bfbb3ae8ccb79cd140f4fb02aa0f1c44337af673100d71ebdeff79e3df0a8440

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe
Size

303KB
MD5

1683825345721f193d32ed79f078b3a9
SHA1

3c353248df9b18f6fbf2f41c61474a5e7d2fdd2a
SHA256

bfbb3ae8ccb79cd140f4fb02aa0f1c44337af673100d71ebdeff79e3df0a8440
SHA512

0f63ea2d9b2a29bcc5a0ed1e250de9d9c7fc8867978c37baa68d92e3ed984e501e9abfc611c97a50bceb56bcbf09a007729d60689049d506446cf6781a845f93
SSDEEP

6144:VWFbxMlwB442mNFzpKbkYAsdinem80uZS:VU/lpzKMB8RS

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	qejyj.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F08D48C8-DA76-AD4E-F540-ECC2E1DBCFDF} = "C:\\Users\\Admin\\AppData\\Roaming\\Ivobv\\qejyj.exe"	qejyj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe
2892	qejyj.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe
2892	qejyj.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2892	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2892	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2892	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2892	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	28
PID 2892 wrote to memory of 1288	2892	qejyj.exe	19
PID 2892 wrote to memory of 1288	2892	qejyj.exe	19
PID 2892 wrote to memory of 1288	2892	qejyj.exe	19
PID 2892 wrote to memory of 1288	2892	qejyj.exe	19
PID 2892 wrote to memory of 1288	2892	qejyj.exe	19
PID 2892 wrote to memory of 1348	2892	qejyj.exe	20
PID 2892 wrote to memory of 1348	2892	qejyj.exe	20
PID 2892 wrote to memory of 1348	2892	qejyj.exe	20
PID 2892 wrote to memory of 1348	2892	qejyj.exe	20
PID 2892 wrote to memory of 1348	2892	qejyj.exe	20
PID 2892 wrote to memory of 1376	2892	qejyj.exe	21
PID 2892 wrote to memory of 1376	2892	qejyj.exe	21
PID 2892 wrote to memory of 1376	2892	qejyj.exe	21
PID 2892 wrote to memory of 1376	2892	qejyj.exe	21
PID 2892 wrote to memory of 1376	2892	qejyj.exe	21
PID 2892 wrote to memory of 772	2892	qejyj.exe	23
PID 2892 wrote to memory of 772	2892	qejyj.exe	23
PID 2892 wrote to memory of 772	2892	qejyj.exe	23
PID 2892 wrote to memory of 772	2892	qejyj.exe	23
PID 2892 wrote to memory of 772	2892	qejyj.exe	23
PID 2892 wrote to memory of 1720	2892	qejyj.exe	27
PID 2892 wrote to memory of 1720	2892	qejyj.exe	27
PID 2892 wrote to memory of 1720	2892	qejyj.exe	27
PID 2892 wrote to memory of 1720	2892	qejyj.exe	27
PID 2892 wrote to memory of 1720	2892	qejyj.exe	27
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29
PID 1720 wrote to memory of 2340	1720	1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1288

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1376
- C:\Users\Admin\AppData\Local\Temp\1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1683825345721f193d32ed79f078b3a9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Roaming\Ivobv\qejyj.exe
    "C:\Users\Admin\AppData\Roaming\Ivobv\qejyj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8ba24855.bat"
    3⤵
    - Deletes itself
    PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8ba24855.bat

Filesize
271B

MD5
c89e6be0aa4fefb3fbbe6e621463c090

SHA1
d2973bbd6f507f4c9c1dc8649f2065ed41fda0fc

SHA256
a4b35b4a737dff4c9d11091ff040d404c3c1e043879b3b968c8023942a4693af

SHA512
b4aed9143093a5e0d1a114157b077111d97316f4d225a85aee4acc45d498d4ac7dcb1c23d0b524f6e5a3b503dbbf4cf6fc4b0c25e95574216bdc500b7b972da7

Download Submit
\Users\Admin\AppData\Roaming\Ivobv\qejyj.exe

Filesize
303KB

MD5
cf471e35de894093870291b67c102180

SHA1
8ce29c8e90fc9a1f86f5d95d2547bd98f916e484

SHA256
52696393c401f2ca4d0b216301c2062fd9fa72513dbe11c720704b9e67baba4a

SHA512
f9d932619c6141e2c02a8849ee0b77d69c4f6dfca052952814a6fd91fd2dccdc6f705fd7465497b7c468146c7b67cac5eab17a0eb8ee4c77a0866eeb5f7a71f7

Download Submit
memory/772-43-0x0000000001D70000-0x0000000001DB3000-memory.dmp

Filesize
268KB

Download
memory/772-42-0x0000000001D70000-0x0000000001DB3000-memory.dmp

Filesize
268KB

Download
memory/772-41-0x0000000001D70000-0x0000000001DB3000-memory.dmp

Filesize
268KB

Download
memory/772-40-0x0000000001D70000-0x0000000001DB3000-memory.dmp

Filesize
268KB

Download
memory/1288-16-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/1288-14-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/1288-20-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/1288-22-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/1288-19-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/1348-26-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1348-28-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1348-30-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1348-32-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1376-35-0x0000000002A80000-0x0000000002AC3000-memory.dmp

Filesize
268KB

Download
memory/1376-36-0x0000000002A80000-0x0000000002AC3000-memory.dmp

Filesize
268KB

Download
memory/1376-37-0x0000000002A80000-0x0000000002AC3000-memory.dmp

Filesize
268KB

Download
memory/1376-38-0x0000000002A80000-0x0000000002AC3000-memory.dmp

Filesize
268KB

Download
memory/1720-136-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-57-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-55-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-52-0x0000000000530000-0x0000000000573000-memory.dmp

Filesize
268KB

Download
memory/1720-50-0x0000000000530000-0x0000000000573000-memory.dmp

Filesize
268KB

Download
memory/1720-48-0x0000000000530000-0x0000000000573000-memory.dmp

Filesize
268KB

Download
memory/1720-46-0x0000000000530000-0x0000000000573000-memory.dmp

Filesize
268KB

Download
memory/1720-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000000390000-0x00000000003DE000-memory.dmp

Filesize
312KB

Download
memory/1720-0-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1720-135-0x0000000077B70000-0x0000000077B71000-memory.dmp

Filesize
4KB

Download
memory/1720-54-0x0000000000530000-0x0000000000573000-memory.dmp

Filesize
268KB

Download
memory/1720-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-159-0x0000000000390000-0x00000000003DE000-memory.dmp

Filesize
312KB

Download
memory/2892-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2892-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-279-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2892-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download