723bd965799be0155e306ff70a102c15c997e3a8bdf8ee0a7b8ab2c8112a2b9c

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 15:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe
Size

333KB
MD5

07508e746c6a7f3758998bd97b8f608b
SHA1

e5a31e1a46f677f5926046e5a1edf002a34ac09e
SHA256

723bd965799be0155e306ff70a102c15c997e3a8bdf8ee0a7b8ab2c8112a2b9c
SHA512

cd7d76718682fbf4a337052467b4bb45f8a9c4b2ab684891df5c4e04d1f46ea4bdac1e51d3c463c97dbe147b274b598929d3341ca6d916a151e952476c9f4729
SSDEEP

6144:Z80UKaRzEfaGOH16F1xx+rHMYbvcOdNS0KCGOgmLArll67y0vAbGRB1ze0:Z80UKaRIwH16Dxxsxvck6Ogm6ll62oRH

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	weovqi.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8BE2F68-5812-AD4F-F172-4D96D7386E8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Zaonj\\weovqi.exe"	weovqi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe
1744	weovqi.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe
1744	weovqi.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1744	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	28
PID 2972 wrote to memory of 1744	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	28
PID 2972 wrote to memory of 1744	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	28
PID 2972 wrote to memory of 1744	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	28
PID 1744 wrote to memory of 1108	1744	weovqi.exe	19
PID 1744 wrote to memory of 1108	1744	weovqi.exe	19
PID 1744 wrote to memory of 1108	1744	weovqi.exe	19
PID 1744 wrote to memory of 1108	1744	weovqi.exe	19
PID 1744 wrote to memory of 1108	1744	weovqi.exe	19
PID 1744 wrote to memory of 1168	1744	weovqi.exe	20
PID 1744 wrote to memory of 1168	1744	weovqi.exe	20
PID 1744 wrote to memory of 1168	1744	weovqi.exe	20
PID 1744 wrote to memory of 1168	1744	weovqi.exe	20
PID 1744 wrote to memory of 1168	1744	weovqi.exe	20
PID 1744 wrote to memory of 1208	1744	weovqi.exe	21
PID 1744 wrote to memory of 1208	1744	weovqi.exe	21
PID 1744 wrote to memory of 1208	1744	weovqi.exe	21
PID 1744 wrote to memory of 1208	1744	weovqi.exe	21
PID 1744 wrote to memory of 1208	1744	weovqi.exe	21
PID 1744 wrote to memory of 2044	1744	weovqi.exe	23
PID 1744 wrote to memory of 2044	1744	weovqi.exe	23
PID 1744 wrote to memory of 2044	1744	weovqi.exe	23
PID 1744 wrote to memory of 2044	1744	weovqi.exe	23
PID 1744 wrote to memory of 2044	1744	weovqi.exe	23
PID 1744 wrote to memory of 2972	1744	weovqi.exe	27
PID 1744 wrote to memory of 2972	1744	weovqi.exe	27
PID 1744 wrote to memory of 2972	1744	weovqi.exe	27
PID 1744 wrote to memory of 2972	1744	weovqi.exe	27
PID 1744 wrote to memory of 2972	1744	weovqi.exe	27
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29
PID 2972 wrote to memory of 1640	2972	07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07508e746c6a7f3758998bd97b8f608b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\Zaonj\weovqi.exe
    "C:\Users\Admin\AppData\Roaming\Zaonj\weovqi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3c488f75.bat"
    3⤵
    - Deletes itself
    PID:1640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3c488f75.bat

Filesize
271B

MD5
0e2bd85e2ea5f257445b79f693452f9d

SHA1
36980c929882f0cc22860a140726a143129cf964

SHA256
d003c57595ff6c1e3b7c1854f553d2cdb2c0a6731b58a6a91ff7bdbe392f68c0

SHA512
f7b60e8eab5eabd0dcf8e070a50311b2e61ce5c8dd8cb9300d812fa93c70ed9cabe5d6424a742b5769b33f2c31873935f4a4202200381929881161f01c208635

Download Submit
\Users\Admin\AppData\Roaming\Zaonj\weovqi.exe

Filesize
333KB

MD5
1531e3719eec86874382b6b84b4a4f06

SHA1
2b8c88f5f07700b21416ca1f9126cb67a98ff6d7

SHA256
e4405510f09602cf570da29bd94c23f4794eec97531c61baadf6bc1bc5895321

SHA512
532769e69e0d00e6bccb404f57aa146bf3e94f1755f171c16fb4bff6acc0eb501ee819b0186aaa57efdac1320a51205a99034ae86af8c4e51b5a68544d7c858c

Download Submit
memory/1108-22-0x0000000002180000-0x00000000021C2000-memory.dmp

Filesize
264KB

Download
memory/1108-18-0x0000000002180000-0x00000000021C2000-memory.dmp

Filesize
264KB

Download
memory/1108-20-0x0000000002180000-0x00000000021C2000-memory.dmp

Filesize
264KB

Download
memory/1108-16-0x0000000002180000-0x00000000021C2000-memory.dmp

Filesize
264KB

Download
memory/1108-24-0x0000000002180000-0x00000000021C2000-memory.dmp

Filesize
264KB

Download
memory/1168-30-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1168-27-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1168-28-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1168-29-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1208-35-0x0000000002920000-0x0000000002962000-memory.dmp

Filesize
264KB

Download
memory/1208-32-0x0000000002920000-0x0000000002962000-memory.dmp

Filesize
264KB

Download
memory/1208-33-0x0000000002920000-0x0000000002962000-memory.dmp

Filesize
264KB

Download
memory/1208-34-0x0000000002920000-0x0000000002962000-memory.dmp

Filesize
264KB

Download
memory/1744-13-0x00000000004D0000-0x0000000000529000-memory.dmp

Filesize
356KB

Download
memory/1744-12-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/1744-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1744-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-40-0x0000000001D90000-0x0000000001DD2000-memory.dmp

Filesize
264KB

Download
memory/2044-39-0x0000000001D90000-0x0000000001DD2000-memory.dmp

Filesize
264KB

Download
memory/2044-38-0x0000000001D90000-0x0000000001DD2000-memory.dmp

Filesize
264KB

Download
memory/2044-41-0x0000000001D90000-0x0000000001DD2000-memory.dmp

Filesize
264KB

Download
memory/2972-45-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-57-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-0-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download
memory/2972-46-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-47-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-48-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-55-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-44-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-69-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/2972-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-132-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-155-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/2972-1-0x0000000000380000-0x00000000003D9000-memory.dmp

Filesize
356KB

Download
memory/2972-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download