0f06690f2a3c5c254608dae656094ff6ff9874b64951db331e6f32a7f88fd0cc

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe
Size

329KB
MD5

32ec9e3b0d8a1b8ebe90010b0198b9b4
SHA1

930370a0cbc7ffd83c20b72d707e223c6f9b8248
SHA256

0f06690f2a3c5c254608dae656094ff6ff9874b64951db331e6f32a7f88fd0cc
SHA512

f824f7e136b5217158cbdea5b176a4dcea9405c7d7501145a455e6320ba014997864aed52288b7f14c28ade7f39eb688734c9852661b37a38b0e603808f181db
SSDEEP

6144:rtEn7FUg1iyUXe2ZsD9eBVtQRlc12iVkIFza9TLSDoC3FHvKHMCnv:ra7Fziym920jcc1f929XS335vHk

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	siava.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe
2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C4A05C48-6809-AD4F-9B76-1BFCA18838E1} = "C:\\Users\\Admin\\AppData\\Roaming\\Gegu\\siava.exe"	siava.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe
2768	siava.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe
2768	siava.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2768	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2768	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2768	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	30
PID 2388 wrote to memory of 2768	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	30
PID 2768 wrote to memory of 1036	2768	siava.exe	17
PID 2768 wrote to memory of 1036	2768	siava.exe	17
PID 2768 wrote to memory of 1036	2768	siava.exe	17
PID 2768 wrote to memory of 1036	2768	siava.exe	17
PID 2768 wrote to memory of 1036	2768	siava.exe	17
PID 2768 wrote to memory of 1064	2768	siava.exe	18
PID 2768 wrote to memory of 1064	2768	siava.exe	18
PID 2768 wrote to memory of 1064	2768	siava.exe	18
PID 2768 wrote to memory of 1064	2768	siava.exe	18
PID 2768 wrote to memory of 1064	2768	siava.exe	18
PID 2768 wrote to memory of 1096	2768	siava.exe	20
PID 2768 wrote to memory of 1096	2768	siava.exe	20
PID 2768 wrote to memory of 1096	2768	siava.exe	20
PID 2768 wrote to memory of 1096	2768	siava.exe	20
PID 2768 wrote to memory of 1096	2768	siava.exe	20
PID 2768 wrote to memory of 888	2768	siava.exe	23
PID 2768 wrote to memory of 888	2768	siava.exe	23
PID 2768 wrote to memory of 888	2768	siava.exe	23
PID 2768 wrote to memory of 888	2768	siava.exe	23
PID 2768 wrote to memory of 888	2768	siava.exe	23
PID 2768 wrote to memory of 2388	2768	siava.exe	29
PID 2768 wrote to memory of 2388	2768	siava.exe	29
PID 2768 wrote to memory of 2388	2768	siava.exe	29
PID 2768 wrote to memory of 2388	2768	siava.exe	29
PID 2768 wrote to memory of 2388	2768	siava.exe	29
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2388 wrote to memory of 2936	2388	32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe	31
PID 2768 wrote to memory of 2072	2768	siava.exe	33
PID 2768 wrote to memory of 2072	2768	siava.exe	33
PID 2768 wrote to memory of 2072	2768	siava.exe	33
PID 2768 wrote to memory of 2072	2768	siava.exe	33
PID 2768 wrote to memory of 2072	2768	siava.exe	33

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\32ec9e3b0d8a1b8ebe90010b0198b9b4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Roaming\Gegu\siava.exe
    "C:\Users\Admin\AppData\Roaming\Gegu\siava.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp82f654f8.bat"
    3⤵
    - Deletes itself
    PID:2936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp82f654f8.bat

Filesize
271B

MD5
b09bd93154b301fd5b999de5da41b774

SHA1
5a7cd8c53f6bcbb53873c7960fc39aa9a32a9165

SHA256
270800e60cdb459cf6dd459373aeee06da545ec76049bc3e7bf50db27cd5823a

SHA512
6c55c23557d49f1dadaa771b3a464b723ab5dbc3f506383ab783fd326e3d9649bbdfce5dbeaa4186fabc3be86aa9a36b975219fb32fe0582914a1608ec876a90

Download Submit
C:\Users\Admin\AppData\Roaming\Gegu\siava.exe

Filesize
329KB

MD5
01f67b97029435f69342c0afd9d0109c

SHA1
940488db5b02e3f52ba9cc9d14fac39a8cc3f297

SHA256
6acf4f6701f2287c930e9c8aeebad5d748ea6694046b7639d9c17c34befff85c

SHA512
e815caa0f5ffaf8d7edb774818c18d5cff66e9226580aa9eca3927c8b42c89b6788c2c18efe0090cb362010d1a6101b11d422684ff04c91aa558eddf428050e0

Download Submit
memory/888-43-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/888-40-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/888-41-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/888-42-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1036-23-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1036-22-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1036-21-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1036-20-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1036-19-0x0000000001DD0000-0x0000000001E14000-memory.dmp

Filesize
272KB

Download
memory/1064-30-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1064-32-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1064-28-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1064-26-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1096-36-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1096-38-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1096-35-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1096-37-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/2388-51-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-75-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-61-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-47-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-48-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-63-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-49-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-1-0x0000000000380000-0x00000000003D5000-memory.dmp

Filesize
340KB

Download
memory/2388-50-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-57-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-55-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-53-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-46-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-0-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2388-160-0x0000000000380000-0x00000000003D5000-memory.dmp

Filesize
340KB

Download
memory/2388-81-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-65-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-69-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-67-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-135-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2388-59-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-79-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-77-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-45-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2388-73-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-71-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-136-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2388-161-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2768-283-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2768-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-16-0x0000000001CB0000-0x0000000001D05000-memory.dmp

Filesize
340KB

Download
memory/2768-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2768-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download