6313b9f11a0d7a063bc6b0d6c1f5f3f4df5b40ce43285cb907db6bbce1b60fa2

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
Size

277KB
MD5

2172cf72543d40ba4277f287e832bdcd
SHA1

8527428125ff11dda2dc7935edeb6b2fb108d85f
SHA256

6313b9f11a0d7a063bc6b0d6c1f5f3f4df5b40ce43285cb907db6bbce1b60fa2
SHA512

2861aaa7d37e14d296776b1da8c5d05b45fca23a8e8d262b6b57d320c18eee644c17b68d77952d3a6c8ed0434e30eca7caab6ace4e829845c658b1b7174a5abf
SSDEEP

6144:M94bSG6rzysDrwsSSYEkrD77q3UwQi7oQCAEzo:M9oFTkrwsSSYfn77OUZi7JCTo

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1264	teyh.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8BE2F68-5812-AD4F-F172-4D96D7386E8B} = "C:\\Users\\Admin\\AppData\\Roaming\\Wiitob\\teyh.exe"	teyh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe
1264	teyh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
Token: SeSecurityPrivilege	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
Token: SeSecurityPrivilege	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
1264	teyh.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1264	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	28
PID 2548 wrote to memory of 1264	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	28
PID 2548 wrote to memory of 1264	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	28
PID 2548 wrote to memory of 1264	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	28
PID 1264 wrote to memory of 1108	1264	teyh.exe	19
PID 1264 wrote to memory of 1108	1264	teyh.exe	19
PID 1264 wrote to memory of 1108	1264	teyh.exe	19
PID 1264 wrote to memory of 1108	1264	teyh.exe	19
PID 1264 wrote to memory of 1108	1264	teyh.exe	19
PID 1264 wrote to memory of 1156	1264	teyh.exe	20
PID 1264 wrote to memory of 1156	1264	teyh.exe	20
PID 1264 wrote to memory of 1156	1264	teyh.exe	20
PID 1264 wrote to memory of 1156	1264	teyh.exe	20
PID 1264 wrote to memory of 1156	1264	teyh.exe	20
PID 1264 wrote to memory of 1184	1264	teyh.exe	21
PID 1264 wrote to memory of 1184	1264	teyh.exe	21
PID 1264 wrote to memory of 1184	1264	teyh.exe	21
PID 1264 wrote to memory of 1184	1264	teyh.exe	21
PID 1264 wrote to memory of 1184	1264	teyh.exe	21
PID 1264 wrote to memory of 2044	1264	teyh.exe	23
PID 1264 wrote to memory of 2044	1264	teyh.exe	23
PID 1264 wrote to memory of 2044	1264	teyh.exe	23
PID 1264 wrote to memory of 2044	1264	teyh.exe	23
PID 1264 wrote to memory of 2044	1264	teyh.exe	23
PID 1264 wrote to memory of 2548	1264	teyh.exe	27
PID 1264 wrote to memory of 2548	1264	teyh.exe	27
PID 1264 wrote to memory of 2548	1264	teyh.exe	27
PID 1264 wrote to memory of 2548	1264	teyh.exe	27
PID 1264 wrote to memory of 2548	1264	teyh.exe	27
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29
PID 2548 wrote to memory of 1280	2548	2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2172cf72543d40ba4277f287e832bdcd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Roaming\Wiitob\teyh.exe
    "C:\Users\Admin\AppData\Roaming\Wiitob\teyh.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc05b7e90.bat"
    3⤵
    - Deletes itself
    PID:1280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc05b7e90.bat

Filesize
271B

MD5
662ae9481663b2219e7c9e0aee1152f7

SHA1
0e3a48e07ca0b0ded84bccb02633679a73d1d81e

SHA256
d00474b1a6ce5bb0ead6100c0c7d2afc482957e11586dd302104e9a7e9cca188

SHA512
77b406f575550c08c05a5c5c1b7c7820d46b05469647a95639a22babe080497cc3d0086be1013c36955d767f41a02d209fba00720b43a1edafb331c9796761ce

Download Submit
C:\Users\Admin\AppData\Roaming\Awdyv\kacyw.uzh

Filesize
380B

MD5
3e5d36256f00eb2ddde5c141816f8b7d

SHA1
a3997091cd6b5bef70bbab6f4817f93eecd7dc31

SHA256
1c6c2bac110586cb2d6456121620dffcfef060a51a5510954dea1a72cc704d52

SHA512
7f8fe464d37beeb63a21ac52ea70505298592c356f2ba003b815725c9bc6ab7688371f92badfa49c714099ad06bd14333b16570c1fc334eb2b56af7b763ecb29

Download Submit
C:\Users\Admin\AppData\Roaming\Wiitob\teyh.exe

Filesize
277KB

MD5
076522b6105c64bf4168674c627f76ef

SHA1
c9fcc972fd5ef151823c5841d73bd23c066223ff

SHA256
151d33f27bdf16ae1001463430eb1852561f5c698d5102fcabbd5dbe10eefd67

SHA512
c9429d610724e7a0b4d079294d67fffba5e51e75630eaaa1c8540d515aa6e2ae5bb9f5c0c45c34b8a918b54e5c6862c6336805442f77da8397bc66162de06303

Download Submit
memory/1108-20-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1108-23-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1108-22-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1108-19-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1108-21-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1156-26-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1156-25-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1156-27-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/1184-30-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1184-31-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1184-32-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1184-33-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1264-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-16-0x0000000000310000-0x0000000000358000-memory.dmp

Filesize
288KB

Download
memory/1264-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1264-15-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2044-40-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2044-36-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2044-42-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2044-38-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2548-132-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-70-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-60-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-58-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-56-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-54-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-52-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-50-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-49-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-48-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-47-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-45-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-62-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-64-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-68-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-156-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-72-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-74-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-76-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-78-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-80-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-133-0x0000000077330000-0x0000000077331000-memory.dmp

Filesize
4KB

Download
memory/2548-66-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2548-46-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-159-0x00000000004F0000-0x0000000000531000-memory.dmp

Filesize
260KB

Download
memory/2548-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-1-0x0000000000370000-0x00000000003B8000-memory.dmp

Filesize
288KB

Download