9a0d20eb578497b7dba20db2900034a514e02aeaa7bef55a40a17508169ef9da

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
Size

124KB
MD5

3d005df0bfe8a5e337cb3ae7a77eb1a8
SHA1

5b4aadd8bd8b1e4d09dc06610d450c56cd4c98c7
SHA256

9a0d20eb578497b7dba20db2900034a514e02aeaa7bef55a40a17508169ef9da
SHA512

7d5e0d1b09bf238ebc0ef1b130eee76cfa51bb71f82c69ebdbdef26586ac8c7f66d2b7a209b6e5d30c15c0d490018790d2e45f73cef14afd8a51fbf516a43ad9
SSDEEP

3072:LeDdr8/jK4mbV9rugy4Vxcpp21FzpYx7G:LSr8/OB99yD2DM

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1248	trivax1.Bin.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-2-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/2252-8-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral1/memory/1248-32-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\trivax1.Bin.exe = "C:\\trivax1.Bin\\trivax1.Bin.exe"	trivax1.Bin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"	trivax1.Bin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery	trivax1.Bin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"	trivax1.Bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe
1248	trivax1.Bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe
Token: SeDebugPrivilege	1248	trivax1.Bin.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1256	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	21
PID 2252 wrote to memory of 368	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	3
PID 2252 wrote to memory of 416	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	5
PID 2252 wrote to memory of 476	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	7
PID 2252 wrote to memory of 484	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	8
PID 2252 wrote to memory of 596	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	9
PID 2252 wrote to memory of 672	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	10
PID 2252 wrote to memory of 760	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	11
PID 2252 wrote to memory of 808	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	12
PID 2252 wrote to memory of 844	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	13
PID 2252 wrote to memory of 988	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	15
PID 2252 wrote to memory of 284	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	16
PID 2252 wrote to memory of 380	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	17
PID 2252 wrote to memory of 1036	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	18
PID 2252 wrote to memory of 1124	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	19
PID 2252 wrote to memory of 1180	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	20
PID 2252 wrote to memory of 1256	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	21
PID 2252 wrote to memory of 1228	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	23
PID 2252 wrote to memory of 1664	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	24
PID 2252 wrote to memory of 1740	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	25
PID 2252 wrote to memory of 2344	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	26
PID 2252 wrote to memory of 2400	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	27
PID 2252 wrote to memory of 2956	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	28
PID 2252 wrote to memory of 1248	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	31
PID 2252 wrote to memory of 1248	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	31
PID 2252 wrote to memory of 1248	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	31
PID 2252 wrote to memory of 1248	2252	3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe	31
PID 1248 wrote to memory of 1256	1248	trivax1.Bin.exe	21
PID 1248 wrote to memory of 368	1248	trivax1.Bin.exe	3
PID 1248 wrote to memory of 416	1248	trivax1.Bin.exe	5
PID 1248 wrote to memory of 476	1248	trivax1.Bin.exe	7
PID 1248 wrote to memory of 484	1248	trivax1.Bin.exe	8
PID 1248 wrote to memory of 596	1248	trivax1.Bin.exe	9
PID 1248 wrote to memory of 672	1248	trivax1.Bin.exe	10
PID 1248 wrote to memory of 760	1248	trivax1.Bin.exe	11
PID 1248 wrote to memory of 808	1248	trivax1.Bin.exe	12
PID 1248 wrote to memory of 844	1248	trivax1.Bin.exe	13
PID 1248 wrote to memory of 988	1248	trivax1.Bin.exe	15
PID 1248 wrote to memory of 284	1248	trivax1.Bin.exe	16
PID 1248 wrote to memory of 380	1248	trivax1.Bin.exe	17
PID 1248 wrote to memory of 1036	1248	trivax1.Bin.exe	18
PID 1248 wrote to memory of 1124	1248	trivax1.Bin.exe	19
PID 1248 wrote to memory of 1180	1248	trivax1.Bin.exe	20
PID 1248 wrote to memory of 1256	1248	trivax1.Bin.exe	21
PID 1248 wrote to memory of 1228	1248	trivax1.Bin.exe	23
PID 1248 wrote to memory of 1664	1248	trivax1.Bin.exe	24
PID 1248 wrote to memory of 1740	1248	trivax1.Bin.exe	25
PID 1248 wrote to memory of 2344	1248	trivax1.Bin.exe	26
PID 1248 wrote to memory of 2400	1248	trivax1.Bin.exe	27
PID 1248 wrote to memory of 680	1248	trivax1.Bin.exe	32
PID 1248 wrote to memory of 2900	1248	trivax1.Bin.exe	33
PID 1248 wrote to memory of 2040	1248	trivax1.Bin.exe	34

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:476
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:484

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe
  2⤵
  PID:1664
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1740
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:680
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:2900
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
  2⤵
  PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:808
- C:\Windows\system32\Dwm.exe
  "C:\Windows\system32\Dwm.exe"
  2⤵
  PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:844
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T /R
  2⤵
  PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:284

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3d005df0bfe8a5e337cb3ae7a77eb1a8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\trivax1.Bin\trivax1.Bin.exe
    "C:\trivax1.Bin\trivax1.Bin.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:2344

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\trivax1.Bin\trivax1.Bin.exe

Filesize
124KB

MD5
3d005df0bfe8a5e337cb3ae7a77eb1a8

SHA1
5b4aadd8bd8b1e4d09dc06610d450c56cd4c98c7

SHA256
9a0d20eb578497b7dba20db2900034a514e02aeaa7bef55a40a17508169ef9da

SHA512
7d5e0d1b09bf238ebc0ef1b130eee76cfa51bb71f82c69ebdbdef26586ac8c7f66d2b7a209b6e5d30c15c0d490018790d2e45f73cef14afd8a51fbf516a43ad9

Download Submit
memory/1248-27-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/1248-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1248-21-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/1248-26-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/1248-32-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1248-14-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1256-78-0x000000000BB50000-0x000000000BB9F000-memory.dmp

Filesize
316KB

Download
memory/1256-18-0x000000000BAD0000-0x000000000BB15000-memory.dmp

Filesize
276KB

Download
memory/2252-0-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2252-8-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2252-3-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download
memory/2252-31-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2252-1-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2252-2-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download