89d6efff9cfba9ec7efc6d6f3a8e85be954ddb5fc7f92db8235c97dee49ec026

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe
Size

329KB
MD5

3bf3fad742423726828147bd9dd5b5f8
SHA1

ee1dd0c3b9bc6a695a562dc1471ead145e32c3fb
SHA256

89d6efff9cfba9ec7efc6d6f3a8e85be954ddb5fc7f92db8235c97dee49ec026
SHA512

d28841a85980b1de5ec12024bf31783bef52d8ea5ec2f767df8da75043c1d4d61e07d8e00105337b30605ae56cb1615a3f030779d6d0c6e65a0f83bf560077ae
SSDEEP

6144:3tEK7FUgViyUXe2ZsD9eBVtQRlc12iVkIFzy9TLSDoC3FHvKHManP:3awFDiym920jcc1f9e9XS335vHs

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	atamu.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe
2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Vajom\\atamu.exe"	atamu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe
3036	atamu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe
3036	atamu.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3036	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3036	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3036	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3036	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	31
PID 3036 wrote to memory of 1108	3036	atamu.exe	19
PID 3036 wrote to memory of 1108	3036	atamu.exe	19
PID 3036 wrote to memory of 1108	3036	atamu.exe	19
PID 3036 wrote to memory of 1108	3036	atamu.exe	19
PID 3036 wrote to memory of 1108	3036	atamu.exe	19
PID 3036 wrote to memory of 1172	3036	atamu.exe	20
PID 3036 wrote to memory of 1172	3036	atamu.exe	20
PID 3036 wrote to memory of 1172	3036	atamu.exe	20
PID 3036 wrote to memory of 1172	3036	atamu.exe	20
PID 3036 wrote to memory of 1172	3036	atamu.exe	20
PID 3036 wrote to memory of 1228	3036	atamu.exe	21
PID 3036 wrote to memory of 1228	3036	atamu.exe	21
PID 3036 wrote to memory of 1228	3036	atamu.exe	21
PID 3036 wrote to memory of 1228	3036	atamu.exe	21
PID 3036 wrote to memory of 1228	3036	atamu.exe	21
PID 3036 wrote to memory of 1080	3036	atamu.exe	23
PID 3036 wrote to memory of 1080	3036	atamu.exe	23
PID 3036 wrote to memory of 1080	3036	atamu.exe	23
PID 3036 wrote to memory of 1080	3036	atamu.exe	23
PID 3036 wrote to memory of 1080	3036	atamu.exe	23
PID 3036 wrote to memory of 2324	3036	atamu.exe	30
PID 3036 wrote to memory of 2324	3036	atamu.exe	30
PID 3036 wrote to memory of 2324	3036	atamu.exe	30
PID 3036 wrote to memory of 2324	3036	atamu.exe	30
PID 3036 wrote to memory of 2324	3036	atamu.exe	30
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 2324 wrote to memory of 2456	2324	3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2004	3036	atamu.exe	34
PID 3036 wrote to memory of 2004	3036	atamu.exe	34
PID 3036 wrote to memory of 2004	3036	atamu.exe	34
PID 3036 wrote to memory of 2004	3036	atamu.exe	34
PID 3036 wrote to memory of 2004	3036	atamu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3bf3fad742423726828147bd9dd5b5f8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Vajom\atamu.exe
    "C:\Users\Admin\AppData\Roaming\Vajom\atamu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp86f173a1.bat"
    3⤵
    - Deletes itself
    PID:2456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1080

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp86f173a1.bat

Filesize
271B

MD5
d8a0f13721b9e05d3fb6a067465cf526

SHA1
d5487ce32f825ce7044c9132a2e242ae77fd09c0

SHA256
ac4c823f6b3a3ae1b0156a289a2f2ba22e2a39bf6a7a8c7e77b0f87bfe0f56dc

SHA512
380d889cb3bd65d5308bee700c3606cd0d5e04aa2a47578189710072e1beee274e59a6ad635dd535925dec532e4c99f991113af9133bbf788d455f8ab88b7304

Download Submit
C:\Users\Admin\AppData\Roaming\Vajom\atamu.exe

Filesize
329KB

MD5
e72ff671685851927f37ffd642c5f0d3

SHA1
f1275bd14bdd7809271b5b90697e47198121913e

SHA256
680e8d79d5b78041c1ec4e51431357bfae713f243f2d850bb75f3c81cae669fc

SHA512
97252a15952ab207c25fab7bf5748e37e36bd86ea45d701ac940f879b08e593624371b3527e79dade176ca7207f4da8d4f97e3d34802bbfcf1a67bfe6e6002ae

Download Submit
memory/1080-38-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1080-36-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1080-35-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1080-37-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1108-23-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1108-22-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1108-21-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1108-20-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1108-19-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1172-25-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1172-26-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1172-28-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1172-27-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1228-30-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1228-31-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1228-32-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1228-33-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/2324-77-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-63-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-61-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-59-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-57-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-53-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-51-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-49-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-47-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-45-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-43-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-42-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-41-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-40-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-67-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-69-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-65-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-75-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-0-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/2324-79-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-131-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-132-0x0000000077E00000-0x0000000077E01000-memory.dmp

Filesize
4KB

Download
memory/2324-44-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2324-1-0x0000000001C20000-0x0000000001C75000-memory.dmp

Filesize
340KB

Download
memory/2324-156-0x0000000001C20000-0x0000000001C75000-memory.dmp

Filesize
340KB

Download
memory/2324-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-133-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2324-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2324-158-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/3036-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-17-0x0000000000350000-0x00000000003A5000-memory.dmp

Filesize
340KB

Download
memory/3036-16-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/3036-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download