2341e219a4f0a093d41a5e0ed06f9bf29018bce746076ae1aee2d2694580237f

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
Size

290KB
MD5

69348937a51e422014c5b459bf3eb3e6
SHA1

097b7e45db2205d375cd1a2f9227b9a2b903c897
SHA256

2341e219a4f0a093d41a5e0ed06f9bf29018bce746076ae1aee2d2694580237f
SHA512

206208526995f7f6f2820347e7a68fbeeee62984024e50733096b51700327339ba26b16676ebbc4564c9baf8596fb95bad63e7607cf23c14a5eb5110bec36e3d
SSDEEP

6144:5fsOV09Du+Rc9DMQtc9LMojzmx1i68Nbk67pkkDvarkdYLx3IhpDM:JX2C9DGh1wi6AkephDv1Y13QpDM

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1492 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

boapz.exe

pid process

2116 boapz.exe
Loads dropped DLL 2 IoCs

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

pid process

2988 69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
2988 69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

pid	process
1492	cmd.exe

pid	process
2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

boapz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8AB77948-8466-AD4E-E8B6-6988D6F14A95} = "C:\\Users\\Admin\\AppData\\Roaming\\Yrax\\boapz.exe"	boapz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

description pid process target process

PID 2988 set thread context of 1492 2988 69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 2988 set thread context of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

boapz.exe

pid	process
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe
2116	boapz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exeboapz.exe

pid process

2988 69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
2116 boapz.exe

pid	process
2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
2116	boapz.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exeboapz.exe

description	pid	process	target process
PID 2988 wrote to memory of 2116	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	boapz.exe
PID 2988 wrote to memory of 2116	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	boapz.exe
PID 2988 wrote to memory of 2116	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	boapz.exe
PID 2988 wrote to memory of 2116	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	boapz.exe
PID 2116 wrote to memory of 1076	2116	boapz.exe	taskhost.exe
PID 2116 wrote to memory of 1076	2116	boapz.exe	taskhost.exe
PID 2116 wrote to memory of 1076	2116	boapz.exe	taskhost.exe
PID 2116 wrote to memory of 1076	2116	boapz.exe	taskhost.exe
PID 2116 wrote to memory of 1076	2116	boapz.exe	taskhost.exe
PID 2116 wrote to memory of 1168	2116	boapz.exe	Dwm.exe
PID 2116 wrote to memory of 1168	2116	boapz.exe	Dwm.exe
PID 2116 wrote to memory of 1168	2116	boapz.exe	Dwm.exe
PID 2116 wrote to memory of 1168	2116	boapz.exe	Dwm.exe
PID 2116 wrote to memory of 1168	2116	boapz.exe	Dwm.exe
PID 2116 wrote to memory of 1204	2116	boapz.exe	Explorer.EXE
PID 2116 wrote to memory of 1204	2116	boapz.exe	Explorer.EXE
PID 2116 wrote to memory of 1204	2116	boapz.exe	Explorer.EXE
PID 2116 wrote to memory of 1204	2116	boapz.exe	Explorer.EXE
PID 2116 wrote to memory of 1204	2116	boapz.exe	Explorer.EXE
PID 2116 wrote to memory of 2304	2116	boapz.exe	DllHost.exe
PID 2116 wrote to memory of 2304	2116	boapz.exe	DllHost.exe
PID 2116 wrote to memory of 2304	2116	boapz.exe	DllHost.exe
PID 2116 wrote to memory of 2304	2116	boapz.exe	DllHost.exe
PID 2116 wrote to memory of 2304	2116	boapz.exe	DllHost.exe
PID 2116 wrote to memory of 2988	2116	boapz.exe	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
PID 2116 wrote to memory of 2988	2116	boapz.exe	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
PID 2116 wrote to memory of 2988	2116	boapz.exe	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
PID 2116 wrote to memory of 2988	2116	boapz.exe	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
PID 2116 wrote to memory of 2988	2116	boapz.exe	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe
PID 2988 wrote to memory of 1492	2988	69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69348937a51e422014c5b459bf3eb3e6_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\Yrax\boapz.exe
"C:\Users\Admin\AppData\Roaming\Yrax\boapz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0449f0dc.bat"
3⤵
- Deletes itself
PID:1492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0449f0dc.bat

Filesize
271B

MD5
2db84bb88ac752bd5155fe2a80d5bed6

SHA1
89b1597b4e708d510098ca6c218a8d761b3aea6d

SHA256
f2ff9f18ccc57ffbf956f9617cbbb2b8dba93b6c4251a3b2983c6f73c781c53e

SHA512
bac6109ac771d2ac52201cb21a7537000f5288aa2f5eb6675d0da6f74742dfbdde312271fcbddb0cf144c36d2eb781a35edc835521bacfd07c89a1454ac06077

Download Submit
C:\Users\Admin\AppData\Roaming\Uxamd\oqyx.ocb

Filesize
380B

MD5
c6c0ea1880d35bae4fe66a737f30c659

SHA1
e8c88897231c63470440e5d3c1c4946b0c3daa66

SHA256
0101730598843df3de076118768a086f8a15e4b243e2cefd87c279e79a9157bc

SHA512
3315aceda2859f32ac09f11f2722ec94567fc8d687d7c5fb8c63f0b0b6fa76e8add98cb3e22cd9c50c33fb4ace4ed118dac20b33053a26806d7966abdb586b92

Download Submit
\Users\Admin\AppData\Roaming\Yrax\boapz.exe

Filesize
290KB

MD5
5c889af9370ff628f108598fcd7c5946

SHA1
3700bf42a3b86fbbb5902ba8c1d0b6d9bcf1565d

SHA256
fa3f8b432b78764dc3a67e55f08d716f03f09c541973885a92c74a7286aded07

SHA512
7d734f74b53de03e004cb472c57f71faaa96e191bd774a46fb5765fb693e8ea7900e45ef4bfb50d2b866071bf182ddd7621b3a9d98a1adde380fc6a840b559cc

Download Submit
memory/1076-27-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1076-19-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1076-26-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1076-21-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1076-23-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1168-33-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1168-32-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1168-30-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1168-31-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1204-38-0x0000000002980000-0x00000000029C1000-memory.dmp

Filesize
260KB

Download
memory/1204-37-0x0000000002980000-0x00000000029C1000-memory.dmp

Filesize
260KB

Download
memory/1204-36-0x0000000002980000-0x00000000029C1000-memory.dmp

Filesize
260KB

Download
memory/1204-35-0x0000000002980000-0x00000000029C1000-memory.dmp

Filesize
260KB

Download
memory/2116-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2116-16-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download
memory/2116-279-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2116-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-43-0x0000000001CD0000-0x0000000001D11000-memory.dmp

Filesize
260KB

Download
memory/2304-40-0x0000000001CD0000-0x0000000001D11000-memory.dmp

Filesize
260KB

Download
memory/2304-42-0x0000000001CD0000-0x0000000001D11000-memory.dmp

Filesize
260KB

Download
memory/2304-41-0x0000000001CD0000-0x0000000001D11000-memory.dmp

Filesize
260KB

Download
memory/2988-80-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-53-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/2988-56-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-51-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/2988-160-0x00000000004C0000-0x0000000000510000-memory.dmp

Filesize
320KB

Download
memory/2988-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-49-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/2988-45-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/2988-58-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-60-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-66-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-68-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-54-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-136-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-0-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2988-48-0x0000000001D00000-0x0000000001D41000-memory.dmp

Filesize
260KB

Download
memory/2988-135-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2988-72-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2988-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-1-0x00000000004C0000-0x0000000000510000-memory.dmp

Filesize
320KB

Download
memory/2988-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download