670abc5b0b47ad97abebce1060ad0b84fea93aeafaa8b04c318e0974581e4148

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe
Size

168KB
MD5

381db094d4c83b54941608e04406d8bc
SHA1

4308735383788089271be1d42373073b6fc46bd8
SHA256

670abc5b0b47ad97abebce1060ad0b84fea93aeafaa8b04c318e0974581e4148
SHA512

a5d575b568ad461e0590ba57e04d37a03993a2f99ca8aa7947665dde451679e1d3943f1a64d77417cc0ec12decc914775d2e77517e2130f80b3859dc98ed3cdc
SSDEEP

3072:/D/JFS3O0t1pFUox8Rziop5gzFBC8NBWB7F5/+9oQ741VMfV4:qOG1pFUox1RA4odm/7SX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	waix.exe
2768	waix.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe
2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AC597DF0-023F-977D-26B8-D2F8B16A2AD7} = "C:\\Users\\Admin\\AppData\\Roaming\\Taupp\\waix.exe"	waix.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2740 set thread context of 2768	2740	waix.exe	31

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe
2768	waix.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe
2740	waix.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2388 wrote to memory of 2820	2388	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	29
PID 2820 wrote to memory of 2740	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2740	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2740	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	30
PID 2820 wrote to memory of 2740	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	30
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2740 wrote to memory of 2768	2740	waix.exe	31
PID 2820 wrote to memory of 2752	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2752	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2752	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	32
PID 2820 wrote to memory of 2752	2820	381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe	32
PID 2768 wrote to memory of 1188	2768	waix.exe	18
PID 2768 wrote to memory of 1188	2768	waix.exe	18
PID 2768 wrote to memory of 1188	2768	waix.exe	18
PID 2768 wrote to memory of 1188	2768	waix.exe	18
PID 2768 wrote to memory of 1188	2768	waix.exe	18
PID 2768 wrote to memory of 1284	2768	waix.exe	19
PID 2768 wrote to memory of 1284	2768	waix.exe	19
PID 2768 wrote to memory of 1284	2768	waix.exe	19
PID 2768 wrote to memory of 1284	2768	waix.exe	19
PID 2768 wrote to memory of 1284	2768	waix.exe	19
PID 2768 wrote to memory of 1344	2768	waix.exe	20
PID 2768 wrote to memory of 1344	2768	waix.exe	20
PID 2768 wrote to memory of 1344	2768	waix.exe	20
PID 2768 wrote to memory of 1344	2768	waix.exe	20
PID 2768 wrote to memory of 1344	2768	waix.exe	20
PID 2768 wrote to memory of 1512	2768	waix.exe	22
PID 2768 wrote to memory of 1512	2768	waix.exe	22
PID 2768 wrote to memory of 1512	2768	waix.exe	22
PID 2768 wrote to memory of 1512	2768	waix.exe	22
PID 2768 wrote to memory of 1512	2768	waix.exe	22
PID 2768 wrote to memory of 2752	2768	waix.exe	32
PID 2768 wrote to memory of 2752	2768	waix.exe	32
PID 2768 wrote to memory of 2752	2768	waix.exe	32
PID 2768 wrote to memory of 2752	2768	waix.exe	32
PID 2768 wrote to memory of 2752	2768	waix.exe	32
PID 2768 wrote to memory of 2952	2768	waix.exe	33
PID 2768 wrote to memory of 2952	2768	waix.exe	33
PID 2768 wrote to memory of 2952	2768	waix.exe	33
PID 2768 wrote to memory of 2952	2768	waix.exe	33
PID 2768 wrote to memory of 2952	2768	waix.exe	33
PID 2768 wrote to memory of 2092	2768	waix.exe	34
PID 2768 wrote to memory of 2092	2768	waix.exe	34
PID 2768 wrote to memory of 2092	2768	waix.exe	34
PID 2768 wrote to memory of 2092	2768	waix.exe	34
PID 2768 wrote to memory of 2092	2768	waix.exe	34
PID 2768 wrote to memory of 784	2768	waix.exe	35
PID 2768 wrote to memory of 784	2768	waix.exe	35
PID 2768 wrote to memory of 784	2768	waix.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1188

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1284

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\381db094d4c83b54941608e04406d8bc_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Roaming\Taupp\waix.exe
      "C:\Users\Admin\AppData\Roaming\Taupp\waix.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Roaming\Taupp\waix.exe
        
        "C:\Users\Admin\AppData\Roaming\Taupp\waix.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2745d2f7.bat"
      4⤵
      Deletes itself
      PID:2752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9181252001856713969-1503124171148892210-1892589442113358123143015307-1186979835"
1⤵
PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2745d2f7.bat

Filesize
271B

MD5
9fdcfb4049674ba25898313ef6f3e44d

SHA1
8b1d3024fead796bc8e17db595f9a49efc7b7e83

SHA256
3e4e175425face54268c0f281f1e5764d24a51a6163c4596b7a99c62eb1b9f74

SHA512
92512d53a5a178f05a87a7364e9968b433fed8cbaa90b2d4aaff814a31f23769aa177e020945b77a9475250f599bdd175881563dd4032b3384c0c423c35097c9

Download Submit
\Users\Admin\AppData\Roaming\Taupp\waix.exe

Filesize
168KB

MD5
b857b9ea4604776b586ed105cd762eba

SHA1
4ce82730a7ca12cd45ab2e8e0810e916a8464409

SHA256
9bd7c7547c285f1b6e75065a4895c6b21de8408896171592b4cbef8a9e7bd905

SHA512
8e3a6f2389ad14fc8e626075e2016b729dca7f78a862ecd09b31d96000c4abaa6bad17a69c21eab1771ad54679bd805ff2db6c33f2fb7fe2fd4f2efb6dd7e408

Download Submit
memory/1188-31-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1188-34-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1188-32-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1188-33-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1188-30-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download
memory/1284-36-0x0000000001AC0000-0x0000000001ADA000-memory.dmp

Filesize
104KB

Download
memory/1284-37-0x0000000001AC0000-0x0000000001ADA000-memory.dmp

Filesize
104KB

Download
memory/1284-38-0x0000000001AC0000-0x0000000001ADA000-memory.dmp

Filesize
104KB

Download
memory/1284-39-0x0000000001AC0000-0x0000000001ADA000-memory.dmp

Filesize
104KB

Download
memory/1344-42-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/1344-44-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/1344-47-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/1344-48-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/1512-55-0x00000000022C0000-0x00000000022DA000-memory.dmp

Filesize
104KB

Download
memory/1512-59-0x00000000022C0000-0x00000000022DA000-memory.dmp

Filesize
104KB

Download
memory/1512-56-0x00000000022C0000-0x00000000022DA000-memory.dmp

Filesize
104KB

Download
memory/1512-52-0x00000000022C0000-0x00000000022DA000-memory.dmp

Filesize
104KB

Download
memory/2092-82-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2092-84-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2092-83-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2752-65-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2752-64-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2752-63-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2752-62-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2752-61-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download
memory/2768-29-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-79-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-78-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2820-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2952-72-0x0000000001A50000-0x0000000001A6A000-memory.dmp

Filesize
104KB

Download
memory/2952-71-0x0000000001A50000-0x0000000001A6A000-memory.dmp

Filesize
104KB

Download
memory/2952-70-0x0000000001A50000-0x0000000001A6A000-memory.dmp

Filesize
104KB

Download
memory/2952-69-0x0000000001A50000-0x0000000001A6A000-memory.dmp

Filesize
104KB

Download