104dd0143d1656046fdd90c1093c35c9c944612841a9671d09edb3c0c5d9a762

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d6807482f854c16202a474e712074c9_JaffaCakes118.exe
Size

253KB
MD5

2d6807482f854c16202a474e712074c9
SHA1

2c5840c6fd0ade6ae0f1a1b9d40b518c11196dfc
SHA256

104dd0143d1656046fdd90c1093c35c9c944612841a9671d09edb3c0c5d9a762
SHA512

4b38fd3d58f2c9ca8f146823af5aa9bc5d2fa85a9b5fb63bbc5c912b10d0ec64d7ccdcd4fb8e14aa830c612f3d32415daae529d00b62dc0915f32f40d3f62dde
SSDEEP

6144:GhRj8Eo5VT35p+NXNH5P7a+kwsDnl5xDZeNeOq0xGGujI:GhJUQV5Lk1l5xDZueOq0xGGj

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1920	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	izyv.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe
3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Zuiq\\izyv.exe"	izyv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe
2328	izyv.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe
2328	izyv.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2328	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2328	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2328	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2328	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	30
PID 2328 wrote to memory of 1108	2328	izyv.exe	19
PID 2328 wrote to memory of 1108	2328	izyv.exe	19
PID 2328 wrote to memory of 1108	2328	izyv.exe	19
PID 2328 wrote to memory of 1108	2328	izyv.exe	19
PID 2328 wrote to memory of 1108	2328	izyv.exe	19
PID 2328 wrote to memory of 1160	2328	izyv.exe	20
PID 2328 wrote to memory of 1160	2328	izyv.exe	20
PID 2328 wrote to memory of 1160	2328	izyv.exe	20
PID 2328 wrote to memory of 1160	2328	izyv.exe	20
PID 2328 wrote to memory of 1160	2328	izyv.exe	20
PID 2328 wrote to memory of 1200	2328	izyv.exe	21
PID 2328 wrote to memory of 1200	2328	izyv.exe	21
PID 2328 wrote to memory of 1200	2328	izyv.exe	21
PID 2328 wrote to memory of 1200	2328	izyv.exe	21
PID 2328 wrote to memory of 1200	2328	izyv.exe	21
PID 2328 wrote to memory of 112	2328	izyv.exe	23
PID 2328 wrote to memory of 112	2328	izyv.exe	23
PID 2328 wrote to memory of 112	2328	izyv.exe	23
PID 2328 wrote to memory of 112	2328	izyv.exe	23
PID 2328 wrote to memory of 112	2328	izyv.exe	23
PID 2328 wrote to memory of 3060	2328	izyv.exe	29
PID 2328 wrote to memory of 3060	2328	izyv.exe	29
PID 2328 wrote to memory of 3060	2328	izyv.exe	29
PID 2328 wrote to memory of 3060	2328	izyv.exe	29
PID 2328 wrote to memory of 3060	2328	izyv.exe	29
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31
PID 3060 wrote to memory of 1920	3060	2d6807482f854c16202a474e712074c9_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\2d6807482f854c16202a474e712074c9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2d6807482f854c16202a474e712074c9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\Zuiq\izyv.exe
    "C:\Users\Admin\AppData\Roaming\Zuiq\izyv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp64f5bcda.bat"
    3⤵
    - Deletes itself
    PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp64f5bcda.bat

Filesize
271B

MD5
9498d5c16263aefa56c6532ab3a5299e

SHA1
6e5acd0b8e13ffb0b857ffb50b82116a1e511cc1

SHA256
f9d9c2f9eddd8a7d7fd482cdf4bfcd8143d8e84e8481bc45e864c46cd0f1aa47

SHA512
37fad5f037166cae9e79f957b9a1df2a1506a3d3c27e3840b0ad7a81b056e82e21dd30048aa2e706c7d9d621570178856a1b9c343e8c50a782268094a0c414f8

Download Submit
C:\Users\Admin\AppData\Roaming\Zuiq\izyv.exe

Filesize
253KB

MD5
4c925fbd0b576df118892d7a3dc34126

SHA1
00716e7f67e005717d0c6c9fb99174f8c3231e98

SHA256
092cba5354ac4071f5410025215392f6e0758cd278096f1d9d1170b8df3a5640

SHA512
a33fe1582ae43631a200008941e8d8a6aa22f43c1aaac26044982da0e31605245a8eff2f725c72a4b0b9cf048505671d8b94021d06a5493914e9e6dc838570ea

Download Submit
memory/112-37-0x0000000001CF0000-0x0000000001D2F000-memory.dmp

Filesize
252KB

Download
memory/112-36-0x0000000001CF0000-0x0000000001D2F000-memory.dmp

Filesize
252KB

Download
memory/112-35-0x0000000001CF0000-0x0000000001D2F000-memory.dmp

Filesize
252KB

Download
memory/112-38-0x0000000001CF0000-0x0000000001D2F000-memory.dmp

Filesize
252KB

Download
memory/1108-21-0x0000000002260000-0x000000000229F000-memory.dmp

Filesize
252KB

Download
memory/1108-18-0x0000000002260000-0x000000000229F000-memory.dmp

Filesize
252KB

Download
memory/1108-20-0x0000000002260000-0x000000000229F000-memory.dmp

Filesize
252KB

Download
memory/1108-23-0x0000000002260000-0x000000000229F000-memory.dmp

Filesize
252KB

Download
memory/1108-22-0x0000000002260000-0x000000000229F000-memory.dmp

Filesize
252KB

Download
memory/1160-26-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download
memory/1160-25-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download
memory/1160-27-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download
memory/1160-28-0x0000000000120000-0x000000000015F000-memory.dmp

Filesize
252KB

Download
memory/1200-31-0x0000000002DA0000-0x0000000002DDF000-memory.dmp

Filesize
252KB

Download
memory/1200-30-0x0000000002DA0000-0x0000000002DDF000-memory.dmp

Filesize
252KB

Download
memory/1200-32-0x0000000002DA0000-0x0000000002DDF000-memory.dmp

Filesize
252KB

Download
memory/1200-33-0x0000000002DA0000-0x0000000002DDF000-memory.dmp

Filesize
252KB

Download
memory/2328-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2328-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-53-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-51-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-49-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-47-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-45-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-44-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-42-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-41-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-40-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-59-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-65-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-57-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-75-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3060-43-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-127-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-130-0x0000000077A90000-0x0000000077A91000-memory.dmp

Filesize
4KB

Download
memory/3060-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-131-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3060-156-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/3060-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-154-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/3060-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-0-0x0000000000300000-0x000000000033F000-memory.dmp

Filesize
252KB

Download