6e0a506508a76afa2e312c188fdd7c7b53d1f0e60e950be6394aa5dd3cd94118

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe
Size

324KB
MD5

1b809145405f7d103ebfe176ef50838d
SHA1

0bf2722e8099b1cbbed95261e58dd12709a53303
SHA256

6e0a506508a76afa2e312c188fdd7c7b53d1f0e60e950be6394aa5dd3cd94118
SHA512

d9dfff62eecc2e28dbdaef56dff13e7d496fd76e4684149a6dbc2dd08f6f99537617628241f0a28f41fc1a6caa48b217a94f9acaf1361f5ac22099940259b72d
SSDEEP

6144:guTvtvjzxpOd90IzWCRow1W0y1KX6FiqL17J8:Lvtv3xpOd/KCRoP06KX6/17i

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3044	avki.exe
1096	avki.exe

Loads dropped DLL 3 IoCs

pid	Process
2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe
2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe
3044	avki.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A8D7C348-7DCD-AD4F-393B-DBD01FB3F8CD} = "C:\\Users\\Admin\\AppData\\Roaming\\Itab\\avki.exe"	avki.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 3044 set thread context of 1096	3044	avki.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy	avki.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	avki.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe
1096	avki.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2860	2248	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	28
PID 2860 wrote to memory of 3044	2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	29
PID 2860 wrote to memory of 3044	2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	29
PID 2860 wrote to memory of 3044	2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	29
PID 2860 wrote to memory of 3044	2860	1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 3044 wrote to memory of 1096	3044	avki.exe	30
PID 1096 wrote to memory of 1108	1096	avki.exe	19
PID 1096 wrote to memory of 1108	1096	avki.exe	19
PID 1096 wrote to memory of 1108	1096	avki.exe	19
PID 1096 wrote to memory of 1108	1096	avki.exe	19
PID 1096 wrote to memory of 1108	1096	avki.exe	19
PID 1096 wrote to memory of 1176	1096	avki.exe	20
PID 1096 wrote to memory of 1176	1096	avki.exe	20
PID 1096 wrote to memory of 1176	1096	avki.exe	20
PID 1096 wrote to memory of 1176	1096	avki.exe	20
PID 1096 wrote to memory of 1176	1096	avki.exe	20
PID 1096 wrote to memory of 1204	1096	avki.exe	21
PID 1096 wrote to memory of 1204	1096	avki.exe	21
PID 1096 wrote to memory of 1204	1096	avki.exe	21
PID 1096 wrote to memory of 1204	1096	avki.exe	21
PID 1096 wrote to memory of 1204	1096	avki.exe	21
PID 1096 wrote to memory of 1864	1096	avki.exe	23
PID 1096 wrote to memory of 1864	1096	avki.exe	23
PID 1096 wrote to memory of 1864	1096	avki.exe	23
PID 1096 wrote to memory of 1864	1096	avki.exe	23
PID 1096 wrote to memory of 1864	1096	avki.exe	23
PID 1096 wrote to memory of 2860	1096	avki.exe	28
PID 1096 wrote to memory of 2860	1096	avki.exe	28
PID 1096 wrote to memory of 2860	1096	avki.exe	28
PID 1096 wrote to memory of 2860	1096	avki.exe	28
PID 1096 wrote to memory of 2860	1096	avki.exe	28
PID 1096 wrote to memory of 3044	1096	avki.exe	29
PID 1096 wrote to memory of 3044	1096	avki.exe	29
PID 1096 wrote to memory of 3044	1096	avki.exe	29
PID 1096 wrote to memory of 3044	1096	avki.exe	29
PID 1096 wrote to memory of 3044	1096	avki.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b809145405f7d103ebfe176ef50838d_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Roaming\Itab\avki.exe
      "C:\Users\Admin\AppData\Roaming\Itab\avki.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Roaming\Itab\avki.exe
        
        "C:\Users\Admin\AppData\Roaming\Itab\avki.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Itab\avki.exe

Filesize
324KB

MD5
42f7f8f592cac459572374c02947ebad

SHA1
4e9e9c81c20ae5e160920de5d2a88184127610d2

SHA256
7a5f55be2e5bce7946b663542b12d07dc5694b1bf3ba6b32e6e6d3a72816a9b8

SHA512
6a91d780fe45fe530efdac633fdc1ef0fd03dab6897685fb2fe24591b066ae6446d1db33e6d1208f9876a00e1e0e78d24c16665a28ace568603ba0233fd20afe

Download Submit
memory/1096-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1096-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-51-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1108-50-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1108-52-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1108-53-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1176-55-0x0000000001AF0000-0x0000000001B34000-memory.dmp

Filesize
272KB

Download
memory/1176-56-0x0000000001AF0000-0x0000000001B34000-memory.dmp

Filesize
272KB

Download
memory/1176-57-0x0000000001AF0000-0x0000000001B34000-memory.dmp

Filesize
272KB

Download
memory/1176-58-0x0000000001AF0000-0x0000000001B34000-memory.dmp

Filesize
272KB

Download
memory/1204-61-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/1204-60-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/1204-62-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/1204-63-0x0000000002980000-0x00000000029C4000-memory.dmp

Filesize
272KB

Download
memory/1864-68-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1864-66-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1864-67-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1864-65-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/2248-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2248-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2248-12-0x0000000000320000-0x0000000000376000-memory.dmp

Filesize
344KB

Download
memory/2860-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-73-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/2860-75-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/2860-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-77-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/2860-79-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/2860-27-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2860-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-71-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/2860-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2860-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-176-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download