cdb05a1dcc2581da7ca3edead71e3201cbd44dfdc97f6ebfeb874b378862300d

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
Size

358KB
MD5

3165511485d965679a4cac8ec6bcb0ad
SHA1

c5ceded7502bcaac99c283fea51fa5208c72a589
SHA256

cdb05a1dcc2581da7ca3edead71e3201cbd44dfdc97f6ebfeb874b378862300d
SHA512

7dc293bf4f42cd58e6fc1fc301316edd72fb55b59ecf3c6781579e50f833adda7335ded54aff2d4686325e883319a61565ed28e1e8fce26e3d6ae7be0c0729f3
SSDEEP

6144:xDnzwMPKotBWuFq/440OQ6iQHWSRpjvpyoWlRlDqDjl4AFyO7Q379VulTweZZa7:aEPBW5/4L6ifSRPFWlRl2t4AyiQjA8eg

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2192	isip.exe
2712	isip.exe

Loads dropped DLL 3 IoCs

pid	Process
2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
2192	isip.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C6C07C68-68EF-AD4F-3837-F372201AD06F} = "C:\\Users\\Admin\\AppData\\Roaming\\Dualc\\isip.exe"	isip.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2192 set thread context of 2712	2192	isip.exe	33

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe
2712	isip.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2696 wrote to memory of 2760	2696	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2192	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2192	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2192	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	32
PID 2760 wrote to memory of 2192	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	32
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2192 wrote to memory of 2712	2192	isip.exe	33
PID 2712 wrote to memory of 1092	2712	isip.exe	19
PID 2712 wrote to memory of 1092	2712	isip.exe	19
PID 2712 wrote to memory of 1092	2712	isip.exe	19
PID 2712 wrote to memory of 1092	2712	isip.exe	19
PID 2712 wrote to memory of 1092	2712	isip.exe	19
PID 2712 wrote to memory of 1172	2712	isip.exe	20
PID 2712 wrote to memory of 1172	2712	isip.exe	20
PID 2712 wrote to memory of 1172	2712	isip.exe	20
PID 2712 wrote to memory of 1172	2712	isip.exe	20
PID 2712 wrote to memory of 1172	2712	isip.exe	20
PID 2712 wrote to memory of 1204	2712	isip.exe	21
PID 2712 wrote to memory of 1204	2712	isip.exe	21
PID 2712 wrote to memory of 1204	2712	isip.exe	21
PID 2712 wrote to memory of 1204	2712	isip.exe	21
PID 2712 wrote to memory of 1204	2712	isip.exe	21
PID 2712 wrote to memory of 1540	2712	isip.exe	23
PID 2712 wrote to memory of 1540	2712	isip.exe	23
PID 2712 wrote to memory of 1540	2712	isip.exe	23
PID 2712 wrote to memory of 1540	2712	isip.exe	23
PID 2712 wrote to memory of 1540	2712	isip.exe	23
PID 2712 wrote to memory of 2760	2712	isip.exe	31
PID 2712 wrote to memory of 2760	2712	isip.exe	31
PID 2712 wrote to memory of 2760	2712	isip.exe	31
PID 2712 wrote to memory of 2760	2712	isip.exe	31
PID 2712 wrote to memory of 2760	2712	isip.exe	31
PID 2760 wrote to memory of 2648	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2648	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2648	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	34
PID 2760 wrote to memory of 2648	2760	3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe	34
PID 2712 wrote to memory of 2648	2712	isip.exe	34
PID 2712 wrote to memory of 2648	2712	isip.exe	34
PID 2712 wrote to memory of 2648	2712	isip.exe	34
PID 2712 wrote to memory of 2648	2712	isip.exe	34
PID 2712 wrote to memory of 2648	2712	isip.exe	34
PID 2712 wrote to memory of 2356	2712	isip.exe	35
PID 2712 wrote to memory of 2356	2712	isip.exe	35
PID 2712 wrote to memory of 2356	2712	isip.exe	35
PID 2712 wrote to memory of 2356	2712	isip.exe	35
PID 2712 wrote to memory of 2356	2712	isip.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1092

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3165511485d965679a4cac8ec6bcb0ad_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Roaming\Dualc\isip.exe
      "C:\Users\Admin\AppData\Roaming\Dualc\isip.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Users\Admin\AppData\Roaming\Dualc\isip.exe
        
        "C:\Users\Admin\AppData\Roaming\Dualc\isip.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f7dbe2e.bat"
      4⤵
      Deletes itself
      PID:2648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-191155735-640499886-640025995-203442253114131289311993916916626972792-1020027411"
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7f7dbe2e.bat

Filesize
271B

MD5
72b85ce157e99a713719d600e5f3b006

SHA1
99cd8d1b809ffe232a9f6bb9c83cc13f37417024

SHA256
ddbf5eae4f583e9033d2ac1423876f8851e6127c648a68cd4bf2df3adf26193a

SHA512
5782a3a850152ba62c04ddd4116986fbdaa07bdf2657c260e9f3f7fda93ddd8315251e3a5a5785775c135b47b7206e70f81bca7edcdafd05f916f1e3bdfc2f14

Download Submit
\Users\Admin\AppData\Roaming\Dualc\isip.exe

Filesize
358KB

MD5
4613e182bb98c3e08f4daec82cdc750b

SHA1
1e05c4bddf4e5aaf05fb9fea471dd3bd23321e63

SHA256
0415afb0978d0618994e69cbd1a25dd59689d16c707fa6f4ef4a6e2b511dc98b

SHA512
b19ed6f815a865f6998aec7a6b8f3a03636272006278794b87ca792cab01c866fb268d28e04b1392a45f32c115c9a73a157c18e77cbf97355004d88b4a4060bb

Download Submit
memory/1092-58-0x0000000002250000-0x0000000002294000-memory.dmp

Filesize
272KB

Download
memory/1092-56-0x0000000002250000-0x0000000002294000-memory.dmp

Filesize
272KB

Download
memory/1092-60-0x0000000002250000-0x0000000002294000-memory.dmp

Filesize
272KB

Download
memory/1092-54-0x0000000002250000-0x0000000002294000-memory.dmp

Filesize
272KB

Download
memory/1172-66-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1172-63-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1172-64-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1172-65-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1204-68-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1204-71-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1204-70-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1204-69-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1540-73-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1540-76-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1540-74-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1540-75-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/2192-33-0x0000000000320000-0x000000000037F000-memory.dmp

Filesize
380KB

Download
memory/2192-48-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2648-108-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2648-205-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2648-186-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

Filesize
4KB

Download
memory/2648-207-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2696-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2696-14-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2712-51-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2712-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-81-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-101-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-29-0x0000000000490000-0x00000000004EF000-memory.dmp

Filesize
380KB

Download
memory/2760-30-0x0000000000490000-0x00000000004EF000-memory.dmp

Filesize
380KB

Download
memory/2760-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-86-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2760-84-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2760-82-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-80-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-79-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-78-0x0000000000490000-0x00000000004D4000-memory.dmp

Filesize
272KB

Download
memory/2760-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download