98b28a89d9c8f014948a0d6927c4cd97369087644a63f45284daa2cb20b87f01

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
Size

262KB
MD5

2837a1d5691feaa0d7a11a3296f528cd
SHA1

4d3462d711a7d69731cb5148e53a2eb69da0eeec
SHA256

98b28a89d9c8f014948a0d6927c4cd97369087644a63f45284daa2cb20b87f01
SHA512

975f97dd43b65466445bee5216c7d61c2944bb16927b4e284b4246443b0a97cc5fa3beefdb6d88574d8d360d9e8bbb1db806242ea7fb2fc0ed62495a1492bc02
SSDEEP

6144:VZJ8Gp+df0afmVTRMdgdpn94sLrNXel9uIb98+MAka:3J8YkfXf4TRME94svNuz9b9Zz

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	ucco.exe

Loads dropped DLL 1 IoCs

pid	Process
3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\{76E05B48-6E67-AD4F-AEBE-B031A9A3932C} = "C:\\Users\\Admin\\AppData\\Roaming\\Impewe\\ucco.exe"	ucco.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe
1988	ucco.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
Token: SeSecurityPrivilege	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
Token: SeSecurityPrivilege	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
1988	ucco.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1988	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1988	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1988	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	29
PID 3044 wrote to memory of 1988	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	29
PID 1988 wrote to memory of 1120	1988	ucco.exe	18
PID 1988 wrote to memory of 1120	1988	ucco.exe	18
PID 1988 wrote to memory of 1120	1988	ucco.exe	18
PID 1988 wrote to memory of 1120	1988	ucco.exe	18
PID 1988 wrote to memory of 1120	1988	ucco.exe	18
PID 1988 wrote to memory of 1220	1988	ucco.exe	19
PID 1988 wrote to memory of 1220	1988	ucco.exe	19
PID 1988 wrote to memory of 1220	1988	ucco.exe	19
PID 1988 wrote to memory of 1220	1988	ucco.exe	19
PID 1988 wrote to memory of 1220	1988	ucco.exe	19
PID 1988 wrote to memory of 1256	1988	ucco.exe	20
PID 1988 wrote to memory of 1256	1988	ucco.exe	20
PID 1988 wrote to memory of 1256	1988	ucco.exe	20
PID 1988 wrote to memory of 1256	1988	ucco.exe	20
PID 1988 wrote to memory of 1256	1988	ucco.exe	20
PID 1988 wrote to memory of 1512	1988	ucco.exe	24
PID 1988 wrote to memory of 1512	1988	ucco.exe	24
PID 1988 wrote to memory of 1512	1988	ucco.exe	24
PID 1988 wrote to memory of 1512	1988	ucco.exe	24
PID 1988 wrote to memory of 1512	1988	ucco.exe	24
PID 1988 wrote to memory of 3044	1988	ucco.exe	28
PID 1988 wrote to memory of 3044	1988	ucco.exe	28
PID 1988 wrote to memory of 3044	1988	ucco.exe	28
PID 1988 wrote to memory of 3044	1988	ucco.exe	28
PID 1988 wrote to memory of 3044	1988	ucco.exe	28
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30
PID 3044 wrote to memory of 580	3044	2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2837a1d5691feaa0d7a11a3296f528cd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\Impewe\ucco.exe
    "C:\Users\Admin\AppData\Roaming\Impewe\ucco.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ba50c41.bat"
    3⤵
    - Deletes itself
    PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9ba50c41.bat

Filesize
271B

MD5
7b68cf48256f33637d3b56b8023e09b2

SHA1
6d430324ff3ba44d1f69c998c20337be31438719

SHA256
a5dc76188fe282f83635814a942f4e391a586094403e07889b5bb20e46ebd3b6

SHA512
58aaaf98866e889dddd2615b359c63c194704d922ee206e11928bc1caad3cc4521a296490d43b2ade88623885a808a58718fd065ed7d725096d169398afa4317

Download Submit
C:\Users\Admin\AppData\Roaming\Yzfy\cieh.bof

Filesize
380B

MD5
cb01c7cb04abedca2b830e14c072e786

SHA1
310c43f1926a263662b3a7031cbf38c67a829028

SHA256
7ded72a82f8d872891ab4a8bce8e6498b815c3656fd2341a5aeb00d3ee886519

SHA512
4c5b80096408fa29a872ec989d29c07706074b9e344dabd10041b5812ed3feaf7e747635d57945eb2ca093198569e727a74a66a4aefaac53abbfd6221a417a76

Download Submit
\Users\Admin\AppData\Roaming\Impewe\ucco.exe

Filesize
262KB

MD5
1420cf83863d0a0c501bb2a46c24af19

SHA1
a08d15ee58590924b5522fc7bf4377d7a9c6d6e5

SHA256
63e69d76e585e687a7332b02842e34227365a7856eeb6ff6c44bcc69d855d3b2

SHA512
af1521d11f7497f5501694ea8692c9fceb9383d2252eda6ed8d9246e8f26c04d83b91fc6fe337e5ee260e85ca67d9cbe3db5fb62ad35dca88d361df6ea1f7921

Download Submit
memory/1120-17-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1120-16-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1120-15-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/1220-23-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1220-22-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1220-21-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1220-24-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1256-26-0x0000000002510000-0x0000000002551000-memory.dmp

Filesize
260KB

Download
memory/1256-28-0x0000000002510000-0x0000000002551000-memory.dmp

Filesize
260KB

Download
memory/1256-27-0x0000000002510000-0x0000000002551000-memory.dmp

Filesize
260KB

Download
memory/1256-29-0x0000000002510000-0x0000000002551000-memory.dmp

Filesize
260KB

Download
memory/1512-32-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1512-34-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1512-31-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1512-33-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1988-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-13-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/1988-12-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1988-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-67-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-57-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-55-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-53-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-51-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-47-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-45-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-43-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-41-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-40-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-38-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-37-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-36-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-61-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-63-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-65-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-59-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-69-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-71-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-73-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-127-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-151-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/3044-1-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/3044-153-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-75-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-125-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/3044-126-0x0000000077DF0000-0x0000000077DF1000-memory.dmp

Filesize
4KB

Download
memory/3044-77-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-49-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3044-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3044-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download