d3740ea0d060c10dff5b665634ca128d52a61a0997f29fee787da222e1ae5321

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07575738863a89476eb06ec4b616a887_JaffaCakes118.exe
Size

292KB
MD5

07575738863a89476eb06ec4b616a887
SHA1

8680567da8236e455026a4d07d8f340c95fa356a
SHA256

d3740ea0d060c10dff5b665634ca128d52a61a0997f29fee787da222e1ae5321
SHA512

9fad467f3846e13e7416e3e3c0acef47aa2b55344f3b833c905954bda47f084e7433463d65465189bcf2c3f50ef9bd26391080deabde410fc1984b508a1b9501
SSDEEP

6144:vT+FQozXd7xswMHScIOq1G/PnRnC2CkErfov:CFhLeycBqwnRC2gcv

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	ebijvi.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe
2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E97AF648-8469-AD4E-B6B3-012D8E7B2230} = "C:\\Users\\Admin\\AppData\\Roaming\\Edfaz\\ebijvi.exe"	ebijvi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe
2096	ebijvi.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe
2096	ebijvi.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2096	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	28
PID 2940 wrote to memory of 2096	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	28
PID 2940 wrote to memory of 2096	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	28
PID 2940 wrote to memory of 2096	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	28
PID 2096 wrote to memory of 1104	2096	ebijvi.exe	19
PID 2096 wrote to memory of 1104	2096	ebijvi.exe	19
PID 2096 wrote to memory of 1104	2096	ebijvi.exe	19
PID 2096 wrote to memory of 1104	2096	ebijvi.exe	19
PID 2096 wrote to memory of 1104	2096	ebijvi.exe	19
PID 2096 wrote to memory of 1176	2096	ebijvi.exe	20
PID 2096 wrote to memory of 1176	2096	ebijvi.exe	20
PID 2096 wrote to memory of 1176	2096	ebijvi.exe	20
PID 2096 wrote to memory of 1176	2096	ebijvi.exe	20
PID 2096 wrote to memory of 1176	2096	ebijvi.exe	20
PID 2096 wrote to memory of 1204	2096	ebijvi.exe	21
PID 2096 wrote to memory of 1204	2096	ebijvi.exe	21
PID 2096 wrote to memory of 1204	2096	ebijvi.exe	21
PID 2096 wrote to memory of 1204	2096	ebijvi.exe	21
PID 2096 wrote to memory of 1204	2096	ebijvi.exe	21
PID 2096 wrote to memory of 1556	2096	ebijvi.exe	23
PID 2096 wrote to memory of 1556	2096	ebijvi.exe	23
PID 2096 wrote to memory of 1556	2096	ebijvi.exe	23
PID 2096 wrote to memory of 1556	2096	ebijvi.exe	23
PID 2096 wrote to memory of 1556	2096	ebijvi.exe	23
PID 2096 wrote to memory of 2940	2096	ebijvi.exe	27
PID 2096 wrote to memory of 2940	2096	ebijvi.exe	27
PID 2096 wrote to memory of 2940	2096	ebijvi.exe	27
PID 2096 wrote to memory of 2940	2096	ebijvi.exe	27
PID 2096 wrote to memory of 2940	2096	ebijvi.exe	27
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2940 wrote to memory of 2496	2940	07575738863a89476eb06ec4b616a887_JaffaCakes118.exe	29
PID 2096 wrote to memory of 2612	2096	ebijvi.exe	33
PID 2096 wrote to memory of 2612	2096	ebijvi.exe	33
PID 2096 wrote to memory of 2612	2096	ebijvi.exe	33
PID 2096 wrote to memory of 2612	2096	ebijvi.exe	33
PID 2096 wrote to memory of 2612	2096	ebijvi.exe	33
PID 2096 wrote to memory of 1432	2096	ebijvi.exe	34
PID 2096 wrote to memory of 1432	2096	ebijvi.exe	34
PID 2096 wrote to memory of 1432	2096	ebijvi.exe	34
PID 2096 wrote to memory of 1432	2096	ebijvi.exe	34
PID 2096 wrote to memory of 1432	2096	ebijvi.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\07575738863a89476eb06ec4b616a887_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07575738863a89476eb06ec4b616a887_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Roaming\Edfaz\ebijvi.exe
    "C:\Users\Admin\AppData\Roaming\Edfaz\ebijvi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7d684850.bat"
    3⤵
    - Deletes itself
    PID:2496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7d684850.bat

Filesize
271B

MD5
c17cccaa5b745771b22dfc4dd69d7ff9

SHA1
4032069553f29fa7eba43b333cf14a4aee54b29f

SHA256
2b9ca1a98d9f3112db384d98eff62353fd56d3c6bbaf94456f863bbaae8e9360

SHA512
f847dc1455b3ac3886355bbff22a0eee0f6fe0a9d06e084b2397aa893ef12a3750784673582b0dda9e8099a01c29710c2ba8e1aabb04048ccf79149f5860f292

Download Submit
\Users\Admin\AppData\Roaming\Edfaz\ebijvi.exe

Filesize
292KB

MD5
d825f71486ef3602944e66576a60f9bc

SHA1
40c0401ea5cee402159e2068650911bdf82fc2d9

SHA256
dd28524ca3b257164cfc42ec47a7e5848572aa734b48d44f60c23ce975b25953

SHA512
3b89f5ba4201105e5d7c99f4ec754f7c9fce2b91f79f00fb8bdaeb2421584176b062493471b9057c52c89e067422a5696b7298171939b465ec1a725cedfd0279

Download Submit
memory/1104-25-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/1104-21-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/1104-27-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/1104-19-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/1104-23-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/1176-34-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1176-33-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1176-32-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1176-31-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1204-37-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1204-36-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1204-38-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1204-39-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1556-43-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1556-41-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1556-42-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1556-44-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/2096-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2096-17-0x0000000001C20000-0x0000000001C6F000-memory.dmp

Filesize
316KB

Download
memory/2096-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2096-284-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2940-81-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-73-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-57-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-55-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-53-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-51-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-48-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-47-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-46-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-61-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-63-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-65-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-66-0x0000000077620000-0x0000000077621000-memory.dmp

Filesize
4KB

Download
memory/2940-69-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-71-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-59-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-75-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-77-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-79-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-0-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2940-67-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-50-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-49-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-137-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2940-160-0x0000000001C20000-0x0000000001C6F000-memory.dmp

Filesize
316KB

Download
memory/2940-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-162-0x0000000002280000-0x00000000022C4000-memory.dmp

Filesize
272KB

Download
memory/2940-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-1-0x0000000001C20000-0x0000000001C6F000-memory.dmp

Filesize
316KB

Download