d241c243cbba6992c8ed6c58d0af757a8c2cce005a4c8f21e1ad452292102750

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
Size

193KB
MD5

14cb882ab844faccde7d8445ad2c525a
SHA1

663bd683b7d4c05c2bf392efb950434820366ffd
SHA256

d241c243cbba6992c8ed6c58d0af757a8c2cce005a4c8f21e1ad452292102750
SHA512

6cd6011986c27fb2813392712336eb35c24679f87f31e4d2f743eab58e199ad1e5e70ebe43a2a3b796470cf3945f983772c27d44dc029da7e488bfcd7f276741
SSDEEP

3072:9mBMIQ735chXJIQa6aV/M5qniVPTYHR74XdUSBBJ0mWS/3/uRcYM5CVoKCHMMGs:9mBMncXyea25iUPQ7q5tX/vh+oK6t

Score

8^/10

evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2532	netsh.exe

Deletes itself 1 IoCs

pid	Process
1536	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1032	apozikt.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/files/0x002d0000000144e9-8.dat	upx
behavioral1/memory/1032-15-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2944-13-0x00000000002D0000-0x0000000000317000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D24525C6-4960-CF71-4E39-E6B02BE7BBE9} = "C:\\Users\\Admin\\AppData\\Roaming\\Qiukam\\apozikt.exe"	apozikt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1B6F503B-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe
1032	apozikt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
Token: SeSecurityPrivilege	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3028	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3028	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3028	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3028	WinMail.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 3064	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	28
PID 2944 wrote to memory of 3064	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	28
PID 2944 wrote to memory of 1032	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1032	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1032	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	30
PID 2944 wrote to memory of 1032	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2532	3064	cmd.exe	31
PID 3064 wrote to memory of 2532	3064	cmd.exe	31
PID 3064 wrote to memory of 2532	3064	cmd.exe	31
PID 3064 wrote to memory of 2532	3064	cmd.exe	31
PID 1032 wrote to memory of 1104	1032	apozikt.exe	19
PID 1032 wrote to memory of 1104	1032	apozikt.exe	19
PID 1032 wrote to memory of 1104	1032	apozikt.exe	19
PID 1032 wrote to memory of 1104	1032	apozikt.exe	19
PID 1032 wrote to memory of 1104	1032	apozikt.exe	19
PID 1032 wrote to memory of 1176	1032	apozikt.exe	20
PID 1032 wrote to memory of 1176	1032	apozikt.exe	20
PID 1032 wrote to memory of 1176	1032	apozikt.exe	20
PID 1032 wrote to memory of 1176	1032	apozikt.exe	20
PID 1032 wrote to memory of 1176	1032	apozikt.exe	20
PID 1032 wrote to memory of 1204	1032	apozikt.exe	21
PID 1032 wrote to memory of 1204	1032	apozikt.exe	21
PID 1032 wrote to memory of 1204	1032	apozikt.exe	21
PID 1032 wrote to memory of 1204	1032	apozikt.exe	21
PID 1032 wrote to memory of 1204	1032	apozikt.exe	21
PID 1032 wrote to memory of 1556	1032	apozikt.exe	23
PID 1032 wrote to memory of 1556	1032	apozikt.exe	23
PID 1032 wrote to memory of 1556	1032	apozikt.exe	23
PID 1032 wrote to memory of 1556	1032	apozikt.exe	23
PID 1032 wrote to memory of 1556	1032	apozikt.exe	23
PID 1032 wrote to memory of 2944	1032	apozikt.exe	27
PID 1032 wrote to memory of 2944	1032	apozikt.exe	27
PID 1032 wrote to memory of 2944	1032	apozikt.exe	27
PID 1032 wrote to memory of 2944	1032	apozikt.exe	27
PID 1032 wrote to memory of 2944	1032	apozikt.exe	27
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 2944 wrote to memory of 1536	2944	14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe	33
PID 1032 wrote to memory of 2044	1032	apozikt.exe	35
PID 1032 wrote to memory of 2044	1032	apozikt.exe	35
PID 1032 wrote to memory of 2044	1032	apozikt.exe	35
PID 1032 wrote to memory of 2044	1032	apozikt.exe	35
PID 1032 wrote to memory of 2044	1032	apozikt.exe	35
PID 1032 wrote to memory of 284	1032	apozikt.exe	36
PID 1032 wrote to memory of 284	1032	apozikt.exe	36
PID 1032 wrote to memory of 284	1032	apozikt.exe	36
PID 1032 wrote to memory of 284	1032	apozikt.exe	36
PID 1032 wrote to memory of 284	1032	apozikt.exe	36
PID 1032 wrote to memory of 2608	1032	apozikt.exe	37
PID 1032 wrote to memory of 2608	1032	apozikt.exe	37
PID 1032 wrote to memory of 2608	1032	apozikt.exe	37
PID 1032 wrote to memory of 2608	1032	apozikt.exe	37
PID 1032 wrote to memory of 2608	1032	apozikt.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14cb882ab844faccde7d8445ad2c525a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp274e7e2a.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Qiukam\apozikt.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2532
- - C:\Users\Admin\AppData\Roaming\Qiukam\apozikt.exe
    "C:\Users\Admin\AppData\Roaming\Qiukam\apozikt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp25ae3774.bat"
    3⤵
    - Deletes itself
    PID:1536

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1556

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
b69ffae8cec82f817a786027f5e5658e

SHA1
0ae01ca33cff15660e847abdc49b855935583f4a

SHA256
a94c813737478c6e7537f1cd677dd66b2fdac38cdc69b5279d57adfc6f7d0cfd

SHA512
352ef032576e7887f8213d9f90c8faa4ba3b6a086a352a796623da183c69bd2f6b5ed85bab5f5d8b1d17b23bf0098b7c1315d7ef90ef1442a31b9c606afea749

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25ae3774.bat

Filesize
271B

MD5
8a878cb992f96d1b6be54a000d05d73b

SHA1
5db61b00d8cef0395e96df9f6ab9aeeeb3d97075

SHA256
a90b0f71ef219751e361d520997a866ab8395ba6da6cfe153be18add212f726b

SHA512
c5e7dc7ba58c8fcad67f32de1edf42157a432075430b14aff3f54cb79edf80d9ad0bbebc184b45b494371a4b2b17d479809db0a6cedc729062e7e973a2d3496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp274e7e2a.bat

Filesize
203B

MD5
7273f9b3ee21ffa04771058ae5086411

SHA1
733715ed0baf0c3d80f63a185782944703b34833

SHA256
ca3d0ad49e25deb6cc4a67ef086f53415ec1ad9960f176072b71bf5a43d201a5

SHA512
2e2ece3d02d54dfb498d50735528d5facb72e1c10dc675739fb216923910a5ff2af62f5493344be817a28a92a34cf9827cd470f8143f6b2d6fdcb454ae3162b7

Download Submit
C:\Users\Admin\AppData\Roaming\Edu\rometuu.yfo

Filesize
380B

MD5
f463b6252824c79de5cf27ed54a82227

SHA1
987e1f662696971aa289a36d59235e457276f5a3

SHA256
8ff3c61de7818d4f7cb4d0335cd769849e8b961defddbfa13bcf2117cdf093b3

SHA512
11a979bd735bc83b50880a8ceed61db35b27b601c61f28a887b0f5830d68843a06a31634474ddeff4ed566a4c4131a9153daf7a5d698c3a35d413452b3929c2f

Download Submit
\Users\Admin\AppData\Roaming\Qiukam\apozikt.exe

Filesize
193KB

MD5
50532ec4b2b41ae7f663b17d72f44875

SHA1
489a1a49582eb4582607568c0a03028ab1c33aaf

SHA256
77e2bd30ffce50327b3f879b40b52acc166c46c4db44c873aa6b4da4623f213b

SHA512
35d65ccf337dd4081e4e35b80aaa1fa94f02be54f7974875512e3e0ad3f696566336018b741d20904d4121400e3a4796e677531f3799619a23f19c5f10ab960f

Download Submit
memory/1032-349-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1032-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1104-20-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1104-22-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1104-26-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1104-19-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1104-24-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1176-36-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1176-30-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1176-32-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1176-34-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1204-42-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1204-39-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1204-40-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1204-41-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1556-45-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1556-47-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1556-46-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1556-44-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/2944-52-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-134-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-71-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-63-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-57-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-81-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-133-0x0000000077620000-0x0000000077621000-memory.dmp

Filesize
4KB

Download
memory/2944-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-73-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2944-54-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-49-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-51-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-53-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-50-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-13-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2944-221-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-222-0x00000000002D0000-0x00000000002F7000-memory.dmp

Filesize
156KB

Download
memory/2944-14-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2944-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2944-1-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download