ef601c8d11f8699921ce7d16c2be2d435a7f96efc087def782d780b94498f514

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe
Size

305KB
MD5

2dc047f24e61a497c705f07da4133869
SHA1

37bc2588236be19f9779bfa04dfc89a20196c7ef
SHA256

ef601c8d11f8699921ce7d16c2be2d435a7f96efc087def782d780b94498f514
SHA512

3cb56e908276bcbcf57b7fa2e9990173edafaf5b13557096fdaf887c24baca2eb9d5bdfa7cac2778a70e4b00b7cd71c6e4871c28ea66644d59a9cb45cfa53be6
SSDEEP

6144:5GSzPT72Y0STzinYKTY1SQshfRPVQe1MZkIYSccr7wbstO1hPECYeixlYGicO:5GqL7SS6YsY1UMqMZJYSN7wbstO1h8fg

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	ojypa.exe

Loads dropped DLL 1 IoCs

pid	Process
2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\{76E05B48-6E67-AD4F-AEBE-B031A9A3932C} = "C:\\Users\\Admin\\AppData\\Roaming\\Seuwo\\ojypa.exe"	ojypa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe
2680	ojypa.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2680	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2680	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2680	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2680	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1112	2680	ojypa.exe	19
PID 2680 wrote to memory of 1112	2680	ojypa.exe	19
PID 2680 wrote to memory of 1112	2680	ojypa.exe	19
PID 2680 wrote to memory of 1112	2680	ojypa.exe	19
PID 2680 wrote to memory of 1112	2680	ojypa.exe	19
PID 2680 wrote to memory of 1172	2680	ojypa.exe	20
PID 2680 wrote to memory of 1172	2680	ojypa.exe	20
PID 2680 wrote to memory of 1172	2680	ojypa.exe	20
PID 2680 wrote to memory of 1172	2680	ojypa.exe	20
PID 2680 wrote to memory of 1172	2680	ojypa.exe	20
PID 2680 wrote to memory of 1200	2680	ojypa.exe	21
PID 2680 wrote to memory of 1200	2680	ojypa.exe	21
PID 2680 wrote to memory of 1200	2680	ojypa.exe	21
PID 2680 wrote to memory of 1200	2680	ojypa.exe	21
PID 2680 wrote to memory of 1200	2680	ojypa.exe	21
PID 2680 wrote to memory of 1508	2680	ojypa.exe	25
PID 2680 wrote to memory of 1508	2680	ojypa.exe	25
PID 2680 wrote to memory of 1508	2680	ojypa.exe	25
PID 2680 wrote to memory of 1508	2680	ojypa.exe	25
PID 2680 wrote to memory of 1508	2680	ojypa.exe	25
PID 2680 wrote to memory of 2720	2680	ojypa.exe	29
PID 2680 wrote to memory of 2720	2680	ojypa.exe	29
PID 2680 wrote to memory of 2720	2680	ojypa.exe	29
PID 2680 wrote to memory of 2720	2680	ojypa.exe	29
PID 2680 wrote to memory of 2720	2680	ojypa.exe	29
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2756	2720	2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe	31
PID 2680 wrote to memory of 2868	2680	ojypa.exe	33
PID 2680 wrote to memory of 2868	2680	ojypa.exe	33
PID 2680 wrote to memory of 2868	2680	ojypa.exe	33
PID 2680 wrote to memory of 2868	2680	ojypa.exe	33
PID 2680 wrote to memory of 2868	2680	ojypa.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2dc047f24e61a497c705f07da4133869_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\Seuwo\ojypa.exe
    "C:\Users\Admin\AppData\Roaming\Seuwo\ojypa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbdb6e581.bat"
    3⤵
    - Deletes itself
    PID:2756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbdb6e581.bat

Filesize
271B

MD5
07e9db0f041a595c13854d9908a93ede

SHA1
1ceca1566a1c3932aca3204380d58eba58718936

SHA256
7e021f8013040d1be2a046452d3a181f32bac11e88855732fbb1c4cdf2a297bc

SHA512
0c2a33a1c9123629a5c9d7c371a083433bc962492fc7e1990f1679c5b9207738f0fc59f43bf2d914fbbc02fe8f15302a27c9c0fb7ee5aaa3eae4e4582bf1faa2

Download Submit
C:\Users\Admin\AppData\Roaming\Seuwo\ojypa.exe

Filesize
305KB

MD5
36c73607c34679b3681156364e312dba

SHA1
476d0bf4615c336720748b172e90a61f0dd26f9f

SHA256
531ec8fe864268d3e3149f3454fb650e82c7a344d50acd865c7dd8092119afdf

SHA512
7edc76add6825352982a20ec72e535b072719fde301f43592a817f67fe4e903cff87eff9daa4613ae514e1d4ed41ef15f6c8dc6b034576d3850aa66f757ba778

Download Submit
memory/1112-18-0x0000000002110000-0x0000000002154000-memory.dmp

Filesize
272KB

Download
memory/1112-19-0x0000000002110000-0x0000000002154000-memory.dmp

Filesize
272KB

Download
memory/1112-15-0x0000000002110000-0x0000000002154000-memory.dmp

Filesize
272KB

Download
memory/1112-16-0x0000000002110000-0x0000000002154000-memory.dmp

Filesize
272KB

Download
memory/1112-17-0x0000000002110000-0x0000000002154000-memory.dmp

Filesize
272KB

Download
memory/1172-24-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1172-21-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1172-22-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1172-23-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1200-29-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1200-26-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1200-27-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1200-28-0x0000000002FA0000-0x0000000002FE4000-memory.dmp

Filesize
272KB

Download
memory/1508-38-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1508-33-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1508-34-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1508-36-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/2680-12-0x0000000000AF0000-0x0000000000B40000-memory.dmp

Filesize
320KB

Download
memory/2680-14-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2680-286-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2720-136-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-70-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-64-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-63-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2720-62-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-56-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-54-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-52-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-50-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-48-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-46-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-45-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-44-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-43-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-41-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-66-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-159-0x0000000000E50000-0x0000000000EA0000-memory.dmp

Filesize
320KB

Download
memory/2720-160-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2720-161-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-72-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-74-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-0-0x0000000000E50000-0x0000000000EA0000-memory.dmp

Filesize
320KB

Download
memory/2720-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2720-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2720-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2720-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2720-42-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/2720-11-0x0000000000AF0000-0x0000000000B40000-memory.dmp

Filesize
320KB

Download
memory/2720-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download