911179c9302e87c8d7404fc2fe717449c92762c35e2eb5ee54ebd8299fddfea1

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe
Size

325KB
MD5

29a05599c10c6a21d7f695c9fd3e9795
SHA1

90bf732e8b91e5ea8c7d93f4a3a952027591f405
SHA256

911179c9302e87c8d7404fc2fe717449c92762c35e2eb5ee54ebd8299fddfea1
SHA512

5ad1e541609fd97c422f2cac355790bfb81c1cb7f27ac5a0f96e5f25db3fcbd058b5cdea67d90f84ae861b9bcbf8d67a83fa64c1843b5f23d5401c416b37217d
SSDEEP

6144:p9dgAwyPmJiMIUul8RhLvEu3lrNXQqlkuQfeqnW:BDqowdvhLQAqW

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	tyaxte.exe
2904	tyaxte.exe

Loads dropped DLL 3 IoCs

pid	Process
2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe
2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe
2724	tyaxte.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\{76E05B48-6E67-AD4F-AEBE-B031A9A3932C} = "C:\\Users\\Admin\\AppData\\Roaming\\Yciv\\tyaxte.exe"	tyaxte.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2724 set thread context of 2904	2724	tyaxte.exe	32

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe
2904	tyaxte.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2688	2156	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2724	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2724	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2724	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2724	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2724 wrote to memory of 2904	2724	tyaxte.exe	32
PID 2688 wrote to memory of 2624	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2624	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2624	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2624	2688	29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe	33
PID 2904 wrote to memory of 1120	2904	tyaxte.exe	19
PID 2904 wrote to memory of 1120	2904	tyaxte.exe	19
PID 2904 wrote to memory of 1120	2904	tyaxte.exe	19
PID 2904 wrote to memory of 1120	2904	tyaxte.exe	19
PID 2904 wrote to memory of 1120	2904	tyaxte.exe	19
PID 2904 wrote to memory of 1188	2904	tyaxte.exe	20
PID 2904 wrote to memory of 1188	2904	tyaxte.exe	20
PID 2904 wrote to memory of 1188	2904	tyaxte.exe	20
PID 2904 wrote to memory of 1188	2904	tyaxte.exe	20
PID 2904 wrote to memory of 1188	2904	tyaxte.exe	20
PID 2904 wrote to memory of 1240	2904	tyaxte.exe	21
PID 2904 wrote to memory of 1240	2904	tyaxte.exe	21
PID 2904 wrote to memory of 1240	2904	tyaxte.exe	21
PID 2904 wrote to memory of 1240	2904	tyaxte.exe	21
PID 2904 wrote to memory of 1240	2904	tyaxte.exe	21
PID 2904 wrote to memory of 1704	2904	tyaxte.exe	25
PID 2904 wrote to memory of 1704	2904	tyaxte.exe	25
PID 2904 wrote to memory of 1704	2904	tyaxte.exe	25
PID 2904 wrote to memory of 1704	2904	tyaxte.exe	25
PID 2904 wrote to memory of 1704	2904	tyaxte.exe	25

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\29a05599c10c6a21d7f695c9fd3e9795_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Roaming\Yciv\tyaxte.exe
      "C:\Users\Admin\AppData\Roaming\Yciv\tyaxte.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Users\Admin\AppData\Roaming\Yciv\tyaxte.exe
        
        "C:\Users\Admin\AppData\Roaming\Yciv\tyaxte.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd68c673b.bat"
      4⤵
      Deletes itself
      PID:2624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd68c673b.bat

Filesize
271B

MD5
04dc8203c24345c6fcda96247d258cd1

SHA1
272c739b5f7f7c512fa020e98eb0538fe062f42e

SHA256
191d38eb9636e0b17e24ce9c2faf1ea8d2b19a79117b16b6ccfa7b1b6ce4de79

SHA512
4d1850836676071c786053f76d0e34a9227fd66a13a85f23f5a3c498317173e8254d6f741f2a76910ed956865cb13a458589f461a871c76a9ad0dd700ab34d33

Download Submit
\Users\Admin\AppData\Roaming\Yciv\tyaxte.exe

Filesize
325KB

MD5
82699e2e8a5717015135ada1aba69018

SHA1
0006a1a7154cfab73e9c009151b378bddf111524

SHA256
3077ee856907b8fa7e9ef160797743e54d3cfd1c7254b4f23adfa40f18a75878

SHA512
c87248d963a14c35ce771b66f55f7a64301191f4cefa582a911e9911a7c0f3615f05dba3f5378480870c4e3051fcda00e689ba27666388907e513fcf9b176f99

Download Submit
memory/1120-61-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1120-63-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1120-59-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1120-65-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1188-69-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-70-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-71-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-68-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1240-73-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1240-74-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1240-75-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1240-76-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1704-79-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1704-78-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1704-80-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/1704-81-0x0000000001DB0000-0x0000000001DF4000-memory.dmp

Filesize
272KB

Download
memory/2156-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2156-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2688-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-29-0x0000000001E10000-0x0000000001E66000-memory.dmp

Filesize
344KB

Download
memory/2688-28-0x0000000001E10000-0x0000000001E66000-memory.dmp

Filesize
344KB

Download
memory/2688-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-48-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2724-31-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2724-49-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2904-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download