8ebe03547f8b79c62ea127820926f88c51d0b155679af0c8dc18b5e606fd78a1

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe
Size

312KB
MD5

2adf340f8eb4e0b7f88e81fd3e0a8f77
SHA1

00164ce5256308a5b20996c88a76ca264f304fa9
SHA256

8ebe03547f8b79c62ea127820926f88c51d0b155679af0c8dc18b5e606fd78a1
SHA512

c5a25a125d339b87dcce65c2973c0db3949b24a946830ce40882c3471996125e7c27c5c8f6864fd6329fa54162d4b8f9da8772a7db768542bbb515dc2318cd80
SSDEEP

6144:xWI+jNXUeQPFTdCRTy7wzFzRODpyUOr2//X2TnLo0D/I:EIQUrdCvxzKy1rc/XsC

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	haviz.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Urofn\\haviz.exe"	haviz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe
2260	haviz.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2260	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2260	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2260	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2260	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	31
PID 2260 wrote to memory of 1116	2260	haviz.exe	19
PID 2260 wrote to memory of 1116	2260	haviz.exe	19
PID 2260 wrote to memory of 1116	2260	haviz.exe	19
PID 2260 wrote to memory of 1116	2260	haviz.exe	19
PID 2260 wrote to memory of 1116	2260	haviz.exe	19
PID 2260 wrote to memory of 1176	2260	haviz.exe	20
PID 2260 wrote to memory of 1176	2260	haviz.exe	20
PID 2260 wrote to memory of 1176	2260	haviz.exe	20
PID 2260 wrote to memory of 1176	2260	haviz.exe	20
PID 2260 wrote to memory of 1176	2260	haviz.exe	20
PID 2260 wrote to memory of 1252	2260	haviz.exe	21
PID 2260 wrote to memory of 1252	2260	haviz.exe	21
PID 2260 wrote to memory of 1252	2260	haviz.exe	21
PID 2260 wrote to memory of 1252	2260	haviz.exe	21
PID 2260 wrote to memory of 1252	2260	haviz.exe	21
PID 2260 wrote to memory of 1208	2260	haviz.exe	23
PID 2260 wrote to memory of 1208	2260	haviz.exe	23
PID 2260 wrote to memory of 1208	2260	haviz.exe	23
PID 2260 wrote to memory of 1208	2260	haviz.exe	23
PID 2260 wrote to memory of 1208	2260	haviz.exe	23
PID 2260 wrote to memory of 1964	2260	haviz.exe	30
PID 2260 wrote to memory of 1964	2260	haviz.exe	30
PID 2260 wrote to memory of 1964	2260	haviz.exe	30
PID 2260 wrote to memory of 1964	2260	haviz.exe	30
PID 2260 wrote to memory of 1964	2260	haviz.exe	30
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2700	1964	2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2adf340f8eb4e0b7f88e81fd3e0a8f77_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Urofn\haviz.exe
    "C:\Users\Admin\AppData\Roaming\Urofn\haviz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp72012bf2.bat"
    3⤵
    - Deletes itself
    PID:2700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp72012bf2.bat

Filesize
271B

MD5
c1edbe54f45df913f6aafececdb97191

SHA1
f6c1f24f941a8be1285f7010fd9d887a30961da6

SHA256
db42a7f883c407f25283d1fe84775b680276ab24af9bebd041c327c9a3619849

SHA512
3c53ec3b73b91098b8528feb1ba791580046e4d3d7ebe11e72a003343feb7e07713494c983d98cf73bfa9cc6c899d24a7d084c1c961f0a25c11f0955938eb020

Download Submit
\Users\Admin\AppData\Roaming\Urofn\haviz.exe

Filesize
312KB

MD5
8ddbb33b1ad6f36b9ea9656ce62614ee

SHA1
33e1c4dfb451a3211c5aa0016eae783a5ee931a1

SHA256
7e570b46079e98deaed726817dcb5b0a4d2e11dc6a8782120b21f52d627d9fc4

SHA512
3d8269ec4f5c039109a5c1a0b62a096709530cc4e7220741d38b5852d80bec09f043a98689d5f9d54c24198066f4d5154e01e7a8c4d6c4e474da6238201b440a

Download Submit
memory/1116-15-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-16-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-17-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-18-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-19-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1176-23-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-21-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-24-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-22-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1208-34-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-31-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-32-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-33-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1252-26-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1252-27-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1252-28-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1252-29-0x0000000002AE0000-0x0000000002B24000-memory.dmp

Filesize
272KB

Download
memory/1964-77-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-38-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-71-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-69-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-67-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-65-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-63-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-62-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1964-61-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-59-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-57-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-55-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-51-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-49-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-47-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-45-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-43-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-41-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-39-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-73-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-37-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-36-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-150-0x0000000000930000-0x0000000000981000-memory.dmp

Filesize
324KB

Download
memory/1964-151-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-152-0x0000000000800000-0x0000000000844000-memory.dmp

Filesize
272KB

Download
memory/1964-75-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-0-0x0000000000930000-0x0000000000981000-memory.dmp

Filesize
324KB

Download
memory/1964-132-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-79-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-53-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-4-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-9-0x0000000000800000-0x0000000000851000-memory.dmp

Filesize
324KB

Download
memory/1964-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2260-12-0x00000000011D0000-0x0000000001221000-memory.dmp

Filesize
324KB

Download
memory/2260-14-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2260-282-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download