79df06218d4e6cd4fa92da8469204b1c6da29593b17ee837ec30704fb5868945

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Size

138KB
MD5

fd6adced194a9854b26a2a622b53fed6
SHA1

f98bae76e4577c80ff19380df1bf0dc653507597
SHA256

79df06218d4e6cd4fa92da8469204b1c6da29593b17ee837ec30704fb5868945
SHA512

4c30dc5980268d69fee14724b32e0700cc608182fb8e802d5a1c5786f769394160aa39595dd27123f96ff067b76586a852a119abc48114921f4e4904ad91ed14
SSDEEP

3072:7qwcT3m86A/fn7JRk+9MZAphegNHCllRH9LWHOo5qCx6l/jHnQsQe:7qwcTWVA/v7fk+9MGphegNHCzOu/jQst

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	fowe.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{177F885D-88FD-371F-EDCA-1B578AF06519} = "C:\\Users\\Admin\\AppData\\Roaming\\Sehih\\fowe.exe"	fowe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4F3564DD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe
2760	fowe.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1924	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1924	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1924	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2760	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2760	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2760	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2760	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	28
PID 2760 wrote to memory of 1252	2760	fowe.exe	19
PID 2760 wrote to memory of 1252	2760	fowe.exe	19
PID 2760 wrote to memory of 1252	2760	fowe.exe	19
PID 2760 wrote to memory of 1252	2760	fowe.exe	19
PID 2760 wrote to memory of 1252	2760	fowe.exe	19
PID 2760 wrote to memory of 1328	2760	fowe.exe	20
PID 2760 wrote to memory of 1328	2760	fowe.exe	20
PID 2760 wrote to memory of 1328	2760	fowe.exe	20
PID 2760 wrote to memory of 1328	2760	fowe.exe	20
PID 2760 wrote to memory of 1328	2760	fowe.exe	20
PID 2760 wrote to memory of 1376	2760	fowe.exe	21
PID 2760 wrote to memory of 1376	2760	fowe.exe	21
PID 2760 wrote to memory of 1376	2760	fowe.exe	21
PID 2760 wrote to memory of 1376	2760	fowe.exe	21
PID 2760 wrote to memory of 1376	2760	fowe.exe	21
PID 2760 wrote to memory of 1224	2760	fowe.exe	23
PID 2760 wrote to memory of 1224	2760	fowe.exe	23
PID 2760 wrote to memory of 1224	2760	fowe.exe	23
PID 2760 wrote to memory of 1224	2760	fowe.exe	23
PID 2760 wrote to memory of 1224	2760	fowe.exe	23
PID 2760 wrote to memory of 2332	2760	fowe.exe	27
PID 2760 wrote to memory of 2332	2760	fowe.exe	27
PID 2760 wrote to memory of 2332	2760	fowe.exe	27
PID 2760 wrote to memory of 2332	2760	fowe.exe	27
PID 2760 wrote to memory of 2332	2760	fowe.exe	27
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 572	2332	fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe	30
PID 2760 wrote to memory of 704	2760	fowe.exe	32
PID 2760 wrote to memory of 704	2760	fowe.exe	32
PID 2760 wrote to memory of 704	2760	fowe.exe	32
PID 2760 wrote to memory of 704	2760	fowe.exe	32
PID 2760 wrote to memory of 704	2760	fowe.exe	32
PID 2760 wrote to memory of 2192	2760	fowe.exe	33
PID 2760 wrote to memory of 2192	2760	fowe.exe	33
PID 2760 wrote to memory of 2192	2760	fowe.exe	33
PID 2760 wrote to memory of 2192	2760	fowe.exe	33
PID 2760 wrote to memory of 2192	2760	fowe.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1252

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd6adced194a9854b26a2a622b53fed6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Roaming\Sehih\fowe.exe
    "C:\Users\Admin\AppData\Roaming\Sehih\fowe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpfa99be83.bat"
    3⤵
    - Deletes itself
    PID:572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1224

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
d03b16b4405aa3b64bdabdfbb3257590

SHA1
67edfb3382f9d60031466f7562dfdf2569d449a3

SHA256
aefb04222d25c592f56c12cc807169ba5f90ca6b393c05cd506bd1b8035b933c

SHA512
d149ce804555f2117c3104ef8908676f6c59a69effdf2173c91d2d710be1b9459088fb4c3f92c646e242ae8e8ba17efd6d6829aa57fe10daf24d8caa9d053976

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfa99be83.bat

Filesize
271B

MD5
88c0acb9d704c826de1a372035b27bbc

SHA1
d44a7880d6dbfc831fd47f8a5bbee397870f8549

SHA256
c34fc74483b2f50e91a00b4155e3d96b48160971a25191c86dced1c46af21178

SHA512
91f059a94f28fc8d91555973b8551639869eb771ccdf5251cc3ff3644747f005b011cc3ac2de0c3fa0f7a637e741f2f281f2d0e94ff377710955ed7743743eb3

Download Submit
C:\Users\Admin\AppData\Roaming\Wieqnu\ehceo.coe

Filesize
380B

MD5
2057d86c06e034fba502526cebf4b9ec

SHA1
2fc15d89d74c32537541989bf489ffc7887e1551

SHA256
02fc80fe1ef3e3ef47dbd56afb1326284d7789a7925400e8fde1a4cf8e35d212

SHA512
cd2fb5340dd08d695ee1451d3eaeaced1d46304fce95ef9a1950e65f5729aee2f3f2d4c9fb673b4cf58fabeb53b36896ee8c9142eed93ed53fd0e8b498c4f5f2

Download Submit
\Users\Admin\AppData\Roaming\Sehih\fowe.exe

Filesize
138KB

MD5
e82250b10628e0788f76aff8d0ac4300

SHA1
655803250fb60f62d9f83190f3ee1e1d65646995

SHA256
720562ccfb97be9bdf55998b6ce69aa68a8d216290b5186f481f0e8b7179865b

SHA512
5dd135caa21e9dc2efc5961553f98684c2d8f92e890f98566ad5ddf873b1926b555549b3902c663c978d8275f0e9536633f63dea56ca280a75292e33a52a250e

Download Submit
memory/572-219-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/572-216-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/572-308-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/572-309-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/572-217-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/1224-32-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1224-38-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1224-34-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1224-36-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/1252-12-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/1252-14-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/1252-10-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/1252-18-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/1252-16-0x0000000001F10000-0x0000000001F37000-memory.dmp

Filesize
156KB

Download
memory/1328-21-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1328-24-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1328-23-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1328-22-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1376-29-0x0000000002950000-0x0000000002977000-memory.dmp

Filesize
156KB

Download
memory/1376-28-0x0000000002950000-0x0000000002977000-memory.dmp

Filesize
156KB

Download
memory/1376-27-0x0000000002950000-0x0000000002977000-memory.dmp

Filesize
156KB

Download
memory/1376-26-0x0000000002950000-0x0000000002977000-memory.dmp

Filesize
156KB

Download
memory/2332-73-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-66-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-62-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-56-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-54-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-52-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-50-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-48-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-46-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-137-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-75-0x00000000773D0000-0x00000000773D1000-memory.dmp

Filesize
4KB

Download
memory/2332-213-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2332-41-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-42-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-43-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-45-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2332-44-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download