5489fd95ccd263e254fe71ed8f227540854d3d6ac48c72a99cf384579cfca0cf

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 04:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe
Size

256KB
MD5

02a7740de855d2790ee5df23f71005a9
SHA1

f8e9dd23f4f2a78105f4d055ca3365156be816f8
SHA256

5489fd95ccd263e254fe71ed8f227540854d3d6ac48c72a99cf384579cfca0cf
SHA512

334996386958c8031019d991eb338c3ed07460378fc92f7e60ed4a673a39576950c27adb6f085b8a0524363edaba7b5c373c90e7caae452e62e915caa3c2d918
SSDEEP

6144:SYlMkl24UDer8cAUJ66WH67T54LZ07M4M8NVb+A:rlMkSDU8UJV8uTS90oGvb3

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	oniqp.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe
2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2977E268-58FD-AD4F-BE57-976F9EF8B472} = "C:\\Users\\Admin\\AppData\\Roaming\\Moum\\oniqp.exe"	oniqp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe
2992	oniqp.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe
2992	oniqp.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2992	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2992	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2992	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2992	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	28
PID 2992 wrote to memory of 1080	2992	oniqp.exe	18
PID 2992 wrote to memory of 1080	2992	oniqp.exe	18
PID 2992 wrote to memory of 1080	2992	oniqp.exe	18
PID 2992 wrote to memory of 1080	2992	oniqp.exe	18
PID 2992 wrote to memory of 1080	2992	oniqp.exe	18
PID 2992 wrote to memory of 1088	2992	oniqp.exe	19
PID 2992 wrote to memory of 1088	2992	oniqp.exe	19
PID 2992 wrote to memory of 1088	2992	oniqp.exe	19
PID 2992 wrote to memory of 1088	2992	oniqp.exe	19
PID 2992 wrote to memory of 1088	2992	oniqp.exe	19
PID 2992 wrote to memory of 1168	2992	oniqp.exe	21
PID 2992 wrote to memory of 1168	2992	oniqp.exe	21
PID 2992 wrote to memory of 1168	2992	oniqp.exe	21
PID 2992 wrote to memory of 1168	2992	oniqp.exe	21
PID 2992 wrote to memory of 1168	2992	oniqp.exe	21
PID 2992 wrote to memory of 1788	2992	oniqp.exe	23
PID 2992 wrote to memory of 1788	2992	oniqp.exe	23
PID 2992 wrote to memory of 1788	2992	oniqp.exe	23
PID 2992 wrote to memory of 1788	2992	oniqp.exe	23
PID 2992 wrote to memory of 1788	2992	oniqp.exe	23
PID 2992 wrote to memory of 2400	2992	oniqp.exe	27
PID 2992 wrote to memory of 2400	2992	oniqp.exe	27
PID 2992 wrote to memory of 2400	2992	oniqp.exe	27
PID 2992 wrote to memory of 2400	2992	oniqp.exe	27
PID 2992 wrote to memory of 2400	2992	oniqp.exe	27
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2136	2400	02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\02a7740de855d2790ee5df23f71005a9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Moum\oniqp.exe
    "C:\Users\Admin\AppData\Roaming\Moum\oniqp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp42734246.bat"
    3⤵
    - Deletes itself
    PID:2136

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp42734246.bat

Filesize
271B

MD5
173446ad804c025c2b81092314a69ee4

SHA1
9f3489f5830365206c702ad56edc89cfe6ea522e

SHA256
1fb7794432867b28ec6e4426c4082f977d56225c790bb798592c10da68289490

SHA512
85f0f2ef55908f228ef3bc753ef5f9efd8bc5eae35efae1e12491244771abd49424f69ec2b92cdeeaf8008e2432a37c04eb25cbd4430d871610b0837579f3467

Download Submit
\Users\Admin\AppData\Roaming\Moum\oniqp.exe

Filesize
256KB

MD5
9f4dd44f4b7a26e39ef4848b162bce49

SHA1
e90bcebac653816f2e3b351afaaa146e0eb10efb

SHA256
91a527353ad474ef5425ace961e54b62f2abf96c4f2ab21b1d1df2b0e6a067e2

SHA512
f30745bf87bbfe41df23e62660853d3c629ce12bbb201c75be4d5fee35e8d5fdf1294d5a2b441477a05f1fb796d263bfa9305f8de2a7b7fa8d49453b8850f76e

Download Submit
memory/1080-19-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1080-25-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1080-21-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1080-23-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1080-27-0x0000000000320000-0x000000000035F000-memory.dmp

Filesize
252KB

Download
memory/1088-35-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/1088-31-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/1088-33-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/1088-37-0x00000000001D0000-0x000000000020F000-memory.dmp

Filesize
252KB

Download
memory/1168-40-0x0000000002E20000-0x0000000002E5F000-memory.dmp

Filesize
252KB

Download
memory/1168-41-0x0000000002E20000-0x0000000002E5F000-memory.dmp

Filesize
252KB

Download
memory/1168-42-0x0000000002E20000-0x0000000002E5F000-memory.dmp

Filesize
252KB

Download
memory/1168-43-0x0000000002E20000-0x0000000002E5F000-memory.dmp

Filesize
252KB

Download
memory/1788-47-0x0000000001C80000-0x0000000001CBF000-memory.dmp

Filesize
252KB

Download
memory/1788-45-0x0000000001C80000-0x0000000001CBF000-memory.dmp

Filesize
252KB

Download
memory/1788-46-0x0000000001C80000-0x0000000001CBF000-memory.dmp

Filesize
252KB

Download
memory/1788-48-0x0000000001C80000-0x0000000001CBF000-memory.dmp

Filesize
252KB

Download
memory/2400-54-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-70-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-52-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-55-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-53-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-0-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2400-1-0x00000000002A0000-0x00000000002E6000-memory.dmp

Filesize
280KB

Download
memory/2400-161-0x00000000002A0000-0x00000000002E6000-memory.dmp

Filesize
280KB

Download
memory/2400-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-68-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-99-0x00000000776F0000-0x00000000776F1000-memory.dmp

Filesize
4KB

Download
memory/2400-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-72-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-74-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-50-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-64-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-58-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-51-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2400-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-138-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2400-163-0x0000000001E20000-0x0000000001E5F000-memory.dmp

Filesize
252KB

Download
memory/2992-16-0x0000000000320000-0x0000000000366000-memory.dmp

Filesize
280KB

Download
memory/2992-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2992-15-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2992-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download