c1da547ce4b25ecc9477dee3f7b2713956ce6ae35bd0ea7228867aa06e8fd874

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 16:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe
Size

157KB
MD5

16c21c7a18b2a97ed8a4632b1bb5688f
SHA1

9643e1b5950dfc26c34e59d69593d53dc9504d84
SHA256

c1da547ce4b25ecc9477dee3f7b2713956ce6ae35bd0ea7228867aa06e8fd874
SHA512

d52cd40459ef196c33b1a1a4bdc923e59aec8e46e7d1f87a81815d279c21119fa1ac0843223cc33d529f6daad9adf0d532e168c24c96f5c88747fe6d7339b39e
SSDEEP

3072:/YFZqfEQE9mM3EnsRWzUSJ/aQiTM80ItTJKOGn4PgirLMKdK:QCQ9mM3VR0tJCTMyJ4ggir4KdK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	awse.exe

Loads dropped DLL 1 IoCs

pid	Process
1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4576AEE9-5A62-3DD6-254F-F0EEE9A749BD} = "C:\\Users\\Admin\\AppData\\Roaming\\Sehuqe\\awse.exe"	awse.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe
1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe
2160	awse.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2160	1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2160	1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2160	1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2160	1276	16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe	28
PID 2160 wrote to memory of 1100	2160	awse.exe	19
PID 2160 wrote to memory of 1100	2160	awse.exe	19
PID 2160 wrote to memory of 1100	2160	awse.exe	19
PID 2160 wrote to memory of 1100	2160	awse.exe	19
PID 2160 wrote to memory of 1100	2160	awse.exe	19
PID 2160 wrote to memory of 1160	2160	awse.exe	20
PID 2160 wrote to memory of 1160	2160	awse.exe	20
PID 2160 wrote to memory of 1160	2160	awse.exe	20
PID 2160 wrote to memory of 1160	2160	awse.exe	20
PID 2160 wrote to memory of 1160	2160	awse.exe	20
PID 2160 wrote to memory of 1184	2160	awse.exe	21
PID 2160 wrote to memory of 1184	2160	awse.exe	21
PID 2160 wrote to memory of 1184	2160	awse.exe	21
PID 2160 wrote to memory of 1184	2160	awse.exe	21
PID 2160 wrote to memory of 1184	2160	awse.exe	21
PID 2160 wrote to memory of 2376	2160	awse.exe	23
PID 2160 wrote to memory of 2376	2160	awse.exe	23
PID 2160 wrote to memory of 2376	2160	awse.exe	23
PID 2160 wrote to memory of 2376	2160	awse.exe	23
PID 2160 wrote to memory of 2376	2160	awse.exe	23
PID 2160 wrote to memory of 1276	2160	awse.exe	27
PID 2160 wrote to memory of 1276	2160	awse.exe	27
PID 2160 wrote to memory of 1276	2160	awse.exe	27
PID 2160 wrote to memory of 1276	2160	awse.exe	27
PID 2160 wrote to memory of 1276	2160	awse.exe	27
PID 2160 wrote to memory of 812	2160	awse.exe	29
PID 2160 wrote to memory of 812	2160	awse.exe	29
PID 2160 wrote to memory of 812	2160	awse.exe	29
PID 2160 wrote to memory of 812	2160	awse.exe	29
PID 2160 wrote to memory of 812	2160	awse.exe	29
PID 2160 wrote to memory of 2024	2160	awse.exe	30
PID 2160 wrote to memory of 2024	2160	awse.exe	30
PID 2160 wrote to memory of 2024	2160	awse.exe	30
PID 2160 wrote to memory of 2024	2160	awse.exe	30
PID 2160 wrote to memory of 2024	2160	awse.exe	30
PID 2160 wrote to memory of 1980	2160	awse.exe	31
PID 2160 wrote to memory of 1980	2160	awse.exe	31
PID 2160 wrote to memory of 1980	2160	awse.exe	31
PID 2160 wrote to memory of 1980	2160	awse.exe	31
PID 2160 wrote to memory of 1980	2160	awse.exe	31
PID 2160 wrote to memory of 1548	2160	awse.exe	32
PID 2160 wrote to memory of 1548	2160	awse.exe	32
PID 2160 wrote to memory of 1548	2160	awse.exe	32
PID 2160 wrote to memory of 1548	2160	awse.exe	32
PID 2160 wrote to memory of 1548	2160	awse.exe	32
PID 2160 wrote to memory of 2864	2160	awse.exe	33
PID 2160 wrote to memory of 2864	2160	awse.exe	33
PID 2160 wrote to memory of 2864	2160	awse.exe	33
PID 2160 wrote to memory of 2864	2160	awse.exe	33
PID 2160 wrote to memory of 2864	2160	awse.exe	33
PID 2160 wrote to memory of 344	2160	awse.exe	36
PID 2160 wrote to memory of 344	2160	awse.exe	36
PID 2160 wrote to memory of 344	2160	awse.exe	36
PID 2160 wrote to memory of 344	2160	awse.exe	36
PID 2160 wrote to memory of 344	2160	awse.exe	36
PID 2160 wrote to memory of 1336	2160	awse.exe	37
PID 2160 wrote to memory of 1336	2160	awse.exe	37
PID 2160 wrote to memory of 1336	2160	awse.exe	37
PID 2160 wrote to memory of 1336	2160	awse.exe	37
PID 2160 wrote to memory of 1336	2160	awse.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\16c21c7a18b2a97ed8a4632b1bb5688f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Roaming\Sehuqe\awse.exe
    "C:\Users\Admin\AppData\Roaming\Sehuqe\awse.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2460

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Sehuqe\awse.exe

Filesize
157KB

MD5
35393d45d2fecb979952cc1b1da2281c

SHA1
ff015561d4c637809e4fccb71374c44b48914363

SHA256
01d9f96edf9b394c5c2402d32e23b9038efdc80cf77478ea1d4f84b5be145f99

SHA512
0301587e82c54a7dadc83194f2936749f43d3c311c9826b0debc46060b57429307414c3ee3668a52202cf821ff4c3f4d9da2ec634efe80847791678730ba122b

Download Submit
memory/812-83-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/812-85-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/812-87-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/812-89-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/1100-15-0x0000000001F20000-0x0000000001F4C000-memory.dmp

Filesize
176KB

Download
memory/1100-17-0x0000000001F20000-0x0000000001F4C000-memory.dmp

Filesize
176KB

Download
memory/1100-13-0x0000000001F20000-0x0000000001F4C000-memory.dmp

Filesize
176KB

Download
memory/1100-19-0x0000000001F20000-0x0000000001F4C000-memory.dmp

Filesize
176KB

Download
memory/1100-21-0x0000000001F20000-0x0000000001F4C000-memory.dmp

Filesize
176KB

Download
memory/1160-25-0x0000000001F90000-0x0000000001FBC000-memory.dmp

Filesize
176KB

Download
memory/1160-27-0x0000000001F90000-0x0000000001FBC000-memory.dmp

Filesize
176KB

Download
memory/1160-29-0x0000000001F90000-0x0000000001FBC000-memory.dmp

Filesize
176KB

Download
memory/1160-31-0x0000000001F90000-0x0000000001FBC000-memory.dmp

Filesize
176KB

Download
memory/1184-37-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/1184-34-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/1184-35-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/1184-36-0x00000000024B0000-0x00000000024DC000-memory.dmp

Filesize
176KB

Download
memory/1276-54-0x00000000006E0000-0x000000000070C000-memory.dmp

Filesize
176KB

Download
memory/1276-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1276-56-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1276-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1276-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1276-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1276-46-0x00000000006E0000-0x000000000070C000-memory.dmp

Filesize
176KB

Download
memory/1276-48-0x00000000006E0000-0x000000000070C000-memory.dmp

Filesize
176KB

Download
memory/1276-50-0x00000000006E0000-0x000000000070C000-memory.dmp

Filesize
176KB

Download
memory/1276-0-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/1276-52-0x00000000006E0000-0x000000000070C000-memory.dmp

Filesize
176KB

Download
memory/2024-98-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/2024-100-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/2024-96-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/2024-94-0x0000000000320000-0x000000000034C000-memory.dmp

Filesize
176KB

Download
memory/2160-10-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2160-11-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2160-91-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2160-109-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2376-43-0x0000000000470000-0x000000000049C000-memory.dmp

Filesize
176KB

Download
memory/2376-42-0x0000000000470000-0x000000000049C000-memory.dmp

Filesize
176KB

Download
memory/2376-41-0x0000000000470000-0x000000000049C000-memory.dmp

Filesize
176KB

Download
memory/2376-40-0x0000000000470000-0x000000000049C000-memory.dmp

Filesize
176KB

Download