b8fbe06f67bcc604d2b2ab45a8ec17b4add2d8afd4bd0caa8694eb6af1219dd6

Analysis

max time kernel
52s
max time network
19s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
Size

197KB
MD5

31c71243beb4fd4025ea2350217fd162
SHA1

0c46d10c70857ca33fbf1fc86e926f66613c9e9f
SHA256

b8fbe06f67bcc604d2b2ab45a8ec17b4add2d8afd4bd0caa8694eb6af1219dd6
SHA512

cd90e0780cbc1c64e327d127c934d0919e8848d4e6f9525e9085f13c09f4339639c199e8b0e8f08b8a804a4e589f427911bacbfe6d3636555ee90eb2f2f8af32
SSDEEP

3072:yF2SRGOYiDEah5u2606Tqa4esT/TCJCKEOcP5/9iIttyB2BSz:yF22ojRnqa3DkvOIiwR0

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	Rlygea.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/700-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/files/0x0008000000016527-10.dat	upx
behavioral1/memory/2816-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\TJHTHX1O7X = "C:\\Windows\\Rlygea.exe"	Rlygea.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
File created	C:\Windows\Rlygea.exe	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
File opened for modification	C:\Windows\Rlygea.exe	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	Rlygea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe
2816	Rlygea.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
Token: SeBackupPrivilege	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
2816	Rlygea.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30
PID 700 wrote to memory of 2816	700	31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31c71243beb4fd4025ea2350217fd162_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\Rlygea.exe
  C:\Windows\Rlygea.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Rlygea.exe

Filesize
197KB

MD5
31c71243beb4fd4025ea2350217fd162

SHA1
0c46d10c70857ca33fbf1fc86e926f66613c9e9f

SHA256
b8fbe06f67bcc604d2b2ab45a8ec17b4add2d8afd4bd0caa8694eb6af1219dd6

SHA512
cd90e0780cbc1c64e327d127c934d0919e8848d4e6f9525e9085f13c09f4339639c199e8b0e8f08b8a804a4e589f427911bacbfe6d3636555ee90eb2f2f8af32

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
4dfc5f4615a6d2f16ea865728bccb0fd

SHA1
27b439272f4743f632af6a4f3592ced040239a45

SHA256
2a879713d87e8ada4e251a2bfee9705a691a247bb649cabf9c6dbcdc81ad92be

SHA512
e6b4273f6b4e2a2faa19a35aafc43c0ec1a652a9c572f3bf29ec5c58efa3c39069d5097783f86ef52d90cd11e1a0e35049c325ccabd548c6dc9b91d5a9d45184

Download Submit
memory/700-1-0x0000000000860000-0x00000000008CC000-memory.dmp

Filesize
432KB

Download
memory/700-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/700-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/700-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/700-48254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/700-12-0x00000000027B0000-0x000000000281C000-memory.dmp

Filesize
432KB

Download
memory/2816-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-20852-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download
memory/2816-20818-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download
memory/2816-48257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2816-20817-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download
memory/2816-20815-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download
memory/2816-20832-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download
memory/2816-20816-0x0000000001DD0000-0x0000000001ED0000-memory.dmp

Filesize
1024KB

Download