b35693cc33425fd215c0ccb37102525976cab2701a90dfd8b68a707aa220e1b8

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

342321b1065f87917827380efe8ad094_JaffaCakes118.exe
Size

303KB
MD5

342321b1065f87917827380efe8ad094
SHA1

43fc49d5741cad3c614babb0ef705906435dfdd9
SHA256

b35693cc33425fd215c0ccb37102525976cab2701a90dfd8b68a707aa220e1b8
SHA512

1d3fef881e215090de8f47c5a6acfee197ce832d9e3bf642f97157f39c98b2c2860fe92fe7f161bcdb5f9ecd6b563d0a5b6e2566ac34aea2258b3765a6d142b5
SSDEEP

6144:7aFbxM0wB442mNFzpKbkYAs/Cnem80uZd:7N/lpzssB8Rd

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2464	yrasys.exe

Loads dropped DLL 1 IoCs

pid	Process
2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ojkiv\\yrasys.exe"	yrasys.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	342321b1065f87917827380efe8ad094_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	342321b1065f87917827380efe8ad094_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe
2464	yrasys.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe
2464	yrasys.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2464	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2464	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2464	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2464	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	30
PID 2464 wrote to memory of 1096	2464	yrasys.exe	19
PID 2464 wrote to memory of 1096	2464	yrasys.exe	19
PID 2464 wrote to memory of 1096	2464	yrasys.exe	19
PID 2464 wrote to memory of 1096	2464	yrasys.exe	19
PID 2464 wrote to memory of 1096	2464	yrasys.exe	19
PID 2464 wrote to memory of 1168	2464	yrasys.exe	20
PID 2464 wrote to memory of 1168	2464	yrasys.exe	20
PID 2464 wrote to memory of 1168	2464	yrasys.exe	20
PID 2464 wrote to memory of 1168	2464	yrasys.exe	20
PID 2464 wrote to memory of 1168	2464	yrasys.exe	20
PID 2464 wrote to memory of 1204	2464	yrasys.exe	21
PID 2464 wrote to memory of 1204	2464	yrasys.exe	21
PID 2464 wrote to memory of 1204	2464	yrasys.exe	21
PID 2464 wrote to memory of 1204	2464	yrasys.exe	21
PID 2464 wrote to memory of 1204	2464	yrasys.exe	21
PID 2464 wrote to memory of 2044	2464	yrasys.exe	23
PID 2464 wrote to memory of 2044	2464	yrasys.exe	23
PID 2464 wrote to memory of 2044	2464	yrasys.exe	23
PID 2464 wrote to memory of 2044	2464	yrasys.exe	23
PID 2464 wrote to memory of 2044	2464	yrasys.exe	23
PID 2464 wrote to memory of 2336	2464	yrasys.exe	29
PID 2464 wrote to memory of 2336	2464	yrasys.exe	29
PID 2464 wrote to memory of 2336	2464	yrasys.exe	29
PID 2464 wrote to memory of 2336	2464	yrasys.exe	29
PID 2464 wrote to memory of 2336	2464	yrasys.exe	29
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2040	2336	342321b1065f87917827380efe8ad094_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\342321b1065f87917827380efe8ad094_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\342321b1065f87917827380efe8ad094_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Roaming\Ojkiv\yrasys.exe
    "C:\Users\Admin\AppData\Roaming\Ojkiv\yrasys.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc57f9031.bat"
    3⤵
    - Deletes itself
    PID:2040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc57f9031.bat

Filesize
271B

MD5
895580b42836c372044d0a16a8c04466

SHA1
1f9669ad3b8d89efe0efcd699db2b2f622df40af

SHA256
dd9d0804854df4539ad0415e82e5a8c54b7d5f4dbd37561c0dfc0df788eb3bb4

SHA512
01c0a435f8c2f17b2fa353284f96db242cac38c72cc639baf04b96e1389bb5727150697156502735977e426545da44035fa713a7ad36ecb7e84e7580836bf200

Download Submit
\Users\Admin\AppData\Roaming\Ojkiv\yrasys.exe

Filesize
303KB

MD5
95cb2406af03afe8aadf73e3520e9801

SHA1
c196640517523aeb2230975b9b66a95a47ce232a

SHA256
526a17459620e8214e73fab5fe09c8790b16887e8dfd0a9a883ae08f7cf1ade7

SHA512
f0254d29f4b8f94c456126407ad365d03970b57f166e1c388d851e7ecc0534376c66d91850bc884ac39c588f0fc09e278d677ab555bd25bfff0191456168ad20

Download Submit
memory/1096-15-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1096-17-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1096-19-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1096-18-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1096-16-0x0000000000180000-0x00000000001C3000-memory.dmp

Filesize
268KB

Download
memory/1168-28-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1168-24-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1168-26-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1168-22-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/1204-31-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/1204-32-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/1204-33-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/1204-34-0x0000000002E70000-0x0000000002EB3000-memory.dmp

Filesize
268KB

Download
memory/2044-39-0x0000000001DE0000-0x0000000001E23000-memory.dmp

Filesize
268KB

Download
memory/2044-36-0x0000000001DE0000-0x0000000001E23000-memory.dmp

Filesize
268KB

Download
memory/2044-37-0x0000000001DE0000-0x0000000001E23000-memory.dmp

Filesize
268KB

Download
memory/2044-38-0x0000000001DE0000-0x0000000001E23000-memory.dmp

Filesize
268KB

Download
memory/2336-50-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-72-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-43-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-46-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-48-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-58-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-60-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-62-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-56-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000570000-0x00000000005BE000-memory.dmp

Filesize
312KB

Download
memory/2336-51-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-53-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-55-0x0000000077320000-0x0000000077321000-memory.dmp

Filesize
4KB

Download
memory/2336-44-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-66-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-78-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-76-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-74-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-41-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-70-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-68-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-64-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-45-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-0-0x0000000000520000-0x0000000000563000-memory.dmp

Filesize
268KB

Download
memory/2336-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-155-0x0000000001E30000-0x0000000001E73000-memory.dmp

Filesize
268KB

Download
memory/2336-130-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2336-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-153-0x0000000000570000-0x00000000005BE000-memory.dmp

Filesize
312KB

Download
memory/2464-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2464-273-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2464-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download