a4a5d06f7c8ad51838f3eacee5ab8c656654a5cbb7268e053a351c0b9f40dde6

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36840e112c43671900001245f2101373_JaffaCakes118.exe
Size

93KB
MD5

36840e112c43671900001245f2101373
SHA1

50f679730e074be68bc1afb5b512003baa0d1809
SHA256

a4a5d06f7c8ad51838f3eacee5ab8c656654a5cbb7268e053a351c0b9f40dde6
SHA512

6b7aa666a232ae2fd2e5a0ca9be4a0156eeb42135c327e505a34449b428f3121e70a32f0dc251b0c058a531590fef9c0a4e5507a2e1cdba729790a515c51755e
SSDEEP

1536:5wH8PDwlr3QF/GTqg8HLhobQLAfm5b8HLljs2mwEhstzWrYy:A4Mlr39Og8HlKQLAfMmLljJmwEixWrZ

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	ebpe.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	36840e112c43671900001245f2101373_JaffaCakes118.exe
2640	36840e112c43671900001245f2101373_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{56A52C12-F56B-A58F-B7D3-F48AC788E0F7} = "C:\\Users\\Admin\\AppData\\Roaming\\Azga\\ebpe.exe"	ebpe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	36840e112c43671900001245f2101373_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	36840e112c43671900001245f2101373_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe
2688	ebpe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe
Token: SeSecurityPrivilege	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe
Token: SeSecurityPrivilege	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2688	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2688	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2688	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2688	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	30
PID 2688 wrote to memory of 1120	2688	ebpe.exe	19
PID 2688 wrote to memory of 1120	2688	ebpe.exe	19
PID 2688 wrote to memory of 1120	2688	ebpe.exe	19
PID 2688 wrote to memory of 1120	2688	ebpe.exe	19
PID 2688 wrote to memory of 1120	2688	ebpe.exe	19
PID 2688 wrote to memory of 1180	2688	ebpe.exe	20
PID 2688 wrote to memory of 1180	2688	ebpe.exe	20
PID 2688 wrote to memory of 1180	2688	ebpe.exe	20
PID 2688 wrote to memory of 1180	2688	ebpe.exe	20
PID 2688 wrote to memory of 1180	2688	ebpe.exe	20
PID 2688 wrote to memory of 1208	2688	ebpe.exe	21
PID 2688 wrote to memory of 1208	2688	ebpe.exe	21
PID 2688 wrote to memory of 1208	2688	ebpe.exe	21
PID 2688 wrote to memory of 1208	2688	ebpe.exe	21
PID 2688 wrote to memory of 1208	2688	ebpe.exe	21
PID 2688 wrote to memory of 1288	2688	ebpe.exe	23
PID 2688 wrote to memory of 1288	2688	ebpe.exe	23
PID 2688 wrote to memory of 1288	2688	ebpe.exe	23
PID 2688 wrote to memory of 1288	2688	ebpe.exe	23
PID 2688 wrote to memory of 1288	2688	ebpe.exe	23
PID 2688 wrote to memory of 2640	2688	ebpe.exe	29
PID 2688 wrote to memory of 2640	2688	ebpe.exe	29
PID 2688 wrote to memory of 2640	2688	ebpe.exe	29
PID 2688 wrote to memory of 2640	2688	ebpe.exe	29
PID 2688 wrote to memory of 2640	2688	ebpe.exe	29
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2640 wrote to memory of 268	2640	36840e112c43671900001245f2101373_JaffaCakes118.exe	31
PID 2688 wrote to memory of 1164	2688	ebpe.exe	33
PID 2688 wrote to memory of 1164	2688	ebpe.exe	33
PID 2688 wrote to memory of 1164	2688	ebpe.exe	33
PID 2688 wrote to memory of 1164	2688	ebpe.exe	33
PID 2688 wrote to memory of 1164	2688	ebpe.exe	33
PID 2688 wrote to memory of 1148	2688	ebpe.exe	34
PID 2688 wrote to memory of 1148	2688	ebpe.exe	34
PID 2688 wrote to memory of 1148	2688	ebpe.exe	34
PID 2688 wrote to memory of 1148	2688	ebpe.exe	34
PID 2688 wrote to memory of 1148	2688	ebpe.exe	34
PID 2688 wrote to memory of 1020	2688	ebpe.exe	35
PID 2688 wrote to memory of 1020	2688	ebpe.exe	35
PID 2688 wrote to memory of 1020	2688	ebpe.exe	35
PID 2688 wrote to memory of 1020	2688	ebpe.exe	35
PID 2688 wrote to memory of 1020	2688	ebpe.exe	35
PID 2688 wrote to memory of 1944	2688	ebpe.exe	36
PID 2688 wrote to memory of 1944	2688	ebpe.exe	36
PID 2688 wrote to memory of 1944	2688	ebpe.exe	36
PID 2688 wrote to memory of 1944	2688	ebpe.exe	36
PID 2688 wrote to memory of 1944	2688	ebpe.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\36840e112c43671900001245f2101373_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\36840e112c43671900001245f2101373_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Azga\ebpe.exe
    "C:\Users\Admin\AppData\Roaming\Azga\ebpe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp304b4e6e.bat"
    3⤵
    - Deletes itself
    PID:268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1148

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp304b4e6e.bat

Filesize
271B

MD5
97f2f9f8278bd4a294093713dd08c80a

SHA1
973b5d8a23768f8384b36303be9bee1afb7fc737

SHA256
1a581185f018f780b41bf9718d20197f0719de8b1c21911868d0ef7baf3a519e

SHA512
3fe42b82008ad323b64e1de3082dea601f9bde4887039fa718300520cf8e8bf918f1779b5198094491a38eef6161d6a0156470b775d94c480a45bd2995282a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Kaepxo\uzlok.xak

Filesize
380B

MD5
687e10f7c350712f188f92dbd62c80dd

SHA1
d1815e25373dbc39b0d8a64f0bb4119cc97cae68

SHA256
96880eaab26e8748d37edacfb4c8c1d70f405b9613a69aa9cb4aa9dce739459b

SHA512
addea6110b4ecef679d4b1bf9e9c4253f7291c0398ad52314f9d97719459a1a80e576ca1fa41bac5770be7fc2dd3da468462e5ccf70d9acdfe593c523111f212

Download Submit
\Users\Admin\AppData\Roaming\Azga\ebpe.exe

Filesize
93KB

MD5
a08d2b58c66694f25fac4638e447e89d

SHA1
d654bb3a7c7275687ea44b09fbd5836f24b4fc97

SHA256
87e1f7d7b2a768dec15f1a84ffe7cec629209d50c64f4f97c6bf29c66980bc87

SHA512
979c0bb3ad99cb780c3fab28c157606c7893fd961fb76f9dc14a8a876b1a3a265e4077d453e159d59a4c36e1fb56c6f11352853863d8c2aa300790175f5408d8

Download Submit
memory/268-84-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/268-78-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/268-115-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1120-11-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/1120-10-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/1120-14-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/1120-13-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/1120-12-0x00000000021F0000-0x000000000220A000-memory.dmp

Filesize
104KB

Download
memory/1180-19-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/1180-21-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/1180-17-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/1180-23-0x00000000001C0000-0x00000000001DA000-memory.dmp

Filesize
104KB

Download
memory/1208-26-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/1208-27-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/1208-28-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/1208-29-0x0000000002470000-0x000000000248A000-memory.dmp

Filesize
104KB

Download
memory/1288-33-0x0000000001E40000-0x0000000001E5A000-memory.dmp

Filesize
104KB

Download
memory/1288-34-0x0000000001E40000-0x0000000001E5A000-memory.dmp

Filesize
104KB

Download
memory/1288-31-0x0000000001E40000-0x0000000001E5A000-memory.dmp

Filesize
104KB

Download
memory/1288-32-0x0000000001E40000-0x0000000001E5A000-memory.dmp

Filesize
104KB

Download
memory/2640-55-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-51-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-37-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-38-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-39-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-40-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-41-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-43-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-45-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-47-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-49-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-36-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-53-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-57-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-59-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-72-0x0000000077970000-0x0000000077971000-memory.dmp

Filesize
4KB

Download
memory/2640-69-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-75-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/2640-63-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-70-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2640-61-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download