ab5dfce4d14ddd7c4a93a9ba851f9fe6d5d47b1070eacadf69ad55170153b658

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6aebf527d016997988421865d4f744_JaffaCakes118.exe
Size

360KB
MD5

2a6aebf527d016997988421865d4f744
SHA1

dc948d470755d23fd86ca29312df6655c424a831
SHA256

ab5dfce4d14ddd7c4a93a9ba851f9fe6d5d47b1070eacadf69ad55170153b658
SHA512

d99f0e684acad36b5b39f312875a71ca8fa09024fc8d5c2d9fcb03991091af6747026e6bd2ced454216b2b74d48631f407e92d6696a441dd16e91ff882eadb54
SSDEEP

6144:zsQzHOsbEnGSwyX3PnhLatx/sU01rkS6OG6KV:z/zu2EnG8X/nGG4AGdV

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1868	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	ymof.exe

Loads dropped DLL 2 IoCs

pid	Process
1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe
1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Laohi\\ymof.exe"	ymof.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe
2060	ymof.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe
2060	ymof.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2060	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2060	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2060	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2060	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	31
PID 2060 wrote to memory of 1120	2060	ymof.exe	19
PID 2060 wrote to memory of 1120	2060	ymof.exe	19
PID 2060 wrote to memory of 1120	2060	ymof.exe	19
PID 2060 wrote to memory of 1120	2060	ymof.exe	19
PID 2060 wrote to memory of 1120	2060	ymof.exe	19
PID 2060 wrote to memory of 1204	2060	ymof.exe	20
PID 2060 wrote to memory of 1204	2060	ymof.exe	20
PID 2060 wrote to memory of 1204	2060	ymof.exe	20
PID 2060 wrote to memory of 1204	2060	ymof.exe	20
PID 2060 wrote to memory of 1204	2060	ymof.exe	20
PID 2060 wrote to memory of 1256	2060	ymof.exe	21
PID 2060 wrote to memory of 1256	2060	ymof.exe	21
PID 2060 wrote to memory of 1256	2060	ymof.exe	21
PID 2060 wrote to memory of 1256	2060	ymof.exe	21
PID 2060 wrote to memory of 1256	2060	ymof.exe	21
PID 2060 wrote to memory of 1372	2060	ymof.exe	23
PID 2060 wrote to memory of 1372	2060	ymof.exe	23
PID 2060 wrote to memory of 1372	2060	ymof.exe	23
PID 2060 wrote to memory of 1372	2060	ymof.exe	23
PID 2060 wrote to memory of 1372	2060	ymof.exe	23
PID 2060 wrote to memory of 1904	2060	ymof.exe	30
PID 2060 wrote to memory of 1904	2060	ymof.exe	30
PID 2060 wrote to memory of 1904	2060	ymof.exe	30
PID 2060 wrote to memory of 1904	2060	ymof.exe	30
PID 2060 wrote to memory of 1904	2060	ymof.exe	30
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32
PID 1904 wrote to memory of 1868	1904	2a6aebf527d016997988421865d4f744_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\2a6aebf527d016997988421865d4f744_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2a6aebf527d016997988421865d4f744_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Roaming\Laohi\ymof.exe
    "C:\Users\Admin\AppData\Roaming\Laohi\ymof.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe9a8ebb0.bat"
    3⤵
    - Deletes itself
    PID:1868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe9a8ebb0.bat

Filesize
271B

MD5
093e94bc5eabab7930e1519eb55292a0

SHA1
865470e53ea2e4502fcf17198f79abd3304c2ab6

SHA256
1534d5c2630be2841e840752a8f8b350ac547cc91ed309e45037be8db2598af5

SHA512
fb2bfbf87d86a4db78aba2257c5a3ab6a7eaab27e2e688b4f8248f2e9497902b11ecaa52096ddbb02bb5860d361f392f23d6ed2900e77dadca8d9b83247084bc

Download Submit
C:\Users\Admin\AppData\Roaming\Laohi\ymof.exe

Filesize
360KB

MD5
adf86c8c20bda9d83625b116b6dbf598

SHA1
f62aecf60468740dce2f6982b675a650171ece5c

SHA256
4c9e65acffef66699f010435eddc7e236c5f6096bac64ca646a6a0fa6ae8f848

SHA512
20bb3ff25c8df5f8a7183e4d078dd92f78ad57134f37b84a3a82eaa96b9dac3e9f0176ca4268872434673ea8b5f2a39a9082c44b9aab3cc42096c0a224cd77d0

Download Submit
memory/1120-27-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/1120-21-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/1120-23-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/1120-25-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/1120-19-0x00000000020D0000-0x0000000002114000-memory.dmp

Filesize
272KB

Download
memory/1204-38-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1204-31-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1204-33-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1204-35-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1256-41-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1256-42-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1256-43-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1256-40-0x0000000002DD0000-0x0000000002E14000-memory.dmp

Filesize
272KB

Download
memory/1372-52-0x0000000002270000-0x00000000022B4000-memory.dmp

Filesize
272KB

Download
memory/1372-46-0x0000000002270000-0x00000000022B4000-memory.dmp

Filesize
272KB

Download
memory/1372-48-0x0000000002270000-0x00000000022B4000-memory.dmp

Filesize
272KB

Download
memory/1372-50-0x0000000002270000-0x00000000022B4000-memory.dmp

Filesize
272KB

Download
memory/1904-66-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1904-64-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-143-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-62-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-61-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/1904-60-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/1904-59-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/1904-57-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/1904-55-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/1904-70-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-72-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-74-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-76-0x0000000077CE0000-0x0000000077CE1000-memory.dmp

Filesize
4KB

Download
memory/1904-68-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-79-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-166-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-167-0x00000000002D0000-0x000000000032F000-memory.dmp

Filesize
380KB

Download
memory/1904-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-81-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1904-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-1-0x00000000002D0000-0x000000000032F000-memory.dmp

Filesize
380KB

Download
memory/2060-17-0x0000000000350000-0x00000000003AF000-memory.dmp

Filesize
380KB

Download
memory/2060-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2060-16-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2060-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download