100c7b494c1aa4afd5261e148f7a4fa7580098e074bbd81b9718fa07e80a34ab

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 18:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe
Size

193KB
MD5

35cf92f81285945ec23c2a4ce9f398ed
SHA1

27a56f05f99c023bdd85aae7c5cb8f7c81562356
SHA256

100c7b494c1aa4afd5261e148f7a4fa7580098e074bbd81b9718fa07e80a34ab
SHA512

b85be69650a813b5510c68f9e3cf544463950c98423548f7ea2ece0353142a2f2cc0441913c6296c653a42de7142fc93fe362ddc318a67de757335d2a5caedf8
SSDEEP

3072:hUnLIj3Bo0UjQawEnDLMcpX8yRIt2XkiE98fQnGYaSq7mtkUJdMkPkgm7Wt:hOLIjRpUMOD4cBiQzEyfaBFVVD46

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	xoow.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe
2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{646C8E9F-4F10-F843-C9F9-80E36C099916} = "C:\\Users\\Admin\\AppData\\Roaming\\Ushue\\xoow.exe"	xoow.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe
2280	xoow.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2280	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2280	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2280	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2280	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	30
PID 2280 wrote to memory of 1100	2280	xoow.exe	19
PID 2280 wrote to memory of 1100	2280	xoow.exe	19
PID 2280 wrote to memory of 1100	2280	xoow.exe	19
PID 2280 wrote to memory of 1100	2280	xoow.exe	19
PID 2280 wrote to memory of 1100	2280	xoow.exe	19
PID 2280 wrote to memory of 1160	2280	xoow.exe	20
PID 2280 wrote to memory of 1160	2280	xoow.exe	20
PID 2280 wrote to memory of 1160	2280	xoow.exe	20
PID 2280 wrote to memory of 1160	2280	xoow.exe	20
PID 2280 wrote to memory of 1160	2280	xoow.exe	20
PID 2280 wrote to memory of 1200	2280	xoow.exe	21
PID 2280 wrote to memory of 1200	2280	xoow.exe	21
PID 2280 wrote to memory of 1200	2280	xoow.exe	21
PID 2280 wrote to memory of 1200	2280	xoow.exe	21
PID 2280 wrote to memory of 1200	2280	xoow.exe	21
PID 2280 wrote to memory of 2024	2280	xoow.exe	23
PID 2280 wrote to memory of 2024	2280	xoow.exe	23
PID 2280 wrote to memory of 2024	2280	xoow.exe	23
PID 2280 wrote to memory of 2024	2280	xoow.exe	23
PID 2280 wrote to memory of 2024	2280	xoow.exe	23
PID 2280 wrote to memory of 2624	2280	xoow.exe	29
PID 2280 wrote to memory of 2624	2280	xoow.exe	29
PID 2280 wrote to memory of 2624	2280	xoow.exe	29
PID 2280 wrote to memory of 2624	2280	xoow.exe	29
PID 2280 wrote to memory of 2624	2280	xoow.exe	29
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2928	2624	35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\35cf92f81285945ec23c2a4ce9f398ed_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\Ushue\xoow.exe
    "C:\Users\Admin\AppData\Roaming\Ushue\xoow.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1e5dbf13.bat"
    3⤵
    - Deletes itself
    PID:2928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1e5dbf13.bat

Filesize
271B

MD5
384ab150c6171cfaf8165361b6c0be69

SHA1
291d879c94e9a77b4bdbc8de76a8d9ac49781020

SHA256
5a106921bb23613b436efb4b8d9d4714a9d77ed2daa11e7c437ff1a47b608487

SHA512
10bf18f171522bc5f2fbcfc81bb548c29040be18f7b7e3bd4295f4b55490aab4df8eda32fd3cae7aa63c43a41b31ee36e41c3482b47a23c6bcc5ba3547c032e7

Download Submit
\Users\Admin\AppData\Roaming\Ushue\xoow.exe

Filesize
193KB

MD5
733606b3281a8185f107b1428db8f0f3

SHA1
7ec6d8ca96d54adc83c92bc5fa3f19b98ae94554

SHA256
55dec936b9f422b852160b158805fff575328dd589ca0eea05a2f66bb67ecc62

SHA512
739320e5d21f04bc3690cbd7725495bbc0817b6c05c1c6424effbb735022e9534a16d20aa5b7bc32935f4df17ba34ee7ba6bd838851147717849d2f0c4208dc9

Download Submit
memory/1100-16-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1100-20-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1100-19-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1100-17-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1100-18-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/1160-23-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/1160-22-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/1160-24-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/1160-25-0x0000000000340000-0x0000000000368000-memory.dmp

Filesize
160KB

Download
memory/1200-28-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/1200-32-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/1200-30-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/1200-34-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/2024-40-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/2024-39-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/2024-38-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/2024-37-0x0000000001F30000-0x0000000001F58000-memory.dmp

Filesize
160KB

Download
memory/2280-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-13-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-46-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-43-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-44-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-45-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-47-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-56-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-54-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-75-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-42-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2624-69-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-67-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-66-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-64-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-62-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-60-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-58-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-52-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-50-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-48-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2624-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2624-0-0x000000000042A000-0x000000000042D000-memory.dmp

Filesize
12KB

Download