a75022c9a20ff92e31c85da50b7d450b6136a52bb9758d147f1901386766d39f

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
Size

138KB
MD5

30faa66beaf3fbe941fb827b52248463
SHA1

cb12a518127f4310b4e59089a6e9a272d155eaf8
SHA256

a75022c9a20ff92e31c85da50b7d450b6136a52bb9758d147f1901386766d39f
SHA512

3cd9bc6fc51b177a918ae19d28fbeea26c1032e022f8504aa1e353f970c73bca8caa25b68215c1cabc0d46ee684b19de48539ec2d948c6950aedd8629f56f165
SSDEEP

3072:hcAW51Je95KCkkVn1Wx9DZ1UnEiJKxq6uO7v8z3lKIwgrWYi:hcAkWHnE911UnEiX6uOAzomr8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1564	afyg.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8DB5F6D9-0EC0-B78D-4FD7-F48A4A78AA90} = "C:\\Users\\Admin\\AppData\\Roaming\\Waohwe\\afyg.exe"	afyg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\29B577EB-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe
1564	afyg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
Token: SeSecurityPrivilege	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
Token: SeSecurityPrivilege	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2820	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2820	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	WinMail.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1564	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1564	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1564	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	30
PID 1928 wrote to memory of 1564	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	30
PID 1564 wrote to memory of 1200	1564	afyg.exe	19
PID 1564 wrote to memory of 1200	1564	afyg.exe	19
PID 1564 wrote to memory of 1200	1564	afyg.exe	19
PID 1564 wrote to memory of 1200	1564	afyg.exe	19
PID 1564 wrote to memory of 1200	1564	afyg.exe	19
PID 1564 wrote to memory of 1288	1564	afyg.exe	20
PID 1564 wrote to memory of 1288	1564	afyg.exe	20
PID 1564 wrote to memory of 1288	1564	afyg.exe	20
PID 1564 wrote to memory of 1288	1564	afyg.exe	20
PID 1564 wrote to memory of 1288	1564	afyg.exe	20
PID 1564 wrote to memory of 1340	1564	afyg.exe	21
PID 1564 wrote to memory of 1340	1564	afyg.exe	21
PID 1564 wrote to memory of 1340	1564	afyg.exe	21
PID 1564 wrote to memory of 1340	1564	afyg.exe	21
PID 1564 wrote to memory of 1340	1564	afyg.exe	21
PID 1564 wrote to memory of 1080	1564	afyg.exe	23
PID 1564 wrote to memory of 1080	1564	afyg.exe	23
PID 1564 wrote to memory of 1080	1564	afyg.exe	23
PID 1564 wrote to memory of 1080	1564	afyg.exe	23
PID 1564 wrote to memory of 1080	1564	afyg.exe	23
PID 1564 wrote to memory of 1928	1564	afyg.exe	29
PID 1564 wrote to memory of 1928	1564	afyg.exe	29
PID 1564 wrote to memory of 1928	1564	afyg.exe	29
PID 1564 wrote to memory of 1928	1564	afyg.exe	29
PID 1564 wrote to memory of 1928	1564	afyg.exe	29
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1928 wrote to memory of 772	1928	30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe	32
PID 1564 wrote to memory of 1908	1564	afyg.exe	34
PID 1564 wrote to memory of 1908	1564	afyg.exe	34
PID 1564 wrote to memory of 1908	1564	afyg.exe	34
PID 1564 wrote to memory of 1908	1564	afyg.exe	34
PID 1564 wrote to memory of 1908	1564	afyg.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1288

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30faa66beaf3fbe941fb827b52248463_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Roaming\Waohwe\afyg.exe
    "C:\Users\Admin\AppData\Roaming\Waohwe\afyg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp66fdf034.bat"
    3⤵
    - Deletes itself
    PID:772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1080

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
3e319c03ef9690fca7d5891441ced55c

SHA1
311b44c277e14aa7839142e539eba98119e844af

SHA256
307f3699d68aa520b8b4882b425a875f1c902262f1cc54fd380dc6a5e149d6ce

SHA512
e96b442566aef6c51c1c3c7a8eecb2dca9d0d7ffe7d58d896b4d5feb445008918d473074eb09c86e83e1514907ce3016fe2c92209c2dff6949b32cb98088c3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp66fdf034.bat

Filesize
271B

MD5
4600d360603673f6a1e5ac2c06e21266

SHA1
33901d7d993fffb146d4236d0d412358852be80f

SHA256
5b7b8a1b17045e0902d67994c81b25b2f172e9adb9f5d41959e6d10ac9258886

SHA512
d9b6a513fc77da8bc5a1dc4eba277a56ee6008b1f0334d86c87051b665f7a1ae566473de49cdc93bed3d497ada6ffdac5c7f6ebd2c0f062fa2b888ed551e524b

Download Submit
C:\Users\Admin\AppData\Roaming\Ibneuv\vaco.aqa

Filesize
380B

MD5
24bd5bb59ca7e84a2431e866bdf42d2b

SHA1
387d67c68d004afa18032052c1b605cb7b2f5fd2

SHA256
f105e8203e330735eea63fd626879bcbd21b6275d93b3123f83886f12a10d7c7

SHA512
098845655f0aa73177017ac51ec8c4f2aae0e374d95b4a668f673a0c20efadc3fccc6af43b126e3f7a87814b21701d2c2f44cce6fe2aae889ad200828e9cdfb1

Download Submit
\Users\Admin\AppData\Roaming\Waohwe\afyg.exe

Filesize
138KB

MD5
7fc3accdd3e324a9e8c1ec582bbbd3ef

SHA1
2ff846d60d5d2de46c2b699b684abb6665bef5f0

SHA256
7ff8d7349ed1629937c1d8174355b895924dea49f059b3b21bb02ddc86f4cd33

SHA512
f96b532343f897f6aae5d75ade250600e14f61c882207570e30bb764f449f93c730c3d502702237a3b10196bc5a507509696d44d10d43582a73e61d8e5d81980

Download Submit
memory/1080-32-0x0000000001E10000-0x0000000001E37000-memory.dmp

Filesize
156KB

Download
memory/1080-31-0x0000000001E10000-0x0000000001E37000-memory.dmp

Filesize
156KB

Download
memory/1080-28-0x0000000001E10000-0x0000000001E37000-memory.dmp

Filesize
156KB

Download
memory/1080-26-0x0000000001E10000-0x0000000001E37000-memory.dmp

Filesize
156KB

Download
memory/1200-14-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

Filesize
156KB

Download
memory/1200-13-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

Filesize
156KB

Download
memory/1200-12-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

Filesize
156KB

Download
memory/1200-11-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

Filesize
156KB

Download
memory/1200-10-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

Filesize
156KB

Download
memory/1288-16-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1288-17-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1288-18-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1288-19-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1340-21-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1340-22-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1340-24-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1340-23-0x00000000029F0000-0x0000000002A17000-memory.dmp

Filesize
156KB

Download
memory/1928-64-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-56-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-40-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-39-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1928-37-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1928-36-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1928-35-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1928-44-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-46-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-48-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-50-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-52-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-54-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-58-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-62-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-66-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-70-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-122-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1928-123-0x0000000077DD0000-0x0000000077DD1000-memory.dmp

Filesize
4KB

Download
memory/1928-124-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-74-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download