08261fdb75a1b978a91f727c876b231bd73387a7be6be9daf801db5680a62db2

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe
Size

193KB
MD5

2228651ceacc8308e64f5d90acd9a866
SHA1

36124eff02904d16a5bc870d7fae8e67cc87732d
SHA256

08261fdb75a1b978a91f727c876b231bd73387a7be6be9daf801db5680a62db2
SHA512

08ba6f62f726a877e4aacb62f82ced726db11dcc7b630b28b6161a923799b5430277b799a3e6d3029892ead9ec9df0abae2b2a8ebc74257009716273560e0e76
SSDEEP

6144:2OLIjNW1BsAxUOi3xcA/MgWVoP4bQxwVQ46:aNiBxUz3iAEgqjuX

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2856	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	zegy.exe

Loads dropped DLL 2 IoCs

pid	Process
840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe
840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\{388D705F-5D32-F843-0C2D-1C568AD805A3} = "C:\\Users\\Admin\\AppData\\Roaming\\Pove\\zegy.exe"	zegy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe
3040	zegy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3040	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	28
PID 840 wrote to memory of 3040	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	28
PID 840 wrote to memory of 3040	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	28
PID 840 wrote to memory of 3040	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	28
PID 3040 wrote to memory of 1096	3040	zegy.exe	19
PID 3040 wrote to memory of 1096	3040	zegy.exe	19
PID 3040 wrote to memory of 1096	3040	zegy.exe	19
PID 3040 wrote to memory of 1096	3040	zegy.exe	19
PID 3040 wrote to memory of 1096	3040	zegy.exe	19
PID 3040 wrote to memory of 1152	3040	zegy.exe	20
PID 3040 wrote to memory of 1152	3040	zegy.exe	20
PID 3040 wrote to memory of 1152	3040	zegy.exe	20
PID 3040 wrote to memory of 1152	3040	zegy.exe	20
PID 3040 wrote to memory of 1152	3040	zegy.exe	20
PID 3040 wrote to memory of 1192	3040	zegy.exe	21
PID 3040 wrote to memory of 1192	3040	zegy.exe	21
PID 3040 wrote to memory of 1192	3040	zegy.exe	21
PID 3040 wrote to memory of 1192	3040	zegy.exe	21
PID 3040 wrote to memory of 1192	3040	zegy.exe	21
PID 3040 wrote to memory of 804	3040	zegy.exe	23
PID 3040 wrote to memory of 804	3040	zegy.exe	23
PID 3040 wrote to memory of 804	3040	zegy.exe	23
PID 3040 wrote to memory of 804	3040	zegy.exe	23
PID 3040 wrote to memory of 804	3040	zegy.exe	23
PID 3040 wrote to memory of 840	3040	zegy.exe	27
PID 3040 wrote to memory of 840	3040	zegy.exe	27
PID 3040 wrote to memory of 840	3040	zegy.exe	27
PID 3040 wrote to memory of 840	3040	zegy.exe	27
PID 3040 wrote to memory of 840	3040	zegy.exe	27
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29
PID 840 wrote to memory of 2856	840	2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2228651ceacc8308e64f5d90acd9a866_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Roaming\Pove\zegy.exe
    "C:\Users\Admin\AppData\Roaming\Pove\zegy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe7b6f374.bat"
    3⤵
    - Deletes itself
    PID:2856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe7b6f374.bat

Filesize
271B

MD5
417c4907f8b8a5ad9b8e45fe86124dac

SHA1
872c310fef70d2f406f9a64ff2f167efba49fc94

SHA256
f8f1c1ab6c19df1cc5cce2baf46adbcaa32d8d5607eab4ef3375552c37726690

SHA512
46a498067bf378ed9a2d795241716f5d2b203bc8167508cbc19c2ab889bfb1e0998c6223e2000d50e27e03d622fcfc1665ff901c5f4de47a2ecca84fd00a04dd

Download Submit
\Users\Admin\AppData\Roaming\Pove\zegy.exe

Filesize
193KB

MD5
24e8d6d4091ce4e4ae0665a9a6b1a99d

SHA1
df46c873d73e0d49c9bfe677abc295c55d923775

SHA256
c61ffdd9738efdd3292cd623c069e40dbb425e0723423db223dfff41cdf4d113

SHA512
fe52e57f8efead5432ffaa063a0eaf1dee4d66cd255b253d0f254503829edf2ac7fa66217ad1bc667597a64faaff34d47bfae5726b27d62e1e84c99d3c1010eb

Download Submit
memory/804-41-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/804-38-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/804-39-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/804-40-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/840-50-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-74-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-0-0x000000000042A000-0x000000000042D000-memory.dmp

Filesize
12KB

Download
memory/840-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-60-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-47-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-46-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-45-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-44-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-43-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-62-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-64-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-66-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-68-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-48-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download
memory/840-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-70-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-72-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-76-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-78-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-80-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-52-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-54-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-58-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/840-56-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/1096-18-0x0000000001BC0000-0x0000000001BE8000-memory.dmp

Filesize
160KB

Download
memory/1096-19-0x0000000001BC0000-0x0000000001BE8000-memory.dmp

Filesize
160KB

Download
memory/1096-20-0x0000000001BC0000-0x0000000001BE8000-memory.dmp

Filesize
160KB

Download
memory/1096-21-0x0000000001BC0000-0x0000000001BE8000-memory.dmp

Filesize
160KB

Download
memory/1096-17-0x0000000001BC0000-0x0000000001BE8000-memory.dmp

Filesize
160KB

Download
memory/1152-26-0x0000000001C70000-0x0000000001C98000-memory.dmp

Filesize
160KB

Download
memory/1152-24-0x0000000001C70000-0x0000000001C98000-memory.dmp

Filesize
160KB

Download
memory/1152-25-0x0000000001C70000-0x0000000001C98000-memory.dmp

Filesize
160KB

Download
memory/1152-23-0x0000000001C70000-0x0000000001C98000-memory.dmp

Filesize
160KB

Download
memory/1192-33-0x0000000002200000-0x0000000002228000-memory.dmp

Filesize
160KB

Download
memory/1192-35-0x0000000002200000-0x0000000002228000-memory.dmp

Filesize
160KB

Download
memory/1192-31-0x0000000002200000-0x0000000002228000-memory.dmp

Filesize
160KB

Download
memory/1192-29-0x0000000002200000-0x0000000002228000-memory.dmp

Filesize
160KB

Download
memory/3040-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3040-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download