9815291be0b9c2751a4b6f80d20aa3a7b345f05d5af65803cc6bd1d7b936c9cb

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
Size

11.2MB
MD5

02ca776f1433b26f8e22470d5e14e691
SHA1

f66a1c6c35f60b26b15d61e6127b1a8d4b96b7b5
SHA256

9815291be0b9c2751a4b6f80d20aa3a7b345f05d5af65803cc6bd1d7b936c9cb
SHA512

a070226461822b28be76f9dcc9217836e8992026b22386848211a72c3d5d8914d8cc70e56ef543b92b5a07d70c1c4c3298dd004870100aad110e55f75779e658
SSDEEP

3072:mS0QW1HtJlsMzvVGlah6sSb93YwbZfl4KVmulbuQfQM28zV57P/dLC35sK:vp2HtJ5VGgV5ml4KVmulbuQl28z+m

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3064	qurau.exe
2620	qurau.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{68FE305A-FED4-C820-9117-C69D82510A3F} = "C:\\Users\\Admin\\AppData\\Roaming\\Honu\\qurau.exe"	qurau.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 3064 set thread context of 2620	3064	qurau.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe
2620	qurau.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
3064	qurau.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2272	2156	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	28
PID 2272 wrote to memory of 3064	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	29
PID 2272 wrote to memory of 3064	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	29
PID 2272 wrote to memory of 3064	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	29
PID 2272 wrote to memory of 3064	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	29
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 3064 wrote to memory of 2620	3064	qurau.exe	30
PID 2272 wrote to memory of 2532	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2532	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2532	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2532	2272	02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe	31
PID 2620 wrote to memory of 1044	2620	qurau.exe	17
PID 2620 wrote to memory of 1044	2620	qurau.exe	17
PID 2620 wrote to memory of 1044	2620	qurau.exe	17
PID 2620 wrote to memory of 1044	2620	qurau.exe	17
PID 2620 wrote to memory of 1044	2620	qurau.exe	17
PID 2620 wrote to memory of 1060	2620	qurau.exe	18
PID 2620 wrote to memory of 1060	2620	qurau.exe	18
PID 2620 wrote to memory of 1060	2620	qurau.exe	18
PID 2620 wrote to memory of 1060	2620	qurau.exe	18
PID 2620 wrote to memory of 1060	2620	qurau.exe	18
PID 2620 wrote to memory of 1112	2620	qurau.exe	20
PID 2620 wrote to memory of 1112	2620	qurau.exe	20
PID 2620 wrote to memory of 1112	2620	qurau.exe	20
PID 2620 wrote to memory of 1112	2620	qurau.exe	20
PID 2620 wrote to memory of 1112	2620	qurau.exe	20
PID 2620 wrote to memory of 2532	2620	qurau.exe	31
PID 2620 wrote to memory of 2532	2620	qurau.exe	31
PID 2620 wrote to memory of 2532	2620	qurau.exe	31
PID 2620 wrote to memory of 2532	2620	qurau.exe	31
PID 2620 wrote to memory of 2532	2620	qurau.exe	31
PID 2620 wrote to memory of 2700	2620	qurau.exe	32
PID 2620 wrote to memory of 2700	2620	qurau.exe	32
PID 2620 wrote to memory of 2700	2620	qurau.exe	32
PID 2620 wrote to memory of 2700	2620	qurau.exe	32
PID 2620 wrote to memory of 2700	2620	qurau.exe	32
PID 2620 wrote to memory of 852	2620	qurau.exe	33
PID 2620 wrote to memory of 852	2620	qurau.exe	33
PID 2620 wrote to memory of 852	2620	qurau.exe	33
PID 2620 wrote to memory of 852	2620	qurau.exe	33
PID 2620 wrote to memory of 852	2620	qurau.exe	33
PID 2620 wrote to memory of 1584	2620	qurau.exe	34
PID 2620 wrote to memory of 1584	2620	qurau.exe	34
PID 2620 wrote to memory of 1584	2620	qurau.exe	34
PID 2620 wrote to memory of 1584	2620	qurau.exe	34
PID 2620 wrote to memory of 1584	2620	qurau.exe	34
PID 2620 wrote to memory of 2012	2620	qurau.exe	35
PID 2620 wrote to memory of 2012	2620	qurau.exe	35
PID 2620 wrote to memory of 2012	2620	qurau.exe	35

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1060

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\02ca776f1433b26f8e22470d5e14e691_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Users\Admin\AppData\Roaming\Honu\qurau.exe
      "C:\Users\Admin\AppData\Roaming\Honu\qurau.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Roaming\Honu\qurau.exe
        
        C:\Users\Admin\AppData\Roaming\Honu\qurau.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0e159c81.bat"
      4⤵
      Deletes itself
      Modifies Internet Explorer settings
      PID:2532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1289120724236059428-563250135-1806542591971671635-1701042541-164505183-1940701770"
1⤵
PID:2700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0e159c81.bat

Filesize
271B

MD5
9bf4f7e62b8f9fd0f4c3bb1fc93f4d27

SHA1
2b18ad613af9ed378339f3297a00aea321eb89b8

SHA256
900b805c877a7cbc06c9586330a946218c7dbc2a0fe91128876f1b46fa7009a6

SHA512
6d3d321101e57241fc98cf1d4811bf8e469bba0394200d08755b71f162cdb34ae1c7bc5bf0d28ab89bdb898524ffc9cfc0111b1e70baccdbcb9318e970df258a

Download Submit
\Users\Admin\AppData\Roaming\Honu\qurau.exe

Filesize
11.2MB

MD5
e9d2f9c83b974013d816b9860d69e557

SHA1
67c4bb70e005fcb64d3f1e673aa87a1a55703f02

SHA256
67cad55e935ad8f59ea398297c231c670ad7923bdf737584bcbadcbd516b9fd2

SHA512
9d3e3784f2aad392b6f0912c03fa1f14fa124642ab3b014ab7da3e0cf7e11ab9065c4d454a1a572abd487cb7ef71a0a9f70eb5bc3eebfd7021bfa819d61005ef

Download Submit
memory/1044-31-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1044-30-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1044-34-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1044-32-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1044-33-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1060-37-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1060-39-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1060-43-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1060-41-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/1112-48-0x0000000002E20000-0x0000000002E3A000-memory.dmp

Filesize
104KB

Download
memory/1112-46-0x0000000002E20000-0x0000000002E3A000-memory.dmp

Filesize
104KB

Download
memory/1112-47-0x0000000002E20000-0x0000000002E3A000-memory.dmp

Filesize
104KB

Download
memory/1112-49-0x0000000002E20000-0x0000000002E3A000-memory.dmp

Filesize
104KB

Download
memory/2272-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2272-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2532-54-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-53-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-55-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-56-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-103-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-64-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-58-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-52-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2532-70-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-68-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-74-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-78-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-76-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-86-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2532-81-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/2532-80-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2620-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2620-125-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download