05189b6b9b7467fdf9a1f5386216d1952c2c6b9bd0b108418362bbdaeb09f885

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Size

278KB
MD5

25c91dcae4731a5c4a08d9246b836add
SHA1

2264683af0d4938bbbc9098a24d915aa56e1d849
SHA256

05189b6b9b7467fdf9a1f5386216d1952c2c6b9bd0b108418362bbdaeb09f885
SHA512

608549b840bad775760837cd72e40554951b6d2e4f491dde0fdce836058f0fd0b9b8cbe86268ab0ca25db9a26ae4ddff2890e243ba480cf699b6b7d04c6b29f8
SSDEEP

6144:ow/S1DB/lBBcuI5h29W5jvKfRo67/mEH6FjR:owqlAuIrQaR6CeK

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2612	24FC2AE3D38.exe
2492	24FC2AE3D38.exe
1356	54F2646.exe

Loads dropped DLL 5 IoCs

pid	Process
1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
2612	24FC2AE3D38.exe
2492	24FC2AE3D38.exe
2492	24FC2AE3D38.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\YI9B2F0FYEXG0B9HJ = "C:\\systemhost\\24FC2AE3D38.exe"	54F2646.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	24FC2AE3D38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	24FC2AE3D38.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 2612 set thread context of 2492	2612	24FC2AE3D38.exe	30

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter	54F2646.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	54F2646.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	54F2646.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery	54F2646.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	54F2646.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
2492	24FC2AE3D38.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe
1356	54F2646.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Token: SeDebugPrivilege	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Token: SeDebugPrivilege	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Token: SeDebugPrivilege	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
Token: SeDebugPrivilege	2492	24FC2AE3D38.exe
Token: SeDebugPrivilege	2492	24FC2AE3D38.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe
Token: SeDebugPrivilege	1356	54F2646.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1848 wrote to memory of 1856	1848	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	28
PID 1856 wrote to memory of 2612	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	29
PID 1856 wrote to memory of 2612	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	29
PID 1856 wrote to memory of 2612	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	29
PID 1856 wrote to memory of 2612	1856	25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe	29
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2612 wrote to memory of 2492	2612	24FC2AE3D38.exe	30
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 2492 wrote to memory of 1356	2492	24FC2AE3D38.exe	31
PID 1356 wrote to memory of 1856	1356	54F2646.exe	28
PID 1356 wrote to memory of 1856	1356	54F2646.exe	28
PID 1356 wrote to memory of 1856	1356	54F2646.exe	28
PID 1356 wrote to memory of 1856	1356	54F2646.exe	28

C:\Users\Admin\AppData\Local\Temp\25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\25c91dcae4731a5c4a08d9246b836add_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\systemhost\24FC2AE3D38.exe
    "C:\systemhost\24FC2AE3D38.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\systemhost\24FC2AE3D38.exe
      C:\systemhost\24FC2AE3D38.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\54F2646.exe
        
        "C:\Users\Admin\AppData\Local\Temp\54F2646.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies Internet Explorer Phishing Filter
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\systemhost\42B458B46A26000

Filesize
63KB

MD5
10130174b40b3c3ee4df4e2c64de94bb

SHA1
8612706d40e604e6ca680a82f0877273c776e89d

SHA256
8a820ad489431a114b981d42251fea3abefbe943dafc623ea75e75fe8cc5b858

SHA512
a3cc58a8c0f3e33fa70243acdd3a5f0f675bb4234d7ebf759f6210c4123fe2149c850e5166f802f47c10c3be0acfc9e47fda345e0f7187eca3a3170137dffc6b

Download Submit
\Users\Admin\AppData\Local\Temp\54F2646.exe

Filesize
3KB

MD5
29090b6b4d6605a97ac760d06436ac2d

SHA1
d929d3389642e52bae5ad8512293c9c4d3e4fab5

SHA256
98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272

SHA512
9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Download Submit
\systemhost\24FC2AE3D38.exe

Filesize
278KB

MD5
25c91dcae4731a5c4a08d9246b836add

SHA1
2264683af0d4938bbbc9098a24d915aa56e1d849

SHA256
05189b6b9b7467fdf9a1f5386216d1952c2c6b9bd0b108418362bbdaeb09f885

SHA512
608549b840bad775760837cd72e40554951b6d2e4f491dde0fdce836058f0fd0b9b8cbe86268ab0ca25db9a26ae4ddff2890e243ba480cf699b6b7d04c6b29f8

Download Submit
memory/1356-78-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-87-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1356-67-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-76-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-77-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-57-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-86-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/1356-68-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-88-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-90-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/1356-91-0x000000000BAD0000-0x000000000BB1E000-memory.dmp

Filesize
312KB

Download
memory/1356-66-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-70-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1356-164-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/1856-4-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-6-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-8-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-9-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-24-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1856-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2492-65-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/2492-64-0x0000000000401000-0x0000000000406000-memory.dmp

Filesize
20KB

Download
memory/2492-63-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2492-47-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download