8411e37ef9e2091054a8c34245fad081d4dab07c608606720f3d4c00430dfeef

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe
Size

255KB
MD5

1521a92d59d71d7112cef3a0a0e727af
SHA1

8cb135cef2c081ffaad6c0cef85289b31679ee20
SHA256

8411e37ef9e2091054a8c34245fad081d4dab07c608606720f3d4c00430dfeef
SHA512

be66a9b4d3a890ea95d9f225028d70e5135e15ed78e6302acd4c1493fcb166da4344dd0a1ca59174d9c5f09b7511c5cfd1a829036cb1c59f456a069c1d53aa40
SSDEEP

6144:e4Tm1mRi76BeR7XM7WTXJqBD192bz3xCBv5+ALH:e4i1b76BehXM7WAJ2bz3QP+C

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1516	joyb.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe
2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A8D7C348-7DCD-AD4F-393B-DBD01FB3F8CD} = "C:\\Users\\Admin\\AppData\\Roaming\\Ipgy\\joyb.exe"	joyb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe
1516	joyb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe
1516	joyb.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1516	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1516	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1516	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	28
PID 2576 wrote to memory of 1516	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	28
PID 1516 wrote to memory of 1120	1516	joyb.exe	19
PID 1516 wrote to memory of 1120	1516	joyb.exe	19
PID 1516 wrote to memory of 1120	1516	joyb.exe	19
PID 1516 wrote to memory of 1120	1516	joyb.exe	19
PID 1516 wrote to memory of 1120	1516	joyb.exe	19
PID 1516 wrote to memory of 1204	1516	joyb.exe	20
PID 1516 wrote to memory of 1204	1516	joyb.exe	20
PID 1516 wrote to memory of 1204	1516	joyb.exe	20
PID 1516 wrote to memory of 1204	1516	joyb.exe	20
PID 1516 wrote to memory of 1204	1516	joyb.exe	20
PID 1516 wrote to memory of 1252	1516	joyb.exe	21
PID 1516 wrote to memory of 1252	1516	joyb.exe	21
PID 1516 wrote to memory of 1252	1516	joyb.exe	21
PID 1516 wrote to memory of 1252	1516	joyb.exe	21
PID 1516 wrote to memory of 1252	1516	joyb.exe	21
PID 1516 wrote to memory of 2004	1516	joyb.exe	23
PID 1516 wrote to memory of 2004	1516	joyb.exe	23
PID 1516 wrote to memory of 2004	1516	joyb.exe	23
PID 1516 wrote to memory of 2004	1516	joyb.exe	23
PID 1516 wrote to memory of 2004	1516	joyb.exe	23
PID 1516 wrote to memory of 2576	1516	joyb.exe	27
PID 1516 wrote to memory of 2576	1516	joyb.exe	27
PID 1516 wrote to memory of 2576	1516	joyb.exe	27
PID 1516 wrote to memory of 2576	1516	joyb.exe	27
PID 1516 wrote to memory of 2576	1516	joyb.exe	27
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29
PID 2576 wrote to memory of 2876	2576	1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1521a92d59d71d7112cef3a0a0e727af_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Ipgy\joyb.exe
    "C:\Users\Admin\AppData\Roaming\Ipgy\joyb.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbcb446c9.bat"
    3⤵
    - Deletes itself
    PID:2876

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbcb446c9.bat

Filesize
271B

MD5
7e8ee14ec0cb24c03d622566543c1f07

SHA1
f58e585de2640ebeaa3e82bfed7192ec0be406bb

SHA256
f1281136d5698f7086fec5463f15202f3e49e997e81dc5211da780c568c61f7c

SHA512
488845217ecd01b454700d837c4b5abb008ab7e2cd92697f629fdc693025f058e878b25c6e6435e4d22ec98d080e8a3c23ae8b767dd59269a3047aeddf69cb45

Download Submit
\Users\Admin\AppData\Roaming\Ipgy\joyb.exe

Filesize
255KB

MD5
d63f2905409a689a3256cf56d4886977

SHA1
bc2aa5c0fca8a1d4551e35a31fe25125aad9eaa6

SHA256
8ad40ca0b0feee29a2c7a3f18541829248bb1721aab6227a3c742cc0943da730

SHA512
c9e97d12f2b0f85d0326bcd5d36d88cad27554d6c2f236332edff08b821cc08da2cf334d2bfa9e265877c1323da347ccdfec23ccb544e2bacb20787e60467d74

Download Submit
memory/1120-25-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1120-23-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1120-21-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1120-19-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1120-18-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1204-30-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/1204-28-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/1204-31-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/1204-29-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/1252-35-0x00000000029C0000-0x00000000029FF000-memory.dmp

Filesize
252KB

Download
memory/1252-33-0x00000000029C0000-0x00000000029FF000-memory.dmp

Filesize
252KB

Download
memory/1252-34-0x00000000029C0000-0x00000000029FF000-memory.dmp

Filesize
252KB

Download
memory/1252-36-0x00000000029C0000-0x00000000029FF000-memory.dmp

Filesize
252KB

Download
memory/1516-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1516-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2004-41-0x0000000001CE0000-0x0000000001D1F000-memory.dmp

Filesize
252KB

Download
memory/2004-38-0x0000000001CE0000-0x0000000001D1F000-memory.dmp

Filesize
252KB

Download
memory/2004-39-0x0000000001CE0000-0x0000000001D1F000-memory.dmp

Filesize
252KB

Download
memory/2004-40-0x0000000001CE0000-0x0000000001D1F000-memory.dmp

Filesize
252KB

Download
memory/2576-78-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-76-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-54-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-52-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-50-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-48-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-46-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-45-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-44-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-58-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-60-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-62-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-63-0x0000000077BD0000-0x0000000077BD1000-memory.dmp

Filesize
4KB

Download
memory/2576-66-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-70-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-72-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-74-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-56-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-0-0x0000000000450000-0x000000000048F000-memory.dmp

Filesize
252KB

Download
memory/2576-80-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-68-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-64-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-47-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-43-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-133-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2576-158-0x0000000001F00000-0x0000000001F3F000-memory.dmp

Filesize
252KB

Download
memory/2576-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-156-0x0000000000490000-0x00000000004D5000-memory.dmp

Filesize
276KB

Download
memory/2576-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-1-0x0000000000490000-0x00000000004D5000-memory.dmp

Filesize
276KB

Download