c8a428dc1bf9b38d97953ae952e3a4f2b530c38efd9e0e3c571ad6bedc0a46d2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe
Size

321KB
MD5

07a3315220771c299a430cb54daddb7a
SHA1

169f3ff05e83e662981a2013e00df0ee2cf8e295
SHA256

c8a428dc1bf9b38d97953ae952e3a4f2b530c38efd9e0e3c571ad6bedc0a46d2
SHA512

02e6fb1d4467b4f22458dee14a89a7919860824c78d935a592a56bb46897fc92368b71fc2d9ff017e5d7dc0a2c242a61d7369e32562e8a712268f5107c9fca0f
SSDEEP

6144:AT+FQo0d7h+swMHScIOq1G/PtRnC2CkErfof:zFh0DhycBqwtRC2gcf

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2452	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	ecozmu.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe
1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A8D7C348-7DCD-AD4F-393B-DBD01FB3F8CD} = "C:\\Users\\Admin\\AppData\\Roaming\\Avyxi\\ecozmu.exe"	ecozmu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe
2296	ecozmu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe
2296	ecozmu.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2296	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2296	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2296	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	28
PID 1688 wrote to memory of 2296	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	28
PID 2296 wrote to memory of 1120	2296	ecozmu.exe	19
PID 2296 wrote to memory of 1120	2296	ecozmu.exe	19
PID 2296 wrote to memory of 1120	2296	ecozmu.exe	19
PID 2296 wrote to memory of 1120	2296	ecozmu.exe	19
PID 2296 wrote to memory of 1120	2296	ecozmu.exe	19
PID 2296 wrote to memory of 1172	2296	ecozmu.exe	20
PID 2296 wrote to memory of 1172	2296	ecozmu.exe	20
PID 2296 wrote to memory of 1172	2296	ecozmu.exe	20
PID 2296 wrote to memory of 1172	2296	ecozmu.exe	20
PID 2296 wrote to memory of 1172	2296	ecozmu.exe	20
PID 2296 wrote to memory of 1212	2296	ecozmu.exe	21
PID 2296 wrote to memory of 1212	2296	ecozmu.exe	21
PID 2296 wrote to memory of 1212	2296	ecozmu.exe	21
PID 2296 wrote to memory of 1212	2296	ecozmu.exe	21
PID 2296 wrote to memory of 1212	2296	ecozmu.exe	21
PID 2296 wrote to memory of 1032	2296	ecozmu.exe	23
PID 2296 wrote to memory of 1032	2296	ecozmu.exe	23
PID 2296 wrote to memory of 1032	2296	ecozmu.exe	23
PID 2296 wrote to memory of 1032	2296	ecozmu.exe	23
PID 2296 wrote to memory of 1032	2296	ecozmu.exe	23
PID 2296 wrote to memory of 1688	2296	ecozmu.exe	27
PID 2296 wrote to memory of 1688	2296	ecozmu.exe	27
PID 2296 wrote to memory of 1688	2296	ecozmu.exe	27
PID 2296 wrote to memory of 1688	2296	ecozmu.exe	27
PID 2296 wrote to memory of 1688	2296	ecozmu.exe	27
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 1688 wrote to memory of 2452	1688	07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe	29
PID 2296 wrote to memory of 456	2296	ecozmu.exe	33
PID 2296 wrote to memory of 456	2296	ecozmu.exe	33
PID 2296 wrote to memory of 456	2296	ecozmu.exe	33
PID 2296 wrote to memory of 456	2296	ecozmu.exe	33
PID 2296 wrote to memory of 456	2296	ecozmu.exe	33
PID 2296 wrote to memory of 2864	2296	ecozmu.exe	34
PID 2296 wrote to memory of 2864	2296	ecozmu.exe	34
PID 2296 wrote to memory of 2864	2296	ecozmu.exe	34
PID 2296 wrote to memory of 2864	2296	ecozmu.exe	34
PID 2296 wrote to memory of 2864	2296	ecozmu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07a3315220771c299a430cb54daddb7a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Roaming\Avyxi\ecozmu.exe
    "C:\Users\Admin\AppData\Roaming\Avyxi\ecozmu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb908f8f4.bat"
    3⤵
    - Deletes itself
    PID:2452

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb908f8f4.bat

Filesize
271B

MD5
af53d4f5d6a982bc7ceb7e080320a140

SHA1
abadd5210762275b9ae97a230eb281abe4deadd0

SHA256
d26c38a453f314fd97b5295d15f6b376242b134ecfea82e48a05c35c3f7dd16b

SHA512
69e2e80e4a3bd313721e324391a1a2b08054581b5d5185b4c33cccdedd18b3dd49ae9a90aaa9e233e6cf9e16bd678c284dce7def19cd791cfe05aff3472090d6

Download Submit
\Users\Admin\AppData\Roaming\Avyxi\ecozmu.exe

Filesize
321KB

MD5
644c3ea4f2b41a3afb597c61a61e3a46

SHA1
2373690e006fdcea39d2efefc407bf598aa98f43

SHA256
2ad7adf43e73d6389538aed1f0e23b416849a82f47fd89e713db7a093ff5b936

SHA512
69e18f626805c745bab1e4b5a1185df8a8737c56107d9166e99e7e056a9ffb304b76cfa8e4880226e5aab1e91ec900f7b19c9c89b917e06dcf93e18d7a4b7e2a

Download Submit
memory/1032-38-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1032-37-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1032-39-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1032-36-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1120-21-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1120-19-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1120-20-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1120-22-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1120-23-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1172-28-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1172-27-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1172-29-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1172-26-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1212-32-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-33-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-34-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1212-31-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1688-43-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-81-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-62-0x0000000077E80000-0x0000000077E81000-memory.dmp

Filesize
4KB

Download
memory/1688-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-77-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-79-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-134-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1688-42-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-1-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/1688-47-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-44-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-45-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-46-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/1688-0-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1688-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-157-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/1688-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1688-159-0x00000000022E0000-0x0000000002324000-memory.dmp

Filesize
272KB

Download
memory/2296-16-0x0000000000460000-0x00000000004A4000-memory.dmp

Filesize
272KB

Download
memory/2296-17-0x00000000004B0000-0x0000000000506000-memory.dmp

Filesize
344KB

Download
memory/2296-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2296-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download