c5095774e6fc9813fe00408f84791557ff9e28ba1269745fb298c8a6b89a834b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe
Size

353KB
MD5

191a6b87a4cfde43c418f8d3f8125dd4
SHA1

11caaae4b81e32475880bbb6162f36395ae3fd47
SHA256

c5095774e6fc9813fe00408f84791557ff9e28ba1269745fb298c8a6b89a834b
SHA512

16d781edab16408f5b45aa72f80e6cb03f4da22e4efb5ca3a1cc4114c2ddba7e03bc926696ade04a0e03b310f7a1fbb3b519a36a2fdcce64af71c21015dcfbb4
SSDEEP

6144:e36wMPKotBFuFq/4b0OQ6iQHWSRpjvpyoWlRlDqDjl4AFyO7Qk79VulTweZ5q:SEPBF5/4c6ifSRPFWlRl2t4AyiQGA8eq

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	ledoli.exe
2656	ledoli.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe
2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8BE2F68-5812-AD4F-F172-4D96D7386E8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Ujwe\\ledoli.exe"	ledoli.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 2720 set thread context of 2656	2720	ledoli.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe
2656	ledoli.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 1740 wrote to memory of 2260	1740	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2720	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2720	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2720	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2720	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	29
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2720 wrote to memory of 2656	2720	ledoli.exe	30
PID 2656 wrote to memory of 1112	2656	ledoli.exe	19
PID 2656 wrote to memory of 1112	2656	ledoli.exe	19
PID 2656 wrote to memory of 1112	2656	ledoli.exe	19
PID 2656 wrote to memory of 1112	2656	ledoli.exe	19
PID 2656 wrote to memory of 1112	2656	ledoli.exe	19
PID 2656 wrote to memory of 1160	2656	ledoli.exe	20
PID 2656 wrote to memory of 1160	2656	ledoli.exe	20
PID 2656 wrote to memory of 1160	2656	ledoli.exe	20
PID 2656 wrote to memory of 1160	2656	ledoli.exe	20
PID 2656 wrote to memory of 1160	2656	ledoli.exe	20
PID 2656 wrote to memory of 1196	2656	ledoli.exe	21
PID 2656 wrote to memory of 1196	2656	ledoli.exe	21
PID 2656 wrote to memory of 1196	2656	ledoli.exe	21
PID 2656 wrote to memory of 1196	2656	ledoli.exe	21
PID 2656 wrote to memory of 1196	2656	ledoli.exe	21
PID 2656 wrote to memory of 544	2656	ledoli.exe	23
PID 2656 wrote to memory of 544	2656	ledoli.exe	23
PID 2656 wrote to memory of 544	2656	ledoli.exe	23
PID 2656 wrote to memory of 544	2656	ledoli.exe	23
PID 2656 wrote to memory of 544	2656	ledoli.exe	23
PID 2656 wrote to memory of 2260	2656	ledoli.exe	28
PID 2656 wrote to memory of 2260	2656	ledoli.exe	28
PID 2656 wrote to memory of 2260	2656	ledoli.exe	28
PID 2656 wrote to memory of 2260	2656	ledoli.exe	28
PID 2656 wrote to memory of 2260	2656	ledoli.exe	28
PID 2260 wrote to memory of 2716	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2716	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2716	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	31
PID 2260 wrote to memory of 2716	2260	191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2716	2656	ledoli.exe	31
PID 2656 wrote to memory of 2716	2656	ledoli.exe	31
PID 2656 wrote to memory of 2716	2656	ledoli.exe	31
PID 2656 wrote to memory of 2716	2656	ledoli.exe	31
PID 2656 wrote to memory of 2716	2656	ledoli.exe	31
PID 2656 wrote to memory of 2316	2656	ledoli.exe	35
PID 2656 wrote to memory of 2316	2656	ledoli.exe	35
PID 2656 wrote to memory of 2316	2656	ledoli.exe	35
PID 2656 wrote to memory of 2316	2656	ledoli.exe	35
PID 2656 wrote to memory of 2316	2656	ledoli.exe	35
PID 2656 wrote to memory of 1528	2656	ledoli.exe	36
PID 2656 wrote to memory of 1528	2656	ledoli.exe	36
PID 2656 wrote to memory of 1528	2656	ledoli.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\191a6b87a4cfde43c418f8d3f8125dd4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Roaming\Ujwe\ledoli.exe
      "C:\Users\Admin\AppData\Roaming\Ujwe\ledoli.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Roaming\Ujwe\ledoli.exe
        
        "C:\Users\Admin\AppData\Roaming\Ujwe\ledoli.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f7dec95.bat"
      4⤵
      Deletes itself
      PID:2716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2316

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7f7dec95.bat

Filesize
271B

MD5
dd9ba752449c8aa6c5f45a64efb10a61

SHA1
648d4d56a489179e83da3907e0ed87d94e9d51cb

SHA256
d87f09504238c91468f98b2b3b71332122d029a0637fc102a08036db97c89344

SHA512
a702e94bcacadc91ea65dffc6ab72ece47aa7505993cb7dca60f73b8b0d0e6bb0113cae1cba0d690cf4bf8af26fe39363fa01ca6c5570fed413c4a1c31e4e58e

Download Submit
C:\Users\Admin\AppData\Roaming\Ujwe\ledoli.exe

Filesize
353KB

MD5
22d3e8b064251fa7071f7dd4ac898965

SHA1
aad01c974b0c50662f5c5bc2523fbb2f19587615

SHA256
3dea635019021cdf91406dac0152f526c03043bc737c115c068512ca32e578bc

SHA512
ad4b90cdec0648316604d2947cbf95dd594983cceaf461f94ae273afa4a01ef0c11da72ec646d4b643bf6185ae5e06b9f771410abd0fcdf9271e6243a2996afd

Download Submit
memory/544-75-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/544-74-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/544-73-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/544-72-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1112-54-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1112-53-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1112-52-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1112-55-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1160-62-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1160-60-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1160-64-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1160-58-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1196-68-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1196-70-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1196-69-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1196-67-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1740-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1740-1-0x0000000000590000-0x00000000005EE000-memory.dmp

Filesize
376KB

Download
memory/1740-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2260-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-30-0x0000000000550000-0x00000000005AE000-memory.dmp

Filesize
376KB

Download
memory/2260-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-84-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2260-82-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2260-81-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-80-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-79-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-78-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-77-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-29-0x0000000000550000-0x00000000005AE000-memory.dmp

Filesize
376KB

Download
memory/2260-182-0x0000000000550000-0x0000000000594000-memory.dmp

Filesize
272KB

Download
memory/2260-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-31-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2720-47-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download