2773442208b53ea378e258981ce4c93b4d6238b7d9efc738bdfdba1825c2cebc

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe
Size

315KB
MD5

0eccbe71a31b72805f24ed248213b15d
SHA1

ab35ca6c32d4f32e32a23821d3da9ddaed733b32
SHA256

2773442208b53ea378e258981ce4c93b4d6238b7d9efc738bdfdba1825c2cebc
SHA512

f4f6c2ba92597cfb855deabecbf827e9ea396f55845e2001d341bb85a951d04ece08a6d79fc5140e05538176702b30406087bc2e53073f369edc082d22c1c6fe
SSDEEP

6144:Hq3gCcHoqWYHtSqYnI+tnYDcMbY4FmNzNwm+MhUa1xO1BcC1cV:Hq3Az1N0nI+1Kb5KzNVNSPcnV

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
896	loew.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7770FDC8-846D-AD4E-26F1-2C003EAC0F1D} = "C:\\Users\\Admin\\AppData\\Roaming\\Dinyel\\loew.exe"	loew.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe
896	loew.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 896	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	28
PID 2176 wrote to memory of 896	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	28
PID 2176 wrote to memory of 896	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	28
PID 2176 wrote to memory of 896	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	28
PID 896 wrote to memory of 1108	896	loew.exe	19
PID 896 wrote to memory of 1108	896	loew.exe	19
PID 896 wrote to memory of 1108	896	loew.exe	19
PID 896 wrote to memory of 1108	896	loew.exe	19
PID 896 wrote to memory of 1108	896	loew.exe	19
PID 896 wrote to memory of 1160	896	loew.exe	20
PID 896 wrote to memory of 1160	896	loew.exe	20
PID 896 wrote to memory of 1160	896	loew.exe	20
PID 896 wrote to memory of 1160	896	loew.exe	20
PID 896 wrote to memory of 1160	896	loew.exe	20
PID 896 wrote to memory of 1192	896	loew.exe	21
PID 896 wrote to memory of 1192	896	loew.exe	21
PID 896 wrote to memory of 1192	896	loew.exe	21
PID 896 wrote to memory of 1192	896	loew.exe	21
PID 896 wrote to memory of 1192	896	loew.exe	21
PID 896 wrote to memory of 2176	896	loew.exe	27
PID 896 wrote to memory of 2176	896	loew.exe	27
PID 896 wrote to memory of 2176	896	loew.exe	27
PID 896 wrote to memory of 2176	896	loew.exe	27
PID 896 wrote to memory of 2176	896	loew.exe	27
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 2176 wrote to memory of 1996	2176	0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe	29
PID 896 wrote to memory of 300	896	loew.exe	33
PID 896 wrote to memory of 300	896	loew.exe	33
PID 896 wrote to memory of 300	896	loew.exe	33
PID 896 wrote to memory of 300	896	loew.exe	33
PID 896 wrote to memory of 300	896	loew.exe	33
PID 896 wrote to memory of 2780	896	loew.exe	34
PID 896 wrote to memory of 2780	896	loew.exe	34
PID 896 wrote to memory of 2780	896	loew.exe	34
PID 896 wrote to memory of 2780	896	loew.exe	34
PID 896 wrote to memory of 2780	896	loew.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0eccbe71a31b72805f24ed248213b15d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Roaming\Dinyel\loew.exe
    "C:\Users\Admin\AppData\Roaming\Dinyel\loew.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp27b14fdc.bat"
    3⤵
    - Deletes itself
    PID:1996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp27b14fdc.bat

Filesize
271B

MD5
2b9afd7d23ae31939c70b2ccb0508e81

SHA1
8a9930a6eaec06c0c7c38d67518d475c8ec5f728

SHA256
57ecc7450db7fd8497840be189b492105e9f9852fced2773bf957881caf07a74

SHA512
6f09e8af02ac796512ae344a4dc9bd6490527e17ace0cf8e7f8716076602cd59f54010b18cf97246c148fc9edf35b729e50025cc5e210143e31bde008ede8ac8

Download Submit
\Users\Admin\AppData\Roaming\Dinyel\loew.exe

Filesize
315KB

MD5
79c51a59ff68209ae09d3730c97b3ca8

SHA1
472c94700017f57d356402b084cf6bdf8942f042

SHA256
7255ea2e878b1c2ad11f9fe512da3e1554b448c4271fe702e50444c50959ed7b

SHA512
612145e41ecbed9f989dd798d0a4ad02fbd65a0864fe3544fd7dcb50af203b2e790fabd4aad56e35cee8291553f76d6bea0a92a71dbd0b82fdf1ed3891a5f3fe

Download Submit
memory/896-11-0x0000000000F00000-0x0000000000F5B000-memory.dmp

Filesize
364KB

Download
memory/896-280-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/896-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1108-18-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/1108-15-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/1108-14-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/1108-16-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/1108-17-0x0000000002090000-0x00000000020D4000-memory.dmp

Filesize
272KB

Download
memory/1160-27-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1160-21-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1160-23-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1160-25-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1192-31-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1192-33-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1192-30-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1192-32-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/2176-72-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-35-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-58-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-57-0x0000000077EA0000-0x0000000077EA1000-memory.dmp

Filesize
4KB

Download
memory/2176-56-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-52-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-50-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-48-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-46-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-44-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-42-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-40-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-130-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-39-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-38-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-37-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-36-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-62-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-64-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-66-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-68-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-70-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-0-0x0000000000F90000-0x0000000000FEB000-memory.dmp

Filesize
364KB

Download
memory/2176-74-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-76-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-54-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2176-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2176-155-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2176-154-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2176-153-0x0000000000F90000-0x0000000000FEB000-memory.dmp

Filesize
364KB

Download
memory/2176-8-0x0000000000F00000-0x0000000000F5B000-memory.dmp

Filesize
364KB

Download
memory/2176-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download