58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141

Analysis

max time kernel
78s
max time network
52s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
Size

501KB
MD5

2d8f429c96d92430c8c66679936bbc1f
SHA1

a753880cfe0cb7051a0b9cf07531d04c13f7d032
SHA256

58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141
SHA512

fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f
SSDEEP

6144:y8lLSeKLxjiZjdhTv2tIyzJM/FAvzBF/nM+BNlocz4xWadXmRd7gJQa3:ymFT1yNM/Wvz/Z4WaSdUJP

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1180	Yjowua.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1068-1-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/files/0x0007000000018703-11.dat	upx
behavioral1/memory/1180-13-0x0000000000400000-0x000000000047F000-memory.dmp	upx
behavioral1/memory/1068-12-0x0000000000370000-0x00000000003EF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFGQBFFUUO = "C:\\Windows\\Yjowua.exe"	Yjowua.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File created	C:\Windows\Yjowua.exe	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
File opened for modification	C:\Windows\Yjowua.exe	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	Yjowua.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe
1180	Yjowua.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1068	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
1180	Yjowua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1180	1068	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	29
PID 1068 wrote to memory of 1180	1068	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	29
PID 1068 wrote to memory of 1180	1068	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	29
PID 1068 wrote to memory of 1180	1068	2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d8f429c96d92430c8c66679936bbc1f_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Yjowua.exe
  C:\Windows\Yjowua.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
b4f6d1d2f88f7694aa4f1bb1f5d88540

SHA1
cff4da335b60a561ae6ad0789a94c0a4cfa9600a

SHA256
58f222c33301742cb36df7b0380b649d47665cf20efa8da087a44bcabb2d9e89

SHA512
36131a98d57fae581c8ab02041d1d8d85fdc59204012e507edfe25686addece87854cb1c2916bc158bdc01541076ce101c909240977d2e778c6792da4fcda953

Download Submit
C:\Windows\Yjowua.exe

Filesize
501KB

MD5
2d8f429c96d92430c8c66679936bbc1f

SHA1
a753880cfe0cb7051a0b9cf07531d04c13f7d032

SHA256
58bb782e0b4222b68641abad8f779125d73fc7d411b837d5a011a7feafd08141

SHA512
fcf28248d78a68a03dd707d7b88dfe7e020916726c9d6bb24c4dc0d932e6cdbca3dd90bff0984b46ce63ac4f367b80f1ff707b3065fa2deb57b1ca29ba04524f

Download Submit
memory/1068-47230-0x0000000000370000-0x00000000003EF000-memory.dmp

Filesize
508KB

Download
memory/1068-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1068-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1068-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1068-1-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1068-12-0x0000000000370000-0x00000000003EF000-memory.dmp

Filesize
508KB

Download
memory/1068-94702-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1068-47225-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1068-47229-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1180-19237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-19363-0x0000000001D50000-0x0000000001E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-47228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1180-19361-0x0000000001D50000-0x0000000001E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-19378-0x0000000001D50000-0x0000000001E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-19362-0x0000000001D50000-0x0000000001E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-19398-0x0000000001D50000-0x0000000001E50000-memory.dmp

Filesize
1024KB

Download
memory/1180-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download