292b5f1de718219387a1f0f5903486c8fe8567cf81e691d51aed80a76a9a3984

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 06:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
Size

298KB
MD5

24e60349407e21abe6bbabb38da6ec01
SHA1

6d21d0ca9fc734b8149b27c4f679a5e37c544cb1
SHA256

292b5f1de718219387a1f0f5903486c8fe8567cf81e691d51aed80a76a9a3984
SHA512

b4c6db4d1b078608a3435c737db10cf108be6edc89ec0089bb35ca2a96e6e37a3fe5c8080f8497ebd74fac27b9d6584d9322891ff3201584c914c06bcc16a568
SSDEEP

6144:dawjHWSIg118HWULKjC7Fif1mO45x/VN0cp0cyI0:dXjIaC7Fy45x/ko0cyI0

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1340	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	wyfu.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A0DC58C8-ABEB-AD4E-8758-AF4599EB8C58} = "C:\\Users\\Admin\\AppData\\Roaming\\Feebv\\wyfu.exe"	wyfu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Privacy	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe
2212	wyfu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
Token: SeSecurityPrivilege	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
Token: SeSecurityPrivilege	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
2212	wyfu.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2212	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2212	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2212	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2212	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	28
PID 2212 wrote to memory of 1112	2212	wyfu.exe	19
PID 2212 wrote to memory of 1112	2212	wyfu.exe	19
PID 2212 wrote to memory of 1112	2212	wyfu.exe	19
PID 2212 wrote to memory of 1112	2212	wyfu.exe	19
PID 2212 wrote to memory of 1112	2212	wyfu.exe	19
PID 2212 wrote to memory of 1176	2212	wyfu.exe	20
PID 2212 wrote to memory of 1176	2212	wyfu.exe	20
PID 2212 wrote to memory of 1176	2212	wyfu.exe	20
PID 2212 wrote to memory of 1176	2212	wyfu.exe	20
PID 2212 wrote to memory of 1176	2212	wyfu.exe	20
PID 2212 wrote to memory of 1204	2212	wyfu.exe	21
PID 2212 wrote to memory of 1204	2212	wyfu.exe	21
PID 2212 wrote to memory of 1204	2212	wyfu.exe	21
PID 2212 wrote to memory of 1204	2212	wyfu.exe	21
PID 2212 wrote to memory of 1204	2212	wyfu.exe	21
PID 2212 wrote to memory of 1996	2212	wyfu.exe	23
PID 2212 wrote to memory of 1996	2212	wyfu.exe	23
PID 2212 wrote to memory of 1996	2212	wyfu.exe	23
PID 2212 wrote to memory of 1996	2212	wyfu.exe	23
PID 2212 wrote to memory of 1996	2212	wyfu.exe	23
PID 2212 wrote to memory of 2208	2212	wyfu.exe	27
PID 2212 wrote to memory of 2208	2212	wyfu.exe	27
PID 2212 wrote to memory of 2208	2212	wyfu.exe	27
PID 2212 wrote to memory of 2208	2212	wyfu.exe	27
PID 2212 wrote to memory of 2208	2212	wyfu.exe	27
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29
PID 2208 wrote to memory of 1340	2208	24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\24e60349407e21abe6bbabb38da6ec01_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\Feebv\wyfu.exe
    "C:\Users\Admin\AppData\Roaming\Feebv\wyfu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9c5585c7.bat"
    3⤵
    - Deletes itself
    PID:1340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9c5585c7.bat

Filesize
271B

MD5
56fcff9a108401bd6675f7fcd020fa64

SHA1
1329974fb367d3be4fb196917446f1b7bf881a8a

SHA256
43e9f04c7912c5963904c99f450b43cb2ee8417b6fe23ad4e81eec883d8a8db2

SHA512
ef8bd03118db7fc87ad6dd8a24e9510e50301e441e214819f60b652147300ca89f38697e8def62b5620daf1fbca49e381344dd11ac26bcfbc7086f3aff0cad77

Download Submit
C:\Users\Admin\AppData\Roaming\Ramed\kiycf.zyg

Filesize
380B

MD5
01c61ecb0d6a9be0b7fd0ba0708de78d

SHA1
8dbbd30a868a03c909f3ae6ade7b5ddf453a6641

SHA256
d57b14d7ab3501b8a3cc1322c276009e9b3feef7bf40c24dbe4d635e77b5219c

SHA512
7f9960cef506d4fa2fa9851c52e570510d4632aa241fd64099e2457eaea1f45bbca2f1a66ebe73dfddd1c2eb020fdc29e391850f22f3300adf435ead78004415

Download Submit
\Users\Admin\AppData\Roaming\Feebv\wyfu.exe

Filesize
298KB

MD5
f2e77f2b7336fc28830fbddf57be899e

SHA1
562b2f3e354429aa091762ecafd5680cf32d0176

SHA256
c66e1338bfcc2aa2eeda9bab025c4732a26e12f063fb2c1a93ab98fdc6de7fcb

SHA512
7c073e9c31875391632347ac4f2d023c105b5ef0b59fb0f574e7b247db1f03112e0f7e39670948e1e5139efb5ecdf7c46dc038d0dcd48dae93b65bdbfd9e1cc8

Download Submit
memory/1112-21-0x00000000020F0000-0x0000000002131000-memory.dmp

Filesize
260KB

Download
memory/1112-27-0x00000000020F0000-0x0000000002131000-memory.dmp

Filesize
260KB

Download
memory/1112-23-0x00000000020F0000-0x0000000002131000-memory.dmp

Filesize
260KB

Download
memory/1112-19-0x00000000020F0000-0x0000000002131000-memory.dmp

Filesize
260KB

Download
memory/1112-25-0x00000000020F0000-0x0000000002131000-memory.dmp

Filesize
260KB

Download
memory/1176-35-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1176-33-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1176-31-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1176-37-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1204-42-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-40-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-41-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-43-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1996-48-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1996-45-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1996-46-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1996-47-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/2208-137-0x0000000077C20000-0x0000000077C21000-memory.dmp

Filesize
4KB

Download
memory/2208-79-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-59-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-57-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-55-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-52-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-53-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-51-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-50-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-75-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-136-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-1-0x0000000000360000-0x00000000003B8000-memory.dmp

Filesize
352KB

Download
memory/2208-54-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2208-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2208-162-0x0000000000360000-0x00000000003B8000-memory.dmp

Filesize
352KB

Download
memory/2208-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-138-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-164-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download
memory/2212-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2212-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-16-0x0000000000370000-0x00000000003C8000-memory.dmp

Filesize
352KB

Download
memory/2212-282-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2212-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download