adca7d97a41a06dc64c5c52dc17c426cbef5831b71ed2224a3305ec29fbc38b7

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
Size

322KB
MD5

2386b3e0f5838ed703f47609640f0b88
SHA1

ddf357c937df06db04a9ff305fa193de7a4583dd
SHA256

adca7d97a41a06dc64c5c52dc17c426cbef5831b71ed2224a3305ec29fbc38b7
SHA512

d33f4b316a51bce0b3c0bf38e94080f98ea95d66928084f48b98bbf7578fe032f15902ee82e611afb0b1df632182bd99eced147e703e0424a99eb72a204da1b9
SSDEEP

6144:BJiCtKk4IwCpkoD1ijqNZKRCWMq+OodNkmCihmve:XwzGpkw1ijCZKRCWMq+NPRJMG

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
748	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2616	abejve.exe
2540	abejve.exe

Loads dropped DLL 3 IoCs

pid	Process
2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
2616	abejve.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E97AF648-8469-AD4E-B6B3-012D8E7B2230} = "C:\\Users\\Admin\\AppData\\Roaming\\Byop\\abejve.exe"	abejve.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2616 set thread context of 2540	2616	abejve.exe	30
PID 2112 set thread context of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06365AF2-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe
2540	abejve.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1532	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1532	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2112	2092	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	28
PID 2112 wrote to memory of 2616	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2616	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2616	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	29
PID 2112 wrote to memory of 2616	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2616 wrote to memory of 2540	2616	abejve.exe	30
PID 2540 wrote to memory of 1072	2540	abejve.exe	18
PID 2540 wrote to memory of 1072	2540	abejve.exe	18
PID 2540 wrote to memory of 1072	2540	abejve.exe	18
PID 2540 wrote to memory of 1072	2540	abejve.exe	18
PID 2540 wrote to memory of 1072	2540	abejve.exe	18
PID 2540 wrote to memory of 1152	2540	abejve.exe	20
PID 2540 wrote to memory of 1152	2540	abejve.exe	20
PID 2540 wrote to memory of 1152	2540	abejve.exe	20
PID 2540 wrote to memory of 1152	2540	abejve.exe	20
PID 2540 wrote to memory of 1152	2540	abejve.exe	20
PID 2540 wrote to memory of 1176	2540	abejve.exe	21
PID 2540 wrote to memory of 1176	2540	abejve.exe	21
PID 2540 wrote to memory of 1176	2540	abejve.exe	21
PID 2540 wrote to memory of 1176	2540	abejve.exe	21
PID 2540 wrote to memory of 1176	2540	abejve.exe	21
PID 2540 wrote to memory of 1580	2540	abejve.exe	23
PID 2540 wrote to memory of 1580	2540	abejve.exe	23
PID 2540 wrote to memory of 1580	2540	abejve.exe	23
PID 2540 wrote to memory of 1580	2540	abejve.exe	23
PID 2540 wrote to memory of 1580	2540	abejve.exe	23
PID 2540 wrote to memory of 2092	2540	abejve.exe	27
PID 2540 wrote to memory of 2092	2540	abejve.exe	27
PID 2540 wrote to memory of 2092	2540	abejve.exe	27
PID 2540 wrote to memory of 2092	2540	abejve.exe	27
PID 2540 wrote to memory of 2092	2540	abejve.exe	27
PID 2540 wrote to memory of 2112	2540	abejve.exe	28
PID 2540 wrote to memory of 2112	2540	abejve.exe	28
PID 2540 wrote to memory of 2112	2540	abejve.exe	28
PID 2540 wrote to memory of 2112	2540	abejve.exe	28
PID 2540 wrote to memory of 2112	2540	abejve.exe	28
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2112 wrote to memory of 748	2112	2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe	31
PID 2540 wrote to memory of 2132	2540	abejve.exe	32
PID 2540 wrote to memory of 2132	2540	abejve.exe	32
PID 2540 wrote to memory of 2132	2540	abejve.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1072

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2386b3e0f5838ed703f47609640f0b88_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Roaming\Byop\abejve.exe
      "C:\Users\Admin\AppData\Roaming\Byop\abejve.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Roaming\Byop\abejve.exe
        
        "C:\Users\Admin\AppData\Roaming\Byop\abejve.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4a44b938.bat"
      4⤵
      Deletes itself
      PID:748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20279972921947364100-140778231971331092-63222629-1533379637-1230300532-40870472"
1⤵
PID:2132

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
b540dedf40f817ccb06fc40ba16d8402

SHA1
3f57748be505ce298467a267da80c8a71e1b936d

SHA256
12573d5334bcbba00cd107d3829a8907fe379b5547522c6d788bd6efe72e9c99

SHA512
09c973b6c7afa465f61b73944da0cb7343a30be76db78ad4f1a4c6b2f4170be7f12b9547267464ca17f837f2392964c297c72656ae06c0317bbe97128d4fac27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4a44b938.bat

Filesize
271B

MD5
2fa21b774759b3fa41fed7848b7ebeac

SHA1
e8c610910cac4cd75e3f8fbd5500dcb99e313c0c

SHA256
ff803426b2e6ad53568d75201c69084f886de609ca53d570cc3095393b3f417a

SHA512
9dda5a4a65d08663d0dd368ebe32ff8476265c5ea3d0767ff234d03804e43c4383357041ed7f2526951046888b29b54006d3ee2a8e5f214f175c610eecb708b7

Download Submit
\Users\Admin\AppData\Roaming\Byop\abejve.exe

Filesize
322KB

MD5
99cb337ebd6da0a8df257287b95e1358

SHA1
b101fe7a4c89353ce647977d0f3570af0e973e3a

SHA256
1e14ae3bd2c09d3742396f0fe3113f352a3bdc5932a4ce0f0bcd41c761bad1ac

SHA512
bead4454e5ff7761e8de1f6371cc7b860ed009abbb88a6b5bab34f129219bd2fb7abfc341ba1cdb90f7e1189e1d8be19689822b4726be4b365fdea44ae598f9d

Download Submit
memory/1072-50-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1072-49-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1072-51-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1072-52-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1152-56-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-54-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-55-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-57-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1176-59-0x00000000042A0000-0x00000000042E4000-memory.dmp

Filesize
272KB

Download
memory/1176-60-0x00000000042A0000-0x00000000042E4000-memory.dmp

Filesize
272KB

Download
memory/1176-61-0x00000000042A0000-0x00000000042E4000-memory.dmp

Filesize
272KB

Download
memory/1176-62-0x00000000042A0000-0x00000000042E4000-memory.dmp

Filesize
272KB

Download
memory/1580-67-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1580-64-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1580-65-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1580-66-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/2092-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-160-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2092-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2092-72-0x0000000000350000-0x0000000000394000-memory.dmp

Filesize
272KB

Download
memory/2092-71-0x0000000000350000-0x0000000000394000-memory.dmp

Filesize
272KB

Download
memory/2092-70-0x0000000000350000-0x0000000000394000-memory.dmp

Filesize
272KB

Download
memory/2092-69-0x0000000000350000-0x0000000000394000-memory.dmp

Filesize
272KB

Download
memory/2092-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2092-73-0x0000000000350000-0x0000000000394000-memory.dmp

Filesize
272KB

Download
memory/2092-1-0x0000000000320000-0x0000000000376000-memory.dmp

Filesize
344KB

Download
memory/2112-23-0x0000000001FD0000-0x0000000002026000-memory.dmp

Filesize
344KB

Download
memory/2112-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-29-0x0000000001FD0000-0x0000000002026000-memory.dmp

Filesize
344KB

Download
memory/2540-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-32-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/2616-293-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download