05e7f1bab45acb9608e738ccf689c899a83a7e49d64ba3ae5365c9ada3aae3e2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
Size

189KB
MD5

36d4b7bf9bf5f5d262e14b22b029c357
SHA1

d07b79f2a6b41583b2b5733dc1006593709ad6de
SHA256

05e7f1bab45acb9608e738ccf689c899a83a7e49d64ba3ae5365c9ada3aae3e2
SHA512

375f9d4dcd98c945b734fb5ac7ae7bbee513d81fb89313ebd9bb672a25f8b1c4e95d303c4dbdedd1ba494fdbb2dc76a6dff91801c2d319394a7c8cabb51564ab
SSDEEP

3072:S1LEfgYVg+J2zQRIhDhxPVqPQkQxhd4pinflYQunlrGUcMpLlKiipKbasHd:yYIYVg+J8U+DhpVqPQkqlflYllrGCpBr

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3064	netsh.exe

Deletes itself 1 IoCs

pid	Process
2492	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	ebwowiy.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E9400DF3-2CF3-E207-4BE3-7F1CDA172E61} = "C:\\Users\\Admin\\AppData\\Roaming\\Say\\ebwowiy.exe"	ebwowiy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\397D1A34-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe
3032	ebwowiy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
Token: SeSecurityPrivilege	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
Token: SeSecurityPrivilege	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2832	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2832	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	WinMail.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2272	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2272	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2272	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2272	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	30
PID 2220 wrote to memory of 3032	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	32
PID 2220 wrote to memory of 3032	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	32
PID 2220 wrote to memory of 3032	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	32
PID 2220 wrote to memory of 3032	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	32
PID 2272 wrote to memory of 3064	2272	cmd.exe	33
PID 2272 wrote to memory of 3064	2272	cmd.exe	33
PID 2272 wrote to memory of 3064	2272	cmd.exe	33
PID 2272 wrote to memory of 3064	2272	cmd.exe	33
PID 3032 wrote to memory of 1096	3032	ebwowiy.exe	19
PID 3032 wrote to memory of 1096	3032	ebwowiy.exe	19
PID 3032 wrote to memory of 1096	3032	ebwowiy.exe	19
PID 3032 wrote to memory of 1096	3032	ebwowiy.exe	19
PID 3032 wrote to memory of 1096	3032	ebwowiy.exe	19
PID 3032 wrote to memory of 1160	3032	ebwowiy.exe	20
PID 3032 wrote to memory of 1160	3032	ebwowiy.exe	20
PID 3032 wrote to memory of 1160	3032	ebwowiy.exe	20
PID 3032 wrote to memory of 1160	3032	ebwowiy.exe	20
PID 3032 wrote to memory of 1160	3032	ebwowiy.exe	20
PID 3032 wrote to memory of 1196	3032	ebwowiy.exe	21
PID 3032 wrote to memory of 1196	3032	ebwowiy.exe	21
PID 3032 wrote to memory of 1196	3032	ebwowiy.exe	21
PID 3032 wrote to memory of 1196	3032	ebwowiy.exe	21
PID 3032 wrote to memory of 1196	3032	ebwowiy.exe	21
PID 3032 wrote to memory of 1268	3032	ebwowiy.exe	23
PID 3032 wrote to memory of 1268	3032	ebwowiy.exe	23
PID 3032 wrote to memory of 1268	3032	ebwowiy.exe	23
PID 3032 wrote to memory of 1268	3032	ebwowiy.exe	23
PID 3032 wrote to memory of 1268	3032	ebwowiy.exe	23
PID 3032 wrote to memory of 2220	3032	ebwowiy.exe	29
PID 3032 wrote to memory of 2220	3032	ebwowiy.exe	29
PID 3032 wrote to memory of 2220	3032	ebwowiy.exe	29
PID 3032 wrote to memory of 2220	3032	ebwowiy.exe	29
PID 3032 wrote to memory of 2220	3032	ebwowiy.exe	29
PID 3032 wrote to memory of 2832	3032	ebwowiy.exe	34
PID 3032 wrote to memory of 2832	3032	ebwowiy.exe	34
PID 3032 wrote to memory of 2832	3032	ebwowiy.exe	34
PID 3032 wrote to memory of 2832	3032	ebwowiy.exe	34
PID 3032 wrote to memory of 2832	3032	ebwowiy.exe	34
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 2220 wrote to memory of 2492	2220	36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe	35
PID 3032 wrote to memory of 2604	3032	ebwowiy.exe	37
PID 3032 wrote to memory of 2604	3032	ebwowiy.exe	37
PID 3032 wrote to memory of 2604	3032	ebwowiy.exe	37
PID 3032 wrote to memory of 2604	3032	ebwowiy.exe	37
PID 3032 wrote to memory of 2604	3032	ebwowiy.exe	37
PID 3032 wrote to memory of 1740	3032	ebwowiy.exe	38
PID 3032 wrote to memory of 1740	3032	ebwowiy.exe	38
PID 3032 wrote to memory of 1740	3032	ebwowiy.exe	38
PID 3032 wrote to memory of 1740	3032	ebwowiy.exe	38
PID 3032 wrote to memory of 1740	3032	ebwowiy.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\36d4b7bf9bf5f5d262e14b22b029c357_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc6623006.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Say\ebwowiy.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3064
- - C:\Users\Admin\AppData\Roaming\Say\ebwowiy.exe
    "C:\Users\Admin\AppData\Roaming\Say\ebwowiy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb2535055.bat"
    3⤵
    - Deletes itself
    PID:2492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1268

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
fd6d87f3c4c766d26c1efb8662812294

SHA1
bd4ab23fe16e2e97ba7fae90803f8b9c5fff501c

SHA256
1907751d8255d926c692224960bd46b3a48ebddcb8dba960d8f00caadb4fb2c9

SHA512
cb877f28435d5adab077fa3e2ca5d97b35b3393796402f479be53f4a060899164942b861c9734e962aac02812a57e9ef81a2cd5dc34ddaf0aea05e8caffb8a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpb2535055.bat

Filesize
271B

MD5
6f8c0857f1985f57df8a0561705638ce

SHA1
726a10aae37ff35f7447b63ff59b63839d63594a

SHA256
a983e255c5fadb773df6232c6226b271b1de76c0c66198686a4362ec086b858f

SHA512
ca6863b4cf84c118be1afb94f77d56297ec333c8ec78e9a383ef85598396095b53a49bf79b5fe4171a9c0bea23a18b6d747c0507186e68fc47bec434b7090d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpc6623006.bat

Filesize
200B

MD5
4deb746f4676abd743538b3f2fadfc4b

SHA1
414ac38104bf9fa2f520c604cfa2024721881578

SHA256
9f8a4a6fd0779ee2552ae51ef677b1f564baa40ebad7ca0e3f9cdc2226dede4f

SHA512
126c2950be9831014440fd6526a7843f169f1b760e6aad305ef8609af887981e5c1b9176d5cd91152fbda92ebb8ba3bfa3369cc698041c9aaaa8a54a6cf69e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Myi\zoifci.rea

Filesize
380B

MD5
13df8ddb53092181be1a326520e3e2c3

SHA1
4b481a424a141b6619b887102fd056ada925ab9b

SHA256
4c585ba48e89bd9510c582f87a405eeff166c8bbef51afe150cb2df77ef7bfd2

SHA512
8908b359b072406c2010aa7dd6990ad3dcc589f8e643cb344bbbfaa9f437586a3d301a9394b22a6c26a7e185d07ea035782cf414432493d8b11c381bb35df83c

Download Submit
\Users\Admin\AppData\Roaming\Say\ebwowiy.exe

Filesize
189KB

MD5
a881c642249e4af8796b6d904db64297

SHA1
88fa57d688bac00c2347e69aea8f32e45489eb76

SHA256
c350d7d54e26ecbdad11a5d7223ef18637ec0759983162f9cd5268bd022a0171

SHA512
81c1ee0cb7edc833c2eb754b916711f9e04c72fed00166920d4c3c5a7279d80c7b70539a93529b0a30d9a2432fc86b39f96ce12877d2f095f457563aa6df3742

Download Submit
memory/1096-20-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1096-21-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1096-17-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1096-18-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1096-19-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1160-24-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1160-26-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1160-28-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1160-30-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/1196-36-0x0000000002910000-0x0000000002937000-memory.dmp

Filesize
156KB

Download
memory/1196-33-0x0000000002910000-0x0000000002937000-memory.dmp

Filesize
156KB

Download
memory/1196-34-0x0000000002910000-0x0000000002937000-memory.dmp

Filesize
156KB

Download
memory/1196-35-0x0000000002910000-0x0000000002937000-memory.dmp

Filesize
156KB

Download
memory/1268-43-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1268-39-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1268-41-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/2220-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-51-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2220-49-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2220-48-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2220-55-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-57-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-63-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-65-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-75-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-53-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000406000-0x0000000000409000-memory.dmp

Filesize
12KB

Download
memory/2220-69-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-67-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-61-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2220-52-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2220-1-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-50-0x0000000000290000-0x00000000002B7000-memory.dmp

Filesize
156KB

Download
memory/2220-131-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-231-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-230-0x0000000000406000-0x0000000000409000-memory.dmp

Filesize
12KB

Download
memory/3032-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3032-350-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download