bec2afb3070b94e6420c7f7ce11fd46a386d78a246e3bf921a8c7f46d28512b4

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 18:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe
Size

297KB
MD5

25cf7127991c2d6b249cfda5716c735b
SHA1

b92abb6c60a7ec2fbf8c19147f5a91cc73745f60
SHA256

bec2afb3070b94e6420c7f7ce11fd46a386d78a246e3bf921a8c7f46d28512b4
SHA512

a15e559c22b16ee444cd4fafab2bbc27ce258db4a384eec6c1f46a77e7c139812c56a9cc3550e31daa59be054f38499d1d2bb8a12073aa0a13a9c29dab9b24db
SSDEEP

6144:10DuLqyd3oxcdzBjcufgM7e3lSQtx0PoOKEtq70uHRinFBqLTabu0bok3K:ODou+BjcufWlvAoOKEtY/xUBqLSxbok6

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	reipdo.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe
2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E97AF648-8469-AD4E-B6B3-012D8E7B2230} = "C:\\Users\\Admin\\AppData\\Roaming\\Tutexi\\reipdo.exe"	reipdo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe
2492	reipdo.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe
2492	reipdo.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2492	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2492	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2492	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2492	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	28
PID 2492 wrote to memory of 1044	2492	reipdo.exe	17
PID 2492 wrote to memory of 1044	2492	reipdo.exe	17
PID 2492 wrote to memory of 1044	2492	reipdo.exe	17
PID 2492 wrote to memory of 1044	2492	reipdo.exe	17
PID 2492 wrote to memory of 1044	2492	reipdo.exe	17
PID 2492 wrote to memory of 1060	2492	reipdo.exe	18
PID 2492 wrote to memory of 1060	2492	reipdo.exe	18
PID 2492 wrote to memory of 1060	2492	reipdo.exe	18
PID 2492 wrote to memory of 1060	2492	reipdo.exe	18
PID 2492 wrote to memory of 1060	2492	reipdo.exe	18
PID 2492 wrote to memory of 1112	2492	reipdo.exe	20
PID 2492 wrote to memory of 1112	2492	reipdo.exe	20
PID 2492 wrote to memory of 1112	2492	reipdo.exe	20
PID 2492 wrote to memory of 1112	2492	reipdo.exe	20
PID 2492 wrote to memory of 1112	2492	reipdo.exe	20
PID 2492 wrote to memory of 1316	2492	reipdo.exe	23
PID 2492 wrote to memory of 1316	2492	reipdo.exe	23
PID 2492 wrote to memory of 1316	2492	reipdo.exe	23
PID 2492 wrote to memory of 1316	2492	reipdo.exe	23
PID 2492 wrote to memory of 1316	2492	reipdo.exe	23
PID 2492 wrote to memory of 2156	2492	reipdo.exe	27
PID 2492 wrote to memory of 2156	2492	reipdo.exe	27
PID 2492 wrote to memory of 2156	2492	reipdo.exe	27
PID 2492 wrote to memory of 2156	2492	reipdo.exe	27
PID 2492 wrote to memory of 2156	2492	reipdo.exe	27
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2692	2156	25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1060

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\25cf7127991c2d6b249cfda5716c735b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Roaming\Tutexi\reipdo.exe
    "C:\Users\Admin\AppData\Roaming\Tutexi\reipdo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa764b79a.bat"
    3⤵
    - Deletes itself
    PID:2692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa764b79a.bat

Filesize
271B

MD5
e22baec37bddb9f0faa647182a65861e

SHA1
7de823c03f9352db33c5f2f28249c9451d343484

SHA256
212d1bd25ac9bcd79008b7d6039004db808d003cebbaa4440e3d0bac2ef9adeb

SHA512
f7bcf76d60bff10dd53fb9c56ea538bdffb085b37b281ac9c81e21561d76e4cd687dfc5024cec6f3de188ca4319bf01c9d30c9d0e17ed2078d0a975c0b59ea2d

Download Submit
\Users\Admin\AppData\Roaming\Tutexi\reipdo.exe

Filesize
297KB

MD5
8eed1f31c3dad46f5fdac5dd13f50865

SHA1
37d67da7a13b3013718b53933fdf37871dee634f

SHA256
6f93a0d305960a05f27cb0018990dc1e9602587b803b2bc838718c9d1da95d92

SHA512
502ba833ae663c11e66a38c81d8af8aaf1eeea0de96665233c9b130eec3ac70505ea0ae08f5f7771cc102a804ac716c36b4ae847bd32010afd9c9688a2675eff

Download Submit
memory/1044-23-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1044-19-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1044-20-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1044-21-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1044-22-0x0000000001DB0000-0x0000000001DF2000-memory.dmp

Filesize
264KB

Download
memory/1060-28-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1060-25-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1060-26-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1060-27-0x0000000001FC0000-0x0000000002002000-memory.dmp

Filesize
264KB

Download
memory/1112-30-0x0000000002CE0000-0x0000000002D22000-memory.dmp

Filesize
264KB

Download
memory/1112-31-0x0000000002CE0000-0x0000000002D22000-memory.dmp

Filesize
264KB

Download
memory/1112-32-0x0000000002CE0000-0x0000000002D22000-memory.dmp

Filesize
264KB

Download
memory/1112-33-0x0000000002CE0000-0x0000000002D22000-memory.dmp

Filesize
264KB

Download
memory/1316-38-0x0000000001C10000-0x0000000001C52000-memory.dmp

Filesize
264KB

Download
memory/1316-35-0x0000000001C10000-0x0000000001C52000-memory.dmp

Filesize
264KB

Download
memory/1316-36-0x0000000001C10000-0x0000000001C52000-memory.dmp

Filesize
264KB

Download
memory/1316-37-0x0000000001C10000-0x0000000001C52000-memory.dmp

Filesize
264KB

Download
memory/2156-77-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-73-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-63-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-61-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-59-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-57-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-55-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-53-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-51-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-49-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-47-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-45-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-44-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-43-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-41-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-40-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-67-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-69-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-71-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-65-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-75-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-0-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2156-131-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-129-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-130-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/2156-79-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2156-42-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-1-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/2156-155-0x0000000001E00000-0x0000000001E42000-memory.dmp

Filesize
264KB

Download
memory/2156-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2492-15-0x00000000006C0000-0x0000000000702000-memory.dmp

Filesize
264KB

Download
memory/2492-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2492-16-0x0000000000760000-0x00000000007B0000-memory.dmp

Filesize
320KB

Download
memory/2492-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download