Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27/06/2024, 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
- Size: 329KB
- MD5: 168359cb107f0a683cc3b6cc9ad3bd33
- SHA1: dfa76d77846020954a103cdd464035cd352c6b3e
- SHA256: c2825227ad839c4b4a5b881cb27c9fcae1cd321d07401b4bd067fe8e3d84b6da
- SHA512: 01fbc932cb0113e56a0932f0f4311a7396b920bb757b7e0e214b81831233a086656bb6aec72639793f9af15509d9a105835667753344fb9edc836207b1ce3f0c
- SSDEEP: 6144:qtEq7FUg/iyUXe2ZsD9eBVtQRlc12iVkIFzt9TLSDoC3FHvKHM6nfT:qaQFRiym920jcc1f9x9XS335vH0
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2820 | Process cmd.exe
- Executes dropped EXE (1 IoC)
  pid 3044 | Process dybos.exe
- Loads dropped DLL (2 IoCs)
  pid 1704 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
  pid 1704 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A8D7C348-7DCD-AD4F-393B-DBD01FB3F8CD} = "C:\\Users\\Admin\\AppData\\Roaming\\Iquri\\dybos.exe" | Process dybos.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1704 set thread context of 2820 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe | procid_target 29
- Modifies Internet Explorer settings
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid 3044 | Process dybos.exe (33 identical entries)
- Suspicious use of UnmapMainImage (2 IoCs)
  pid 1704 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe
  pid 3044 | Process dybos.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  PID 1704 wrote to memory of 3044 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe | procid_target 28 (4 entries)
  PID 3044 wrote to memory of 1188 | Process dybos.exe | procid_target 19 (5 entries)
  PID 3044 wrote to memory of 1276 | Process dybos.exe | procid_target 20 (5 entries)
  PID 3044 wrote to memory of 1336 | Process dybos.exe | procid_target 21 (5 entries)
  PID 3044 wrote to memory of 1872 | Process dybos.exe | procid_target 23 (5 entries)
  PID 3044 wrote to memory of 1704 | Process dybos.exe | procid_target 27 (5 entries)
  PID 1704 wrote to memory of 2820 | Process 168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe | procid_target 29 (9 entries)
  PID 3044 wrote to memory of 2316 | Process dybos.exe | procid_target 33 (5 entries)
  PID 3044 wrote to memory of 2496 | Process dybos.exe | procid_target 34 (5 entries)
Processes
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1188
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1276
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1336
  - C:\Users\Admin\AppData\Local\Temp\168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\168359cb107f0a683cc3b6cc9ad3bd33_JaffaCakes118.exe" | PID:1704
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Iquri\dybos.exe | "C:\Users\Admin\AppData\Roaming\Iquri\dybos.exe" | PID:3044
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe33937c6.bat" | PID:2820
      - Deletes itself
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1872
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:2316
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | PID:2496
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271B
  MD5: 1fb599988ddabfb65bb925472bc0dcc2
  SHA1: f94fbc94fdb15af2ba0c6c85fc5e1b2dcd729b35
  SHA256: 415d011bd8bc59da061245f039e76fba154cb724d51f3092517a3c8e216397bf
  SHA512: 62fe11f867f98b117d9e81249d2c0c6bd2803c2251da042884cfd5745baf62c960a6013d9bc2a0f564bb6adcc4efca92c37cb360c1b0865ce765d04a24d9585a
- Filesize: 329KB
  MD5: 0ed059b76309b57271367e1b28464147
  SHA1: 083c994cbae62d32a7d3c1343ddb464383e1ef71
  SHA256: fe7695d72f5b34c649de720fee7ff3b57855a01770b09b3823f1d2566418d78e
  SHA512: b3e9b4041588dbbe9f91634ee0a3d901b6a79827900f1f23272cd348842f11cd6259a2896f5f9a590fcf21bd82d27e1394c824ba717a2769571c811373aa9a9b