edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
Size

138KB
MD5

04e2cfbb7f231d964afc25006ad4e5bf
SHA1

775b7bf3a30d3bdcc4e68f0cb29c2745ad97e21b
SHA256

edfec48c5b9a18add8442f19cf8ecd8457af25a7251cb34fe2d20616dcf315ef
SHA512

a87f700335722bd8900889eceb4f47f6f0309f6ab23de81dca7267e9253f6b0521d9472cb08a0bf1c52d3bca3f095efc0df2fb7533560853fa0da5f5cbd8a357
SSDEEP

3072:qz71LZQEduEgsW2UPqxUEnqkC0i50/YXiQXT+t/8XIgfUTaXD3kz1QNS:qz71L+QHhUPqxUElQiQwkXhfUThQ4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
584	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	gelet.exe

Loads dropped DLL 2 IoCs

pid	Process
2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D8B61FEF-C22E-5FBD-33DA-28CDA990F43D} = "C:\\Users\\Admin\\AppData\\Roaming\\Lyuls\\gelet.exe"	gelet.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Privacy	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4070327C-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe
2156	gelet.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
Token: SeManageVolumePrivilege	952	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
952	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2156	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	28
PID 2116 wrote to memory of 2156	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	28
PID 2116 wrote to memory of 2156	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	28
PID 2116 wrote to memory of 2156	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	28
PID 2156 wrote to memory of 1224	2156	gelet.exe	19
PID 2156 wrote to memory of 1224	2156	gelet.exe	19
PID 2156 wrote to memory of 1224	2156	gelet.exe	19
PID 2156 wrote to memory of 1224	2156	gelet.exe	19
PID 2156 wrote to memory of 1224	2156	gelet.exe	19
PID 2156 wrote to memory of 1296	2156	gelet.exe	20
PID 2156 wrote to memory of 1296	2156	gelet.exe	20
PID 2156 wrote to memory of 1296	2156	gelet.exe	20
PID 2156 wrote to memory of 1296	2156	gelet.exe	20
PID 2156 wrote to memory of 1296	2156	gelet.exe	20
PID 2156 wrote to memory of 1352	2156	gelet.exe	21
PID 2156 wrote to memory of 1352	2156	gelet.exe	21
PID 2156 wrote to memory of 1352	2156	gelet.exe	21
PID 2156 wrote to memory of 1352	2156	gelet.exe	21
PID 2156 wrote to memory of 1352	2156	gelet.exe	21
PID 2156 wrote to memory of 1660	2156	gelet.exe	23
PID 2156 wrote to memory of 1660	2156	gelet.exe	23
PID 2156 wrote to memory of 1660	2156	gelet.exe	23
PID 2156 wrote to memory of 1660	2156	gelet.exe	23
PID 2156 wrote to memory of 1660	2156	gelet.exe	23
PID 2156 wrote to memory of 2116	2156	gelet.exe	27
PID 2156 wrote to memory of 2116	2156	gelet.exe	27
PID 2156 wrote to memory of 2116	2156	gelet.exe	27
PID 2156 wrote to memory of 2116	2156	gelet.exe	27
PID 2156 wrote to memory of 2116	2156	gelet.exe	27
PID 2156 wrote to memory of 952	2156	gelet.exe	29
PID 2156 wrote to memory of 952	2156	gelet.exe	29
PID 2156 wrote to memory of 952	2156	gelet.exe	29
PID 2156 wrote to memory of 952	2156	gelet.exe	29
PID 2156 wrote to memory of 952	2156	gelet.exe	29
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2116 wrote to memory of 584	2116	04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1576	2156	gelet.exe	32
PID 2156 wrote to memory of 1576	2156	gelet.exe	32
PID 2156 wrote to memory of 1576	2156	gelet.exe	32
PID 2156 wrote to memory of 1576	2156	gelet.exe	32
PID 2156 wrote to memory of 1576	2156	gelet.exe	32
PID 2156 wrote to memory of 2332	2156	gelet.exe	33
PID 2156 wrote to memory of 2332	2156	gelet.exe	33
PID 2156 wrote to memory of 2332	2156	gelet.exe	33
PID 2156 wrote to memory of 2332	2156	gelet.exe	33
PID 2156 wrote to memory of 2332	2156	gelet.exe	33
PID 2156 wrote to memory of 2948	2156	gelet.exe	34
PID 2156 wrote to memory of 2948	2156	gelet.exe	34
PID 2156 wrote to memory of 2948	2156	gelet.exe	34
PID 2156 wrote to memory of 2948	2156	gelet.exe	34
PID 2156 wrote to memory of 2948	2156	gelet.exe	34
PID 2156 wrote to memory of 2496	2156	gelet.exe	37
PID 2156 wrote to memory of 2496	2156	gelet.exe	37
PID 2156 wrote to memory of 2496	2156	gelet.exe	37
PID 2156 wrote to memory of 2496	2156	gelet.exe	37
PID 2156 wrote to memory of 2496	2156	gelet.exe	37
PID 2156 wrote to memory of 2908	2156	gelet.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\04e2cfbb7f231d964afc25006ad4e5bf_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Lyuls\gelet.exe
    "C:\Users\Admin\AppData\Roaming\Lyuls\gelet.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa6336941.bat"
    3⤵
    - Deletes itself
    PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1660

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
9c793dbf86d4efdb9c3ee55fbb779069

SHA1
a89125872cb28f6afc145ffd485fe674de4902a1

SHA256
25b748a88eddc3eef6291e5a8894a79728f1cfef095e47cff119e4e40eff5c09

SHA512
c0fcfa7ae02f10b06879968a8a078eeb529549d63b77f8a467902654d9e08c1f12c5df1405ef327b41c6bd5dcaa7b65ae9157a80afaeb9e254104bb59b195336

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa6336941.bat

Filesize
271B

MD5
b0725ef66b583e77897bf070336c9378

SHA1
de77cfab10b4b9c8b2b0c82997b7c40f5ecfc728

SHA256
5a9505d0e21d18d681b91bf8b37d4953642b0815e7cc807b5d60e6e31fbe25f6

SHA512
3464b8dfbb096dd6454210a733ecbdb9c9e318342a7dba3a43fb2108037f3b2f4dd03330c756f60817e785aff1e6ba79d454aa32ee4514226968c0027f91d543

Download Submit
C:\Users\Admin\AppData\Roaming\Vaepy\uhod.amb

Filesize
380B

MD5
cbea3d52240dd299a6732a254e93d850

SHA1
b601b8fdd08ce6aa43dfec53a426424a0be5b863

SHA256
86b2e32d57cdca659b5a45f771ea1209bb54b8e7dd68d7f5a526bcc068fc40ce

SHA512
f11e9cb8a9e20403f4a80f99819108aa8f0c83938f9933842aa6636846aa9570d662a09cc2ba929f44bf4a868c3f6ffa4ff89eab3a315b59aeb733a2072fc5c2

Download Submit
\Users\Admin\AppData\Roaming\Lyuls\gelet.exe

Filesize
138KB

MD5
b14cefff6089689310a8a8aac432c797

SHA1
575e946ec6bae44ee3d24ab6a5708b8f13f2fa44

SHA256
fc43336f894c2dd11786f0cf0fa8c0f8b5d153a42b25f1cbacce63016c495d99

SHA512
f34c04969a9ae048b9e70354806b060f6558be3eddb45f6fcac569116c24677b594379fa5318c91eee711ca78c1f4ce40d0bec97f5fce8fdbef0bbdc3e9b6e36

Download Submit
memory/1224-14-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1224-16-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1224-18-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1224-10-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1224-12-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1296-22-0x0000000001FA0000-0x0000000001FC7000-memory.dmp

Filesize
156KB

Download
memory/1296-24-0x0000000001FA0000-0x0000000001FC7000-memory.dmp

Filesize
156KB

Download
memory/1296-26-0x0000000001FA0000-0x0000000001FC7000-memory.dmp

Filesize
156KB

Download
memory/1296-28-0x0000000001FA0000-0x0000000001FC7000-memory.dmp

Filesize
156KB

Download
memory/1352-33-0x0000000002D80000-0x0000000002DA7000-memory.dmp

Filesize
156KB

Download
memory/1352-31-0x0000000002D80000-0x0000000002DA7000-memory.dmp

Filesize
156KB

Download
memory/1352-32-0x0000000002D80000-0x0000000002DA7000-memory.dmp

Filesize
156KB

Download
memory/1352-34-0x0000000002D80000-0x0000000002DA7000-memory.dmp

Filesize
156KB

Download
memory/1660-39-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/1660-36-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/1660-37-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/1660-38-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/2116-60-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-58-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-43-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-44-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-45-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-46-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-48-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-50-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-52-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-54-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-56-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-42-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-64-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-128-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-66-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-41-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-68-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-70-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-72-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2116-127-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/2116-126-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-227-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2116-62-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download