49bee8c31a635acd64ea4a99568e4150932d6194dd09edb14dcc0b01992e2b6c

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 18:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe
Size

195KB
MD5

3187b6bf8b462df59bb183a31d86c97e
SHA1

d8f5342e1aed3a75a5b678b30423372f8e063fe6
SHA256

49bee8c31a635acd64ea4a99568e4150932d6194dd09edb14dcc0b01992e2b6c
SHA512

bdb5fded754e1241f650543b0cabf5e4fadebe1df8dd3b35dc65d1d6f393068e8794ac457fa38e284a24f8b0b37befb24af6000326b13ebb09c2bdc42aa67003
SSDEEP

3072:C3MGtqXWAxCGYAGq2D8HZ8TTwtR++xb3FB3fSmkQH5xWk03KjZn:YtqmA4dD8ZsTy++xJJfSmkuJ0OZn

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	nania.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe
2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E580D03F-4FCF-F843-A3CB-EC2B13A3F5DE} = "C:\\Users\\Admin\\AppData\\Roaming\\Omco\\nania.exe"	nania.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe
2728	nania.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2728	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2728	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2728	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	29
PID 2132 wrote to memory of 2728	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	29
PID 2728 wrote to memory of 1188	2728	nania.exe	18
PID 2728 wrote to memory of 1188	2728	nania.exe	18
PID 2728 wrote to memory of 1188	2728	nania.exe	18
PID 2728 wrote to memory of 1188	2728	nania.exe	18
PID 2728 wrote to memory of 1188	2728	nania.exe	18
PID 2728 wrote to memory of 1284	2728	nania.exe	19
PID 2728 wrote to memory of 1284	2728	nania.exe	19
PID 2728 wrote to memory of 1284	2728	nania.exe	19
PID 2728 wrote to memory of 1284	2728	nania.exe	19
PID 2728 wrote to memory of 1284	2728	nania.exe	19
PID 2728 wrote to memory of 1344	2728	nania.exe	20
PID 2728 wrote to memory of 1344	2728	nania.exe	20
PID 2728 wrote to memory of 1344	2728	nania.exe	20
PID 2728 wrote to memory of 1344	2728	nania.exe	20
PID 2728 wrote to memory of 1344	2728	nania.exe	20
PID 2728 wrote to memory of 1512	2728	nania.exe	22
PID 2728 wrote to memory of 1512	2728	nania.exe	22
PID 2728 wrote to memory of 1512	2728	nania.exe	22
PID 2728 wrote to memory of 1512	2728	nania.exe	22
PID 2728 wrote to memory of 1512	2728	nania.exe	22
PID 2728 wrote to memory of 2132	2728	nania.exe	28
PID 2728 wrote to memory of 2132	2728	nania.exe	28
PID 2728 wrote to memory of 2132	2728	nania.exe	28
PID 2728 wrote to memory of 2132	2728	nania.exe	28
PID 2728 wrote to memory of 2132	2728	nania.exe	28
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2948	2132	3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2736	2728	nania.exe	31
PID 2728 wrote to memory of 2736	2728	nania.exe	31
PID 2728 wrote to memory of 2736	2728	nania.exe	31
PID 2728 wrote to memory of 2736	2728	nania.exe	31
PID 2728 wrote to memory of 2736	2728	nania.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1188

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3187b6bf8b462df59bb183a31d86c97e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\Omco\nania.exe
    "C:\Users\Admin\AppData\Roaming\Omco\nania.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5b45a2ed.bat"
    3⤵
    - Deletes itself
    PID:2948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9181252001856713969-1503124171148892210-1892589442113358123143015307-1186979835"
1⤵
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5b45a2ed.bat

Filesize
271B

MD5
4193a2ecf93046af4ae31727657dc730

SHA1
d6a3e4c1a097a726d6eb52ff54a74b827c1e1031

SHA256
b5f2016d05631e6b5673fea874e6da4f918ec8d1ec99cb767c2508105d84b444

SHA512
04bec2c6fb328bfbeeba34bf0aa355604e8a157f591ee9b314f4fd971642a1fba5773678467b251a79a659267a882ed56cfd17e211c687bf0d6c1a16f00e312a

Download Submit
C:\Users\Admin\AppData\Roaming\Omco\nania.exe

Filesize
195KB

MD5
af870e104c6cae82f38ee81b74049f40

SHA1
f1ee4775bb6cc357f79bb14c8ef0f82473909995

SHA256
2c8f4727b9bd8038c2bb0f30a369f9f70d6bba1bc2a8b386f5d9621b756f1566

SHA512
d11b5416c030f03c555096acc83d12181978837eab52d148cfadc706b7d2efb8288502ab64b57e146a6fe0f8e13185a9ee8c311543c83240f3b217aa0b043047

Download Submit
memory/1188-20-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-17-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-21-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-18-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1188-19-0x0000000001DE0000-0x0000000001E08000-memory.dmp

Filesize
160KB

Download
memory/1284-25-0x0000000001AC0000-0x0000000001AE8000-memory.dmp

Filesize
160KB

Download
memory/1284-26-0x0000000001AC0000-0x0000000001AE8000-memory.dmp

Filesize
160KB

Download
memory/1284-23-0x0000000001AC0000-0x0000000001AE8000-memory.dmp

Filesize
160KB

Download
memory/1284-24-0x0000000001AC0000-0x0000000001AE8000-memory.dmp

Filesize
160KB

Download
memory/1344-28-0x00000000025F0000-0x0000000002618000-memory.dmp

Filesize
160KB

Download
memory/1344-29-0x00000000025F0000-0x0000000002618000-memory.dmp

Filesize
160KB

Download
memory/1344-30-0x00000000025F0000-0x0000000002618000-memory.dmp

Filesize
160KB

Download
memory/1344-31-0x00000000025F0000-0x0000000002618000-memory.dmp

Filesize
160KB

Download
memory/1512-36-0x00000000022C0000-0x00000000022E8000-memory.dmp

Filesize
160KB

Download
memory/1512-34-0x00000000022C0000-0x00000000022E8000-memory.dmp

Filesize
160KB

Download
memory/1512-33-0x00000000022C0000-0x00000000022E8000-memory.dmp

Filesize
160KB

Download
memory/1512-35-0x00000000022C0000-0x00000000022E8000-memory.dmp

Filesize
160KB

Download
memory/2132-78-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-60-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-58-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-56-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-54-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-50-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-48-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-46-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-44-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-43-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2132-42-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2132-41-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2132-40-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2132-38-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2132-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-70-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-72-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-74-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-76-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-80-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-52-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2132-0-0x000000000042B000-0x000000000042D000-memory.dmp

Filesize
8KB

Download
memory/2132-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2132-39-0x0000000000300000-0x0000000000328000-memory.dmp

Filesize
160KB

Download
memory/2728-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download