02d6f0eb267f667994da87098c1fb942d07a9487d72a150f2ea9b5e02d3b793a

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
Size

129KB
MD5

357f183ca1741b4c4eb096fc1581db19
SHA1

d27ea09a082a3bfca0b7e2182c17588f0a739d29
SHA256

02d6f0eb267f667994da87098c1fb942d07a9487d72a150f2ea9b5e02d3b793a
SHA512

7399fb82fd49f1f60267887ad4a0437e3aa06daa9d6b056f16bfd1d5d2014f6245375a46bc0041400b7e4f8c1560be37f069158d0b858d5264c2ba76f0df8fcc
SSDEEP

3072:ZKeYu+tguObk59eIX1AmUQLgF7A9vKBvc:ZfYHX9e41wQgF89X

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	myutu.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6D4A7724-61FD-61CA-F16D-244D6E75D46C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynzu\\myutu.exe"	myutu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe
2328	myutu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
Token: SeSecurityPrivilege	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
Token: SeSecurityPrivilege	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2328	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2328	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2328	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2328	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	30
PID 2328 wrote to memory of 1136	2328	myutu.exe	19
PID 2328 wrote to memory of 1136	2328	myutu.exe	19
PID 2328 wrote to memory of 1136	2328	myutu.exe	19
PID 2328 wrote to memory of 1136	2328	myutu.exe	19
PID 2328 wrote to memory of 1136	2328	myutu.exe	19
PID 2328 wrote to memory of 1248	2328	myutu.exe	20
PID 2328 wrote to memory of 1248	2328	myutu.exe	20
PID 2328 wrote to memory of 1248	2328	myutu.exe	20
PID 2328 wrote to memory of 1248	2328	myutu.exe	20
PID 2328 wrote to memory of 1248	2328	myutu.exe	20
PID 2328 wrote to memory of 1300	2328	myutu.exe	21
PID 2328 wrote to memory of 1300	2328	myutu.exe	21
PID 2328 wrote to memory of 1300	2328	myutu.exe	21
PID 2328 wrote to memory of 1300	2328	myutu.exe	21
PID 2328 wrote to memory of 1300	2328	myutu.exe	21
PID 2328 wrote to memory of 1776	2328	myutu.exe	23
PID 2328 wrote to memory of 1776	2328	myutu.exe	23
PID 2328 wrote to memory of 1776	2328	myutu.exe	23
PID 2328 wrote to memory of 1776	2328	myutu.exe	23
PID 2328 wrote to memory of 1776	2328	myutu.exe	23
PID 2328 wrote to memory of 2448	2328	myutu.exe	29
PID 2328 wrote to memory of 2448	2328	myutu.exe	29
PID 2328 wrote to memory of 2448	2328	myutu.exe	29
PID 2328 wrote to memory of 2448	2328	myutu.exe	29
PID 2328 wrote to memory of 2448	2328	myutu.exe	29
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2448 wrote to memory of 3052	2448	357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe	31
PID 2328 wrote to memory of 2020	2328	myutu.exe	33
PID 2328 wrote to memory of 2020	2328	myutu.exe	33
PID 2328 wrote to memory of 2020	2328	myutu.exe	33
PID 2328 wrote to memory of 2020	2328	myutu.exe	33
PID 2328 wrote to memory of 2020	2328	myutu.exe	33
PID 2328 wrote to memory of 2100	2328	myutu.exe	34
PID 2328 wrote to memory of 2100	2328	myutu.exe	34
PID 2328 wrote to memory of 2100	2328	myutu.exe	34
PID 2328 wrote to memory of 2100	2328	myutu.exe	34
PID 2328 wrote to memory of 2100	2328	myutu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\357f183ca1741b4c4eb096fc1581db19_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Roaming\Ynzu\myutu.exe
    "C:\Users\Admin\AppData\Roaming\Ynzu\myutu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5d24e9bc.bat"
    3⤵
    - Deletes itself
    PID:3052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5d24e9bc.bat

Filesize
271B

MD5
57a7e211f223ed77cc013b2f2ad2b001

SHA1
c0ebf1c2aaa6e8d5aeeafc0c90e4a9dbbbf98077

SHA256
6d72c376eacbd0a9d04aaf632d3efbf4d1c4c325b85e055b4d38fd01b71f7bad

SHA512
96c8b7822d3f6e14043698023044d95bc2b219b8be11a5aaefff85fe58d75d2347cf4d9b712b2edae1fb74bc920765157fe8e9054bba441e3c9069f632bcc275

Download Submit
C:\Users\Admin\AppData\Roaming\Gycyc\roet.exi

Filesize
380B

MD5
6c87d9c3c872017b56a1e5d71e8e8be1

SHA1
75d4ed8ffbcab6745383603193fe201321469655

SHA256
2c6dc8d1e77dd42b31acd345e63cfcba1befe7364dd0a758cb2fb473fc031b7a

SHA512
f81dbff7106bc6bf428e7abd575b622694da17f0edfb9f75fe08fafefc7f66cbbd91d1268b52b5357588ca9922ee7b69b0a4237d06225ae16606e161aa48cd7a

Download Submit
\Users\Admin\AppData\Roaming\Ynzu\myutu.exe

Filesize
129KB

MD5
cf08f12d69e1880ac2c17813e49f6e02

SHA1
e09480cd5e4663e410fe0efd034bda8bcc250b8f

SHA256
939a3ff7b24c585dba6821699ac29412d904c5948e726caa28d058bfe832b399

SHA512
caf6bfc6ba6db3b8dd692a2bf3816b9fdec2757a532f4c885e83a172317bbc97d71839bf9a6db2cbc0fbe27b29d2d31a35c318f341eda6065bbffe96d2e1d365

Download Submit
memory/1136-19-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1136-17-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1136-15-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1136-13-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1136-21-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1248-25-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1248-26-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1248-28-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1248-27-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/1300-33-0x0000000002660000-0x000000000267E000-memory.dmp

Filesize
120KB

Download
memory/1300-30-0x0000000002660000-0x000000000267E000-memory.dmp

Filesize
120KB

Download
memory/1300-32-0x0000000002660000-0x000000000267E000-memory.dmp

Filesize
120KB

Download
memory/1300-31-0x0000000002660000-0x000000000267E000-memory.dmp

Filesize
120KB

Download
memory/1776-42-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1776-38-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1776-36-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1776-40-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/2328-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2328-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-71-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-67-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-47-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/2448-46-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/2448-45-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/2448-50-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-52-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-54-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-56-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-58-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-60-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-62-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-64-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-48-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/2448-69-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-73-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-75-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-77-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2448-66-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-98-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-49-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/3052-128-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3052-126-0x00000000776F0000-0x00000000776F1000-memory.dmp

Filesize
4KB

Download
memory/3052-129-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download
memory/3052-99-0x0000000000050000-0x000000000006E000-memory.dmp

Filesize
120KB

Download