4af834b5d3f53485fc3df66af0ccf87b7fdd63944023fde7fbe6120255e5aeb0

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 08:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe
Size

307KB
MD5

629a6d1937350ffc1b6058e749d35214
SHA1

553c5619424ebeb8fa98d4ecb405b2eefcff5773
SHA256

4af834b5d3f53485fc3df66af0ccf87b7fdd63944023fde7fbe6120255e5aeb0
SHA512

dce235cd8906153f0db272e1e19c1f36da5d95c1229243fd67ad09ce9f34bb8389755cfa9cb1b85c8337156e2da9f160fc0088004b9cea0243af41bfefb6c7ce
SSDEEP

6144:Ytj4qBy6cqJuzYrB4YbDgEtOLTSqT4aQWeWwBGE47WvWT:Kj3GcBvoEtQTS5aQWKh4i+T

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
296	edmoux.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe
1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Edmoux = "C:\\Users\\Admin\\AppData\\Roaming\\Carizu\\edmoux.exe"	edmoux.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe
296	edmoux.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 296	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	28
PID 1628 wrote to memory of 296	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	28
PID 1628 wrote to memory of 296	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	28
PID 1628 wrote to memory of 296	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	28
PID 296 wrote to memory of 1104	296	edmoux.exe	19
PID 296 wrote to memory of 1104	296	edmoux.exe	19
PID 296 wrote to memory of 1104	296	edmoux.exe	19
PID 296 wrote to memory of 1104	296	edmoux.exe	19
PID 296 wrote to memory of 1104	296	edmoux.exe	19
PID 296 wrote to memory of 1168	296	edmoux.exe	20
PID 296 wrote to memory of 1168	296	edmoux.exe	20
PID 296 wrote to memory of 1168	296	edmoux.exe	20
PID 296 wrote to memory of 1168	296	edmoux.exe	20
PID 296 wrote to memory of 1168	296	edmoux.exe	20
PID 296 wrote to memory of 1196	296	edmoux.exe	21
PID 296 wrote to memory of 1196	296	edmoux.exe	21
PID 296 wrote to memory of 1196	296	edmoux.exe	21
PID 296 wrote to memory of 1196	296	edmoux.exe	21
PID 296 wrote to memory of 1196	296	edmoux.exe	21
PID 296 wrote to memory of 1628	296	edmoux.exe	27
PID 296 wrote to memory of 1628	296	edmoux.exe	27
PID 296 wrote to memory of 1628	296	edmoux.exe	27
PID 296 wrote to memory of 1628	296	edmoux.exe	27
PID 296 wrote to memory of 1628	296	edmoux.exe	27
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29
PID 1628 wrote to memory of 2740	1628	629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\629a6d1937350ffc1b6058e749d35214_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Roaming\Carizu\edmoux.exe
    "C:\Users\Admin\AppData\Roaming\Carizu\edmoux.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\XMZF86E.bat"
    3⤵
    - Deletes itself
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XMZF86E.bat

Filesize
267B

MD5
9227d94e21e7520dfe7bb3b5ea5d8f69

SHA1
4960179d4dea6eadf7dd98483a6cb29a82d53bf5

SHA256
969805a3366023d9c08b3722867a1829236b3a254988f6a4015b67a50a8c011e

SHA512
faf6ecb05b6f9d7ba6192ac1d1b7ed947a5ff76ba2b1d4271437871c07a803bdba9806286e4343dfadbb4437c6390bc3b7a8ce105ba23a29a15c55aa84455af1

Download Submit
\Users\Admin\AppData\Roaming\Carizu\edmoux.exe

Filesize
307KB

MD5
c2ad0258122da4b1bdb830a58adc8df0

SHA1
a63f1adb19fd9dbdcca328a0e5baa09592064d73

SHA256
71a241a7cbb25b173c7e3c12b7805466bfd7f193c484209d9b7069e5fd679b0a

SHA512
887e006b661b7d4d7a872e71f2aa542fa703acf0ee2b037933fe9f57323a0c0c6f0b4b8ed3091d483bbd41df6dc18ebb036bdbf09c25e8bfa392ea0d1501c76c

Download Submit
memory/296-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-12-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/296-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-68-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-81-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/296-73-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1104-18-0x0000000000490000-0x00000000004D9000-memory.dmp

Filesize
292KB

Download
memory/1104-19-0x0000000000490000-0x00000000004D9000-memory.dmp

Filesize
292KB

Download
memory/1104-16-0x0000000000490000-0x00000000004D9000-memory.dmp

Filesize
292KB

Download
memory/1104-17-0x0000000000490000-0x00000000004D9000-memory.dmp

Filesize
292KB

Download
memory/1104-20-0x0000000000490000-0x00000000004D9000-memory.dmp

Filesize
292KB

Download
memory/1168-24-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1168-23-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1168-25-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1168-22-0x0000000000130000-0x0000000000179000-memory.dmp

Filesize
292KB

Download
memory/1196-27-0x0000000002DF0000-0x0000000002E39000-memory.dmp

Filesize
292KB

Download
memory/1196-28-0x0000000002DF0000-0x0000000002E39000-memory.dmp

Filesize
292KB

Download
memory/1196-29-0x0000000002DF0000-0x0000000002E39000-memory.dmp

Filesize
292KB

Download
memory/1196-30-0x0000000002DF0000-0x0000000002E39000-memory.dmp

Filesize
292KB

Download
memory/1628-39-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-38-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-46-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1628-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1628-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1628-35-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1628-36-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-40-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-34-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-33-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-32-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-37-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-43-0x0000000001DF0000-0x0000000001E39000-memory.dmp

Filesize
292KB

Download
memory/1628-42-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-44-0x0000000077820000-0x0000000077821000-memory.dmp

Filesize
4KB

Download
memory/1628-41-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1628-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2740-58-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-66-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2740-63-0x0000000077820000-0x0000000077821000-memory.dmp

Filesize
4KB

Download
memory/2740-56-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-57-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-59-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-61-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-60-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-62-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2740-55-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2740-53-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2740-50-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2740-51-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/2740-52-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download