a6e6bde11c60b9f454682763fcd35dfe64a2cc68b98cb57b37e4725f83074e84df2b0b9f95e0cce98

Download Submit
memory/1120-26-0x0000000001B80000-0x0000000001BB9000-memory.dmp

Filesize
228KB

Download
memory/1120-25-0x0000000001B80000-0x0000000001BB9000-memory.dmp

Filesize
228KB

Download
memory/1120-23-0x0000000001B80000-0x0000000001BB9000-memory.dmp

Filesize
228KB

Download
memory/1120-24-0x0000000001B80000-0x0000000001BB9000-memory.dmp

Filesize
228KB

Download
memory/1120-22-0x0000000001B80000-0x0000000001BB9000-memory.dmp

Filesize
228KB

Download
memory/1172-29-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1172-31-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1172-33-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1172-35-0x00000000001A0000-0x00000000001D9000-memory.dmp

Filesize
228KB

Download
memory/1204-39-0x0000000002990000-0x00000000029C9000-memory.dmp

Filesize
228KB

Download
memory/1204-40-0x0000000002990000-0x00000000029C9000-memory.dmp

Filesize
228KB

Download
memory/1204-38-0x0000000002990000-0x00000000029C9000-memory.dmp

Filesize
228KB

Download
memory/1204-41-0x0000000002990000-0x00000000029C9000-memory.dmp

Filesize
228KB

Download
memory/1572-346-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/1572-543-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1572-542-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1572-344-0x0000000000050000-0x0000000000089000-memory.dmp

Filesize
228KB

Download
memory/1924-46-0x0000000001C90000-0x0000000001CC9000-memory.dmp

Filesize
228KB

Download
memory/1924-45-0x0000000001C90000-0x0000000001CC9000-memory.dmp

Filesize
228KB

Download
memory/1924-44-0x0000000001C90000-0x0000000001CC9000-memory.dmp

Filesize
228KB

Download
memory/1924-43-0x0000000001C90000-0x0000000001CC9000-memory.dmp

Filesize
228KB

Download
memory/2140-554-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2140-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-55-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-52-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-51-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-50-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-59-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-58-0x00000000776C0000-0x00000000776C1000-memory.dmp

Filesize
4KB

Download
memory/2828-61-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-63-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-65-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-67-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-69-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-71-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-73-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-75-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-77-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-79-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-241-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2828-56-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-49-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-341-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-48-0x00000000004F0000-0x0000000000529000-memory.dmp

Filesize
228KB

Download
memory/2828-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2828-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2828-0-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download