f3855ec515053d845f8c5ffbac0e5dc6bd776b6225473ff05d0f5cd6d23c43cf

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
Size

311KB
MD5

07662e26777c9b88ecd97697c529a4e6
SHA1

f02ade58d0292b4732d62ee57c4bb9adfae84147
SHA256

f3855ec515053d845f8c5ffbac0e5dc6bd776b6225473ff05d0f5cd6d23c43cf
SHA512

bac09541d1157774e2fc48c27a7a23c67e4001be3c9836d5d33ec6ef01d5a2f777fb8a930dd98676b035a5178e5f877dd3899aec0a93297cf5127d2e75991726
SSDEEP

6144:DjeEsjVznrzaDbb02BAFnq/1R9lQax5G+02wwluU1Fu0QUGb0o73b7+NDphr:3ViVjrzS49IbQrSuUbdQUGn3n+Fr

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1216	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	cotit.exe
2596	cotit.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-1-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2284-17-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/files/0x0037000000013108-31.dat	upx
behavioral1/memory/2668-34-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2668-54-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2977E268-58FD-AD4F-BE57-976F9EF8B472} = "C:\\Users\\Admin\\AppData\\Roaming\\Edism\\cotit.exe"	cotit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2668 set thread context of 2596	2668	cotit.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Privacy	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe
2596	cotit.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2284 wrote to memory of 2960	2284	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	28
PID 2960 wrote to memory of 2668	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	29
PID 2960 wrote to memory of 2668	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	29
PID 2960 wrote to memory of 2668	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	29
PID 2960 wrote to memory of 2668	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2668 wrote to memory of 2596	2668	cotit.exe	30
PID 2596 wrote to memory of 1064	2596	cotit.exe	18
PID 2596 wrote to memory of 1064	2596	cotit.exe	18
PID 2596 wrote to memory of 1064	2596	cotit.exe	18
PID 2596 wrote to memory of 1064	2596	cotit.exe	18
PID 2596 wrote to memory of 1064	2596	cotit.exe	18
PID 2596 wrote to memory of 1144	2596	cotit.exe	20
PID 2596 wrote to memory of 1144	2596	cotit.exe	20
PID 2596 wrote to memory of 1144	2596	cotit.exe	20
PID 2596 wrote to memory of 1144	2596	cotit.exe	20
PID 2596 wrote to memory of 1144	2596	cotit.exe	20
PID 2596 wrote to memory of 1168	2596	cotit.exe	21
PID 2596 wrote to memory of 1168	2596	cotit.exe	21
PID 2596 wrote to memory of 1168	2596	cotit.exe	21
PID 2596 wrote to memory of 1168	2596	cotit.exe	21
PID 2596 wrote to memory of 1168	2596	cotit.exe	21
PID 2596 wrote to memory of 2356	2596	cotit.exe	23
PID 2596 wrote to memory of 2356	2596	cotit.exe	23
PID 2596 wrote to memory of 2356	2596	cotit.exe	23
PID 2596 wrote to memory of 2356	2596	cotit.exe	23
PID 2596 wrote to memory of 2356	2596	cotit.exe	23
PID 2596 wrote to memory of 2960	2596	cotit.exe	28
PID 2596 wrote to memory of 2960	2596	cotit.exe	28
PID 2596 wrote to memory of 2960	2596	cotit.exe	28
PID 2596 wrote to memory of 2960	2596	cotit.exe	28
PID 2596 wrote to memory of 2960	2596	cotit.exe	28
PID 2960 wrote to memory of 1216	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1216	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1216	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	31
PID 2960 wrote to memory of 1216	2960	07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe	31
PID 2596 wrote to memory of 1216	2596	cotit.exe	31
PID 2596 wrote to memory of 1216	2596	cotit.exe	31
PID 2596 wrote to memory of 1216	2596	cotit.exe	31
PID 2596 wrote to memory of 1216	2596	cotit.exe	31
PID 2596 wrote to memory of 1216	2596	cotit.exe	31
PID 2596 wrote to memory of 652	2596	cotit.exe	32
PID 2596 wrote to memory of 652	2596	cotit.exe	32
PID 2596 wrote to memory of 652	2596	cotit.exe	32
PID 2596 wrote to memory of 652	2596	cotit.exe	32
PID 2596 wrote to memory of 652	2596	cotit.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1168
- C:\Users\Admin\AppData\Local\Temp\07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\07662e26777c9b88ecd97697c529a4e6_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Roaming\Edism\cotit.exe
      "C:\Users\Admin\AppData\Roaming\Edism\cotit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Roaming\Edism\cotit.exe
        
        C:\Users\Admin\AppData\Roaming\Edism\cotit.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp646b4915.bat"
      4⤵
      Deletes itself
      PID:1216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1867322644-74035487-1858854350-1360986152-1222266006-20698753942671188881462243079"
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp646b4915.bat

Filesize
271B

MD5
330793b84fd38ed83f156ae838e302c9

SHA1
715f29c8dd913286df4e04b67a824c8ba74d01d1

SHA256
ff446bc4ec4bd3744e22e4bfb4d14b5561134056ccc4388c16fe87e2fd89c2cd

SHA512
7b9be905c71d80a3e380a9fa8a0cc88acce608a36d133f29e461718cfe369c5bec8f08f04cbc6bcfd82f39379d64dbfad9befbf55da92290db7fbbeca229f424

Download Submit
C:\Users\Admin\AppData\Roaming\Edism\cotit.exe

Filesize
311KB

MD5
0035b2f2f49ec311dd3fb49b7728e626

SHA1
7395d78c47f2021bca9f7a829604e32b50fe69fc

SHA256
394b42524840c226a4ec0a941bab8ad72e9eb32a9884d64b8479f2a7f7837943

SHA512
50686711d3c8c76538ec9dac2951babd2043decc1c4aee73af249dbe1a879205b5d4da0d53cb6b633fb8576eeae273adfbb7066953cedf4c7099b637be2def1d

Download Submit
memory/1064-60-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1064-62-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1064-64-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1064-66-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1144-69-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1144-70-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1144-71-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1144-72-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1168-75-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1168-74-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1168-77-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1168-76-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/2284-17-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2284-15-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/2284-1-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2284-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2356-81-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2356-79-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2356-80-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2356-82-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2596-59-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2668-54-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2668-34-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2960-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-33-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/2960-86-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2960-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-32-0x0000000000450000-0x00000000004D9000-memory.dmp

Filesize
548KB

Download
memory/2960-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-85-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2960-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-114-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2960-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download