72231235248da004a908a8b8449d6bbccadbd084b0e5e557a035daba5092db34

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 17:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe
Size

355KB
MD5

316064a2f5510c2e10b0312aa4014039
SHA1

532bf5273e6ab2431c163734f3db38bc184d1c8f
SHA256

72231235248da004a908a8b8449d6bbccadbd084b0e5e557a035daba5092db34
SHA512

9420699db8bc312b796de45728c8d58f09ef99aceb108ab1a52d86cc5866f199182af040f694164fbc6ad3f366e1ca4160cd2cb702488b9dcba92a0da5c32872
SSDEEP

6144:ZJLwtVGJcKxEz7QYV/hcnAptNU3Rwd+7bqJOkrayVpR:XLAVKEz75/9ptGyCbqJ6yB

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	ehoc.exe
2884	ehoc.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe
2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Hifew\\ehoc.exe"	ehoc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2792 set thread context of 2884	2792	ehoc.exe	33

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe
2884	ehoc.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2120 wrote to memory of 2648	2120	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2792	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2792	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2792	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	32
PID 2648 wrote to memory of 2792	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2792 wrote to memory of 2884	2792	ehoc.exe	33
PID 2648 wrote to memory of 2584	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2584	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2584	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2584	2648	316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe	34
PID 2884 wrote to memory of 1032	2884	ehoc.exe	17
PID 2884 wrote to memory of 1032	2884	ehoc.exe	17
PID 2884 wrote to memory of 1032	2884	ehoc.exe	17
PID 2884 wrote to memory of 1032	2884	ehoc.exe	17
PID 2884 wrote to memory of 1032	2884	ehoc.exe	17
PID 2884 wrote to memory of 1056	2884	ehoc.exe	18
PID 2884 wrote to memory of 1056	2884	ehoc.exe	18
PID 2884 wrote to memory of 1056	2884	ehoc.exe	18
PID 2884 wrote to memory of 1056	2884	ehoc.exe	18
PID 2884 wrote to memory of 1056	2884	ehoc.exe	18
PID 2884 wrote to memory of 1100	2884	ehoc.exe	19
PID 2884 wrote to memory of 1100	2884	ehoc.exe	19
PID 2884 wrote to memory of 1100	2884	ehoc.exe	19
PID 2884 wrote to memory of 1100	2884	ehoc.exe	19
PID 2884 wrote to memory of 1100	2884	ehoc.exe	19
PID 2884 wrote to memory of 1356	2884	ehoc.exe	23
PID 2884 wrote to memory of 1356	2884	ehoc.exe	23
PID 2884 wrote to memory of 1356	2884	ehoc.exe	23
PID 2884 wrote to memory of 1356	2884	ehoc.exe	23
PID 2884 wrote to memory of 1356	2884	ehoc.exe	23

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1056
- C:\Users\Admin\AppData\Local\Temp\316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\316064a2f5510c2e10b0312aa4014039_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\Hifew\ehoc.exe
      "C:\Users\Admin\AppData\Roaming\Hifew\ehoc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Users\Admin\AppData\Roaming\Hifew\ehoc.exe
        
        "C:\Users\Admin\AppData\Roaming\Hifew\ehoc.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc33e517b.bat"
      4⤵
      Deletes itself
      PID:2584

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc33e517b.bat

Filesize
271B

MD5
830fce90354663b77590c673286ead4d

SHA1
d8144ec09a58f1e45e43ee6d316d15e003b9169d

SHA256
1ad998a345a88c3023edc821a071347d4c5328bcebcdf6151d7149943949bee6

SHA512
8375a02cdc3117e3d32d0c870ca36b945c7f0b6dfac544d174d64bbaa2c26017c179155a307929804906d0851f3bfb323384ea77fc015667fdc5895f92a3144c

Download Submit
\Users\Admin\AppData\Roaming\Hifew\ehoc.exe

Filesize
355KB

MD5
ed41ad38bee1e8e589df1f1d51df2912

SHA1
c24076e0719f17773d62ac123bcbbb6613ce0927

SHA256
d51af8ecfadf5f78671f97fc6c3bf6cf2fc6563494a56ba6df79069065515688

SHA512
0084544c9449283da4a9c402a622a74ab526637fe27c47f0107007a3197b420a7559a2c12ceb6f80c321bc74f861b6089b7d299fdef55b411c6bcdd433369d9e

Download Submit
memory/1032-58-0x00000000020A0000-0x00000000020E4000-memory.dmp

Filesize
272KB

Download
memory/1032-59-0x00000000020A0000-0x00000000020E4000-memory.dmp

Filesize
272KB

Download
memory/1032-55-0x00000000020A0000-0x00000000020E4000-memory.dmp

Filesize
272KB

Download
memory/1032-57-0x00000000020A0000-0x00000000020E4000-memory.dmp

Filesize
272KB

Download
memory/1056-62-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1056-63-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1056-61-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1056-64-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1100-68-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1100-66-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1100-67-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1100-69-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1356-75-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1356-71-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1356-73-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1356-77-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/2120-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2120-6-0x00000000003A0000-0x00000000003FE000-memory.dmp

Filesize
376KB

Download
memory/2120-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2648-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-30-0x00000000003A0000-0x00000000003FE000-memory.dmp

Filesize
376KB

Download
memory/2648-29-0x00000000003A0000-0x00000000003FE000-memory.dmp

Filesize
376KB

Download
memory/2648-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2884-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download