cae096ca764be6ac33896daaac5d26eacb48332c145ef8f086c0a98b1b6774a7

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe
Size

368KB
MD5

1b249bde07c73f6df501d41c165fe43d
SHA1

21a53228f06138bc2e22d73c061f3db923db5532
SHA256

cae096ca764be6ac33896daaac5d26eacb48332c145ef8f086c0a98b1b6774a7
SHA512

6ef73f3968dcb108abf2593ee39c51cacf7d20680a32df94d58e09dfb7120cfb73a39787df1a9bd3427ab346307529f0d9ffb5169f8f2b1b65e5a96fde9245b0
SSDEEP

6144:svKTFDKKX3DvcXvRe0UUdtuNObc/6e1X2llEBsvtQ71BlJ:cqTsed1N3NX2Hvw

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1976	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	xaeda.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe
2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9EC938C8-8543-AD4E-DD27-CD48CA2DEE55} = "C:\\Users\\Admin\\AppData\\Roaming\\Ingyoc\\xaeda.exe"	xaeda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Privacy	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe
2568	xaeda.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe
2568	xaeda.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2568	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2568	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2568	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2568	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	28
PID 2568 wrote to memory of 1072	2568	xaeda.exe	18
PID 2568 wrote to memory of 1072	2568	xaeda.exe	18
PID 2568 wrote to memory of 1072	2568	xaeda.exe	18
PID 2568 wrote to memory of 1072	2568	xaeda.exe	18
PID 2568 wrote to memory of 1072	2568	xaeda.exe	18
PID 2568 wrote to memory of 1128	2568	xaeda.exe	19
PID 2568 wrote to memory of 1128	2568	xaeda.exe	19
PID 2568 wrote to memory of 1128	2568	xaeda.exe	19
PID 2568 wrote to memory of 1128	2568	xaeda.exe	19
PID 2568 wrote to memory of 1128	2568	xaeda.exe	19
PID 2568 wrote to memory of 1152	2568	xaeda.exe	20
PID 2568 wrote to memory of 1152	2568	xaeda.exe	20
PID 2568 wrote to memory of 1152	2568	xaeda.exe	20
PID 2568 wrote to memory of 1152	2568	xaeda.exe	20
PID 2568 wrote to memory of 1152	2568	xaeda.exe	20
PID 2568 wrote to memory of 1712	2568	xaeda.exe	23
PID 2568 wrote to memory of 1712	2568	xaeda.exe	23
PID 2568 wrote to memory of 1712	2568	xaeda.exe	23
PID 2568 wrote to memory of 1712	2568	xaeda.exe	23
PID 2568 wrote to memory of 1712	2568	xaeda.exe	23
PID 2568 wrote to memory of 2908	2568	xaeda.exe	27
PID 2568 wrote to memory of 2908	2568	xaeda.exe	27
PID 2568 wrote to memory of 2908	2568	xaeda.exe	27
PID 2568 wrote to memory of 2908	2568	xaeda.exe	27
PID 2568 wrote to memory of 2908	2568	xaeda.exe	27
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29
PID 2908 wrote to memory of 1976	2908	1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1b249bde07c73f6df501d41c165fe43d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Roaming\Ingyoc\xaeda.exe
    "C:\Users\Admin\AppData\Roaming\Ingyoc\xaeda.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8a15cb27.bat"
    3⤵
    - Deletes itself
    PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8a15cb27.bat

Filesize
271B

MD5
0ef164f7eb0c340f662abcb54ce7cd5c

SHA1
cdce4c95e6a96a3efd23f87eb458a13785686f48

SHA256
de947c0154fd4beac93f64ccf9c304c200ecc3cf4c401ad3d44a794b0b72b3cd

SHA512
b408c2fdd7ae45e691544fe76561ff5088ed791ca1012483c3d35f636c2a3ae2878fb2e35986acde78cf4dfce482e9f492795cf86124d9af1cb15544b2718836

Download Submit
\Users\Admin\AppData\Roaming\Ingyoc\xaeda.exe

Filesize
368KB

MD5
ddeb75470d6e7f3b696e82c71cb86003

SHA1
e4a414c7a4cea8221820451deffa4f720bba2bdf

SHA256
446327f1a6f5a486f07fd171c8477caed0ec44630df360b290071d36a7482ee6

SHA512
ba754a661421ebf4a65119e443e066a5a0b349ddd2e6abf841907867978f7c2a0503f64dfaa3d9d7597d636da5f9461f823c53b297e77d3e0597d5178dce06dc

Download Submit
memory/1072-25-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1072-21-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1072-23-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1072-27-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1072-19-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1128-31-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1128-30-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1128-32-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1128-33-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1152-40-0x00000000025F0000-0x0000000002634000-memory.dmp

Filesize
272KB

Download
memory/1152-42-0x00000000025F0000-0x0000000002634000-memory.dmp

Filesize
272KB

Download
memory/1152-36-0x00000000025F0000-0x0000000002634000-memory.dmp

Filesize
272KB

Download
memory/1152-38-0x00000000025F0000-0x0000000002634000-memory.dmp

Filesize
272KB

Download
memory/1712-48-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1712-45-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1712-46-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1712-47-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/2568-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-17-0x0000000000390000-0x00000000003EF000-memory.dmp

Filesize
380KB

Download
memory/2568-16-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/2908-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000000370000-0x00000000003CF000-memory.dmp

Filesize
380KB

Download
memory/2908-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-59-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2908-57-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2908-55-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2908-53-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2908-51-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2908-66-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-75-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-64-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-142-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2908-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-165-0x0000000000370000-0x00000000003CF000-memory.dmp

Filesize
380KB

Download
memory/2908-0-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2908-68-0x0000000077430000-0x0000000077431000-memory.dmp

Filesize
4KB

Download