10c08643ad2b5459da86df8c171e374fe582bce60333ac8bf2abef29da68ca2c

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe
Size

138KB
MD5

30cfdf2765dc1be9d12893a0489ffa4a
SHA1

a333e5f975c623583e11c2958cd53d2aaf7577b9
SHA256

10c08643ad2b5459da86df8c171e374fe582bce60333ac8bf2abef29da68ca2c
SHA512

fd6361ca8676dce42d6e35c15e5c62b58b4dc4381850be79d80359c6847a07899b05ef2aa3de816e654996f394d2307505448583b3d60be406a6818c21e675f6
SSDEEP

3072:/caqyte6sV77snHLLxt0ZyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmE:/caBty77snHRisY7PNNW4IxZ7zbC0rOf

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2120	unli.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe
2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D409BECD-4B92-494B-22B8-958F53D621E5} = "C:\\Users\\Admin\\AppData\\Roaming\\Naxu\\unli.exe"	unli.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe
2120	unli.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2120	2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2120	2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2120	2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2120	2536	30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe	31
PID 2120 wrote to memory of 1064	2120	unli.exe	17
PID 2120 wrote to memory of 1064	2120	unli.exe	17
PID 2120 wrote to memory of 1064	2120	unli.exe	17
PID 2120 wrote to memory of 1064	2120	unli.exe	17
PID 2120 wrote to memory of 1064	2120	unli.exe	17
PID 2120 wrote to memory of 1092	2120	unli.exe	18
PID 2120 wrote to memory of 1092	2120	unli.exe	18
PID 2120 wrote to memory of 1092	2120	unli.exe	18
PID 2120 wrote to memory of 1092	2120	unli.exe	18
PID 2120 wrote to memory of 1092	2120	unli.exe	18
PID 2120 wrote to memory of 1144	2120	unli.exe	20
PID 2120 wrote to memory of 1144	2120	unli.exe	20
PID 2120 wrote to memory of 1144	2120	unli.exe	20
PID 2120 wrote to memory of 1144	2120	unli.exe	20
PID 2120 wrote to memory of 1144	2120	unli.exe	20
PID 2120 wrote to memory of 924	2120	unli.exe	25
PID 2120 wrote to memory of 924	2120	unli.exe	25
PID 2120 wrote to memory of 924	2120	unli.exe	25
PID 2120 wrote to memory of 924	2120	unli.exe	25
PID 2120 wrote to memory of 924	2120	unli.exe	25
PID 2120 wrote to memory of 2536	2120	unli.exe	29
PID 2120 wrote to memory of 2536	2120	unli.exe	29
PID 2120 wrote to memory of 2536	2120	unli.exe	29
PID 2120 wrote to memory of 2536	2120	unli.exe	29
PID 2120 wrote to memory of 2536	2120	unli.exe	29
PID 2120 wrote to memory of 2228	2120	unli.exe	32
PID 2120 wrote to memory of 2228	2120	unli.exe	32
PID 2120 wrote to memory of 2228	2120	unli.exe	32
PID 2120 wrote to memory of 2228	2120	unli.exe	32
PID 2120 wrote to memory of 2228	2120	unli.exe	32
PID 2120 wrote to memory of 2652	2120	unli.exe	33
PID 2120 wrote to memory of 2652	2120	unli.exe	33
PID 2120 wrote to memory of 2652	2120	unli.exe	33
PID 2120 wrote to memory of 2652	2120	unli.exe	33
PID 2120 wrote to memory of 2652	2120	unli.exe	33
PID 2120 wrote to memory of 1484	2120	unli.exe	34
PID 2120 wrote to memory of 1484	2120	unli.exe	34
PID 2120 wrote to memory of 1484	2120	unli.exe	34
PID 2120 wrote to memory of 1484	2120	unli.exe	34
PID 2120 wrote to memory of 1484	2120	unli.exe	34
PID 2120 wrote to memory of 408	2120	unli.exe	35
PID 2120 wrote to memory of 408	2120	unli.exe	35
PID 2120 wrote to memory of 408	2120	unli.exe	35
PID 2120 wrote to memory of 408	2120	unli.exe	35
PID 2120 wrote to memory of 408	2120	unli.exe	35

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30cfdf2765dc1be9d12893a0489ffa4a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Roaming\Naxu\unli.exe
    "C:\Users\Admin\AppData\Roaming\Naxu\unli.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Naxu\unli.exe

Filesize
138KB

MD5
1be2214a3b75b73d8197f38c84f9430f

SHA1
cf45d5c93112b4a2c0b952817ca522b859aa910d

SHA256
836f7dcd9dc22e9d456ace560972b424a2e47afff8b4c4142df88f93bea0c630

SHA512
a530c490ef8fe88d22fffb0300c61b8b02f4fb8aec14223d02e4a16dc59e62a3f3f02622d2a602c36be97d449ae18200cff304e7f7325e846344b926d0e94b68

Download Submit
memory/924-32-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/924-31-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/924-34-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/924-33-0x0000000001C80000-0x0000000001CA7000-memory.dmp

Filesize
156KB

Download
memory/1064-12-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1064-10-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1064-14-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1064-16-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1064-18-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1092-23-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1092-24-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1092-22-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1092-21-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/1144-29-0x00000000024B0000-0x00000000024D7000-memory.dmp

Filesize
156KB

Download
memory/1144-28-0x00000000024B0000-0x00000000024D7000-memory.dmp

Filesize
156KB

Download
memory/1144-27-0x00000000024B0000-0x00000000024D7000-memory.dmp

Filesize
156KB

Download
memory/1144-26-0x00000000024B0000-0x00000000024D7000-memory.dmp

Filesize
156KB

Download
memory/1484-60-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1484-61-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1484-59-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/1484-58-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/2228-48-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/2228-51-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/2228-50-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/2228-49-0x0000000001BE0000-0x0000000001C07000-memory.dmp

Filesize
156KB

Download
memory/2536-37-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/2536-45-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/2536-43-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/2536-41-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/2536-39-0x0000000000260000-0x0000000000287000-memory.dmp

Filesize
156KB

Download
memory/2652-54-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/2652-56-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/2652-55-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/2652-53-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download