dc903ba1771754ff3e1f767ebcbc20734e8955924a10c1a5913925e5d4bf5ba7

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 14:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe
Size

307KB
MD5

3979e5c30375da83f0e15f15a00a655a
SHA1

3856e5117bb7cbf02e25830ef0c76857b3fff35e
SHA256

dc903ba1771754ff3e1f767ebcbc20734e8955924a10c1a5913925e5d4bf5ba7
SHA512

d47081c2e8a728622bff13ef04606adcb07c54ad364feafcf1c9e615d184188d1efd5d139fbb790d4211ec09ce4475791443edf96902311e9e72ca0202b8e72e
SSDEEP

6144:2qzvT72Y0SrzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOvPECYeixlYGicJBo:2Cr7SSCYsY1UMqMZJYSN7wbstOv8fveX

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1320	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	odygk.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Iqpuj\\odygk.exe"	odygk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe
2424	odygk.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2424	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2424	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2424	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	30
PID 1976 wrote to memory of 2424	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	30
PID 2424 wrote to memory of 1096	2424	odygk.exe	19
PID 2424 wrote to memory of 1096	2424	odygk.exe	19
PID 2424 wrote to memory of 1096	2424	odygk.exe	19
PID 2424 wrote to memory of 1096	2424	odygk.exe	19
PID 2424 wrote to memory of 1096	2424	odygk.exe	19
PID 2424 wrote to memory of 1160	2424	odygk.exe	20
PID 2424 wrote to memory of 1160	2424	odygk.exe	20
PID 2424 wrote to memory of 1160	2424	odygk.exe	20
PID 2424 wrote to memory of 1160	2424	odygk.exe	20
PID 2424 wrote to memory of 1160	2424	odygk.exe	20
PID 2424 wrote to memory of 1196	2424	odygk.exe	21
PID 2424 wrote to memory of 1196	2424	odygk.exe	21
PID 2424 wrote to memory of 1196	2424	odygk.exe	21
PID 2424 wrote to memory of 1196	2424	odygk.exe	21
PID 2424 wrote to memory of 1196	2424	odygk.exe	21
PID 2424 wrote to memory of 1712	2424	odygk.exe	25
PID 2424 wrote to memory of 1712	2424	odygk.exe	25
PID 2424 wrote to memory of 1712	2424	odygk.exe	25
PID 2424 wrote to memory of 1712	2424	odygk.exe	25
PID 2424 wrote to memory of 1712	2424	odygk.exe	25
PID 2424 wrote to memory of 1976	2424	odygk.exe	29
PID 2424 wrote to memory of 1976	2424	odygk.exe	29
PID 2424 wrote to memory of 1976	2424	odygk.exe	29
PID 2424 wrote to memory of 1976	2424	odygk.exe	29
PID 2424 wrote to memory of 1976	2424	odygk.exe	29
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 1976 wrote to memory of 1320	1976	3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe	32
PID 2424 wrote to memory of 1972	2424	odygk.exe	34
PID 2424 wrote to memory of 1972	2424	odygk.exe	34
PID 2424 wrote to memory of 1972	2424	odygk.exe	34
PID 2424 wrote to memory of 1972	2424	odygk.exe	34
PID 2424 wrote to memory of 1972	2424	odygk.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3979e5c30375da83f0e15f15a00a655a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Iqpuj\odygk.exe
    "C:\Users\Admin\AppData\Roaming\Iqpuj\odygk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1fab82b7.bat"
    3⤵
    - Deletes itself
    PID:1320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1fab82b7.bat

Filesize
271B

MD5
45fe057e11cb50a93a30fc85fd8cb2d1

SHA1
3e32c3fb54624f2f76a395122636ee41218693b8

SHA256
36e14d03a9928344b4dd4fd9015716363f8b9e84d86e0dd8e8acc17bf672aadb

SHA512
a5b9a266187b4fd724498d10d5f4740c2231f19588347bb7a83efce942786b25ac2f2dbc9f1ade1543e1514cf0a96546b1ddbd53dc62f29e89b7c7ae9c295b6c

Download Submit
\Users\Admin\AppData\Roaming\Iqpuj\odygk.exe

Filesize
307KB

MD5
3057e810d70d8f990dd206e26f0f7f6d

SHA1
2cd02e2a4f0ddc9b15ae0006f642175e4a3b3550

SHA256
be01844926a245280092f88ab41925c5545246b4cb7ea2b17b232239612d21be

SHA512
55416b4297adae21a8fda530e4b92fc2b805111d43b193ba68b84b28b0ea6b83215ccd0abb389f7b02b492dbc47c9a5f3408f174f8272b600fea2a66378830da

Download Submit
memory/1096-19-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1096-20-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1096-15-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1096-17-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1096-18-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1160-22-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1160-24-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1160-26-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1160-28-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1196-31-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-32-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-33-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-34-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1712-40-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1712-39-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1712-37-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1712-38-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1976-65-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-0-0x0000000000060000-0x00000000000B0000-memory.dmp

Filesize
320KB

Download
memory/1976-57-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-55-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-51-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-49-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-47-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-45-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-44-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-43-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-42-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-63-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-67-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-69-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-71-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-73-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-75-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-59-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-53-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-46-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-160-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-9-0x0000000000190000-0x00000000001E0000-memory.dmp

Filesize
320KB

Download
memory/1976-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-136-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1976-135-0x0000000077CA0000-0x0000000077CA1000-memory.dmp

Filesize
4KB

Download
memory/1976-134-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1976-159-0x0000000000060000-0x00000000000B0000-memory.dmp

Filesize
320KB

Download
memory/1976-161-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/2424-12-0x0000000000810000-0x0000000000860000-memory.dmp

Filesize
320KB

Download
memory/2424-14-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2424-286-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download