f791c03fe24be77ad327076d7d6902bd198c7bcd655f928424e0d12b5b41ecf0

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 15:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
Size

278KB
MD5

2cd4c583d20f2ae241ce662b27134724
SHA1

3bfa52178c361972df12b000c834ae2e35305658
SHA256

f791c03fe24be77ad327076d7d6902bd198c7bcd655f928424e0d12b5b41ecf0
SHA512

6cbe9c25880c5ae7da0527a6c8af1096d3c52418487bdcfef69b2af5308d6858069a706c19cb7f34632f156f63584932d0c87a47da57b5390e3fba69bad7fd1f
SSDEEP

6144:P1Yk7RsxF3BEuTP0PvdA8r1ezABpxEJPlLsiJEwpCPkSm4krOa6DW:tYee0uT8Hq6ezABvuPl5IRk9n

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1976	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	ocxis.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Ymwi\\ocxis.exe"	ocxis.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe
2164	ocxis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
Token: SeSecurityPrivilege	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
Token: SeSecurityPrivilege	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
2164	ocxis.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2164	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2164	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2164	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2164	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	31
PID 2164 wrote to memory of 1116	2164	ocxis.exe	19
PID 2164 wrote to memory of 1116	2164	ocxis.exe	19
PID 2164 wrote to memory of 1116	2164	ocxis.exe	19
PID 2164 wrote to memory of 1116	2164	ocxis.exe	19
PID 2164 wrote to memory of 1116	2164	ocxis.exe	19
PID 2164 wrote to memory of 1168	2164	ocxis.exe	20
PID 2164 wrote to memory of 1168	2164	ocxis.exe	20
PID 2164 wrote to memory of 1168	2164	ocxis.exe	20
PID 2164 wrote to memory of 1168	2164	ocxis.exe	20
PID 2164 wrote to memory of 1168	2164	ocxis.exe	20
PID 2164 wrote to memory of 1196	2164	ocxis.exe	21
PID 2164 wrote to memory of 1196	2164	ocxis.exe	21
PID 2164 wrote to memory of 1196	2164	ocxis.exe	21
PID 2164 wrote to memory of 1196	2164	ocxis.exe	21
PID 2164 wrote to memory of 1196	2164	ocxis.exe	21
PID 2164 wrote to memory of 2044	2164	ocxis.exe	23
PID 2164 wrote to memory of 2044	2164	ocxis.exe	23
PID 2164 wrote to memory of 2044	2164	ocxis.exe	23
PID 2164 wrote to memory of 2044	2164	ocxis.exe	23
PID 2164 wrote to memory of 2044	2164	ocxis.exe	23
PID 2164 wrote to memory of 2468	2164	ocxis.exe	30
PID 2164 wrote to memory of 2468	2164	ocxis.exe	30
PID 2164 wrote to memory of 2468	2164	ocxis.exe	30
PID 2164 wrote to memory of 2468	2164	ocxis.exe	30
PID 2164 wrote to memory of 2468	2164	ocxis.exe	30
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1976	2468	2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2cd4c583d20f2ae241ce662b27134724_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\Ymwi\ocxis.exe
    "C:\Users\Admin\AppData\Roaming\Ymwi\ocxis.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp797bd5b9.bat"
    3⤵
    - Deletes itself
    PID:1976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp797bd5b9.bat

Filesize
271B

MD5
2289ef5fe697246a84ca8dae1dd3139b

SHA1
9b2be3527115b6ef6dcd9c26249486474358acb8

SHA256
fb4390186cf4a7e2cc675904b5fddfe682ae5b6895ff814ba96938dd7870450c

SHA512
6ee9225ec3be33dc1cc127ee308391f1900d730d00a46dbaa93c0d1eada0b9d1fb34e2a1099b64cd58a80563296a85b5ac12c87896dc245c6da0fbf513ca1642

Download Submit
C:\Users\Admin\AppData\Roaming\Abgir\pihe.rul

Filesize
380B

MD5
e7a926baf829c89502539f16e16e4f4d

SHA1
9ec29ac9acd2f155a67d1f2fcfe88e2b645f1c4f

SHA256
4ca881b4d3316f0a29ad8e0c1078490d3c929295e128ca104d3f8330cb1d04b1

SHA512
51b76628132f6d1cec3596ffb8fbbe345c8a7ff24394e27485beedf2f57826d4d38450faf5b61f3028836140d3349f00b683811eb7b157467925f8a554568be9

Download Submit
\Users\Admin\AppData\Roaming\Ymwi\ocxis.exe

Filesize
278KB

MD5
ac65de04b493a1ca888cbc7006e0e065

SHA1
437aa8d45a1b51d70c90abdc8a56c8da8c130b81

SHA256
7ea4f3984c1e2740393bc18d53e8afb3521596cedd02a2bb9d382b085d455cab

SHA512
93b60d7451b6640beb11fee0b9402aad112f37263475909445b098bce57b36d45e21b2ba29838b3644d7f15cc95c2be573a26b4bc3070b52cd2c3fe88175782c

Download Submit
memory/1116-26-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1116-18-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1116-24-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1116-22-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1116-20-0x0000000002060000-0x00000000020A1000-memory.dmp

Filesize
260KB

Download
memory/1168-31-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1168-30-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1168-29-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1168-32-0x0000000000120000-0x0000000000161000-memory.dmp

Filesize
260KB

Download
memory/1196-34-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1196-37-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1196-36-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/1196-35-0x0000000002D20000-0x0000000002D61000-memory.dmp

Filesize
260KB

Download
memory/2044-45-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/2044-39-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/2044-41-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/2044-43-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/2164-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-14-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2164-15-0x0000000000350000-0x000000000039B000-memory.dmp

Filesize
300KB

Download
memory/2164-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-52-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-138-0x0000000077D10000-0x0000000077D11000-memory.dmp

Filesize
4KB

Download
memory/2468-71-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-69-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-65-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-63-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-61-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-59-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-57-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-55-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-53-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-50-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-49-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-48-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-137-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-73-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-160-0x00000000002F0000-0x000000000033B000-memory.dmp

Filesize
300KB

Download
memory/2468-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-139-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-75-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-77-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-79-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-67-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2468-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2468-51-0x0000000001D10000-0x0000000001D51000-memory.dmp

Filesize
260KB

Download
memory/2468-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-1-0x00000000002F0000-0x000000000033B000-memory.dmp

Filesize
300KB

Download