d0034e007be4e84999566a52934d064fa9896650529e01c55e63080b64e30eb7

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe
Size

364KB
MD5

3896858b1863281410edb6c0f9a853a1
SHA1

cfa451bc441fd648da21d3c4483e05983013e24e
SHA256

d0034e007be4e84999566a52934d064fa9896650529e01c55e63080b64e30eb7
SHA512

6649e9e4468a08f4f8d73bc4caf6560622933ba1a8b560ca0bed78293bcf395919115038496cb7beb1639b87d4f679da7472c62940e4c351e73b2b5c065def4e
SSDEEP

6144:bbCdh2yzFFgIX0zE9NKFEWNFfK4CS0NwI32+fFBFFrkiHw:bmdAWgIXxcXNkjN3Zf1Frjw

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1092	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1216	goolje.exe

Loads dropped DLL 2 IoCs

pid	Process
1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe
1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Umix\\goolje.exe"	goolje.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe
1216	goolje.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe
1216	goolje.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1216	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	30
PID 1540 wrote to memory of 1216	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	30
PID 1540 wrote to memory of 1216	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	30
PID 1540 wrote to memory of 1216	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	30
PID 1216 wrote to memory of 1104	1216	goolje.exe	19
PID 1216 wrote to memory of 1104	1216	goolje.exe	19
PID 1216 wrote to memory of 1104	1216	goolje.exe	19
PID 1216 wrote to memory of 1104	1216	goolje.exe	19
PID 1216 wrote to memory of 1104	1216	goolje.exe	19
PID 1216 wrote to memory of 1168	1216	goolje.exe	20
PID 1216 wrote to memory of 1168	1216	goolje.exe	20
PID 1216 wrote to memory of 1168	1216	goolje.exe	20
PID 1216 wrote to memory of 1168	1216	goolje.exe	20
PID 1216 wrote to memory of 1168	1216	goolje.exe	20
PID 1216 wrote to memory of 1220	1216	goolje.exe	21
PID 1216 wrote to memory of 1220	1216	goolje.exe	21
PID 1216 wrote to memory of 1220	1216	goolje.exe	21
PID 1216 wrote to memory of 1220	1216	goolje.exe	21
PID 1216 wrote to memory of 1220	1216	goolje.exe	21
PID 1216 wrote to memory of 1656	1216	goolje.exe	25
PID 1216 wrote to memory of 1656	1216	goolje.exe	25
PID 1216 wrote to memory of 1656	1216	goolje.exe	25
PID 1216 wrote to memory of 1656	1216	goolje.exe	25
PID 1216 wrote to memory of 1656	1216	goolje.exe	25
PID 1216 wrote to memory of 1540	1216	goolje.exe	29
PID 1216 wrote to memory of 1540	1216	goolje.exe	29
PID 1216 wrote to memory of 1540	1216	goolje.exe	29
PID 1216 wrote to memory of 1540	1216	goolje.exe	29
PID 1216 wrote to memory of 1540	1216	goolje.exe	29
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1540 wrote to memory of 1092	1540	3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe	31
PID 1216 wrote to memory of 2792	1216	goolje.exe	34
PID 1216 wrote to memory of 2792	1216	goolje.exe	34
PID 1216 wrote to memory of 2792	1216	goolje.exe	34
PID 1216 wrote to memory of 2792	1216	goolje.exe	34
PID 1216 wrote to memory of 2792	1216	goolje.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3896858b1863281410edb6c0f9a853a1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Roaming\Umix\goolje.exe
    "C:\Users\Admin\AppData\Roaming\Umix\goolje.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp71c68b3d.bat"
    3⤵
    - Deletes itself
    PID:1092

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp71c68b3d.bat

Filesize
271B

MD5
efc1402bfca4a002f20104d25c5eca1c

SHA1
bc8e2d266689f602bc290a510999c398609e0086

SHA256
d12433c2e527ed31c5fca7be42117eabd8456b06d7056ce6cd1b912f73830f0c

SHA512
b0a731f205f26c0a830cf5a2c72162240540d866fafe293ae7d461158a44d6c93d7a02931ea88bc95c00417d2dedcc6a4e34065f1da63bdb5d834d7927ae7754

Download Submit
\Users\Admin\AppData\Roaming\Umix\goolje.exe

Filesize
364KB

MD5
ffc8a381291b5503a95a20bd9549e01b

SHA1
657c97ca6fe579c39c76af92076645130cfb32d0

SHA256
c2927ce98ab6836ba6aaabb3f17ff302f355a901d0a1e8b5150857cc6a328ad6

SHA512
c2091a03eae03481fd99aa465cacea061672d21561e7db3f33b04a2390a9d96a7bd4c21942bd8940a4a3ac66615df3e69da8d450a5eae7a2fc289b6aa0895141

Download Submit
memory/1104-20-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1104-24-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1104-16-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1104-18-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1104-22-0x0000000002230000-0x0000000002274000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1168-30-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1168-29-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1168-28-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1216-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1216-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1216-37-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1216-36-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1220-32-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1220-33-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1220-34-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1220-35-0x0000000002D90000-0x0000000002DD4000-memory.dmp

Filesize
272KB

Download
memory/1540-77-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-71-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-61-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-59-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-57-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-55-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-53-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-52-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-51-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-50-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-1-0x0000000000380000-0x00000000003DC000-memory.dmp

Filesize
368KB

Download
memory/1540-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-166-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-65-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-69-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-165-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-70-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/1540-63-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-73-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-75-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-0-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1540-79-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-81-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-67-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-54-0x0000000001D40000-0x0000000001D84000-memory.dmp

Filesize
272KB

Download
memory/1540-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-140-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1540-163-0x0000000000380000-0x00000000003DC000-memory.dmp

Filesize
368KB

Download
memory/1540-164-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1656-45-0x0000000002340000-0x0000000002384000-memory.dmp

Filesize
272KB

Download
memory/1656-41-0x0000000002340000-0x0000000002384000-memory.dmp

Filesize
272KB

Download
memory/1656-43-0x0000000002340000-0x0000000002384000-memory.dmp

Filesize
272KB

Download
memory/1656-47-0x0000000002340000-0x0000000002384000-memory.dmp

Filesize
272KB

Download