b71c15f68ab96c3dfdeaead8322451c03f15b22fc4ea0155264bfaf1ed4ef6ac

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
Size

149KB
MD5

3e8ab3078e716eeef386f544222eb24c
SHA1

9cd5b4391330645bda9560eec4e4e737551a809b
SHA256

b71c15f68ab96c3dfdeaead8322451c03f15b22fc4ea0155264bfaf1ed4ef6ac
SHA512

9fa42521fb80529a841b11e319e1025cc3e6d0a073c6f45781f86702d41d63a8195b5add08ff1cb6c5d2d04b13d725acad271602d6ffbf065aa26c26fb107556
SSDEEP

3072:BbO0bvknDFy0zu6wr93Xp/M+gzoWe2n+be+txwc:o0SXz49HcoQn+b9tx

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1816	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	giob.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\{25CF234A-48F9-C008-5539-3ACF1E984038} = "C:\\Users\\Admin\\AppData\\Roaming\\Uguf\\giob.exe"	giob.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 1816	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	44

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\7F504BA7-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe
1680	giob.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	604	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
604	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
604	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
604	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2836	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2836	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2836	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2836	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	28
PID 2836 wrote to memory of 2432	2836	net.exe	30
PID 2836 wrote to memory of 2432	2836	net.exe	30
PID 2836 wrote to memory of 2432	2836	net.exe	30
PID 2836 wrote to memory of 2432	2836	net.exe	30
PID 2160 wrote to memory of 2952	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2952	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2952	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2952	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	31
PID 2952 wrote to memory of 296	2952	net.exe	33
PID 2952 wrote to memory of 296	2952	net.exe	33
PID 2952 wrote to memory of 296	2952	net.exe	33
PID 2952 wrote to memory of 296	2952	net.exe	33
PID 2160 wrote to memory of 1680	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	36
PID 2160 wrote to memory of 1680	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	36
PID 2160 wrote to memory of 1680	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	36
PID 2160 wrote to memory of 1680	2160	3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe	36
PID 1680 wrote to memory of 2664	1680	giob.exe	37
PID 1680 wrote to memory of 2664	1680	giob.exe	37
PID 1680 wrote to memory of 2664	1680	giob.exe	37
PID 1680 wrote to memory of 2664	1680	giob.exe	37
PID 2664 wrote to memory of 3056	2664	net.exe	39
PID 2664 wrote to memory of 3056	2664	net.exe	39
PID 2664 wrote to memory of 3056	2664	net.exe	39
PID 2664 wrote to memory of 3056	2664	net.exe	39
PID 1680 wrote to memory of 2592	1680	giob.exe	40
PID 1680 wrote to memory of 2592	1680	giob.exe	40
PID 1680 wrote to memory of 2592	1680	giob.exe	40
PID 1680 wrote to memory of 2592	1680	giob.exe	40
PID 1680 wrote to memory of 1116	1680	giob.exe	19
PID 1680 wrote to memory of 1116	1680	giob.exe	19
PID 1680 wrote to memory of 1116	1680	giob.exe	19
PID 1680 wrote to memory of 1116	1680	giob.exe	19
PID 1680 wrote to memory of 1116	1680	giob.exe	19
PID 1680 wrote to memory of 1188	1680	giob.exe	20
PID 1680 wrote to memory of 1188	1680	giob.exe	20
PID 1680 wrote to memory of 1188	1680	giob.exe	20
PID 1680 wrote to memory of 1188	1680	giob.exe	20
PID 1680 wrote to memory of 1188	1680	giob.exe	20
PID 1680 wrote to memory of 1248	1680	giob.exe	21
PID 1680 wrote to memory of 1248	1680	giob.exe	21
PID 1680 wrote to memory of 1248	1680	giob.exe	21
PID 1680 wrote to memory of 1248	1680	giob.exe	21
PID 1680 wrote to memory of 1248	1680	giob.exe	21
PID 1680 wrote to memory of 624	1680	giob.exe	23
PID 1680 wrote to memory of 624	1680	giob.exe	23
PID 1680 wrote to memory of 624	1680	giob.exe	23
PID 1680 wrote to memory of 624	1680	giob.exe	23
PID 1680 wrote to memory of 624	1680	giob.exe	23
PID 1680 wrote to memory of 2160	1680	giob.exe	27
PID 1680 wrote to memory of 2160	1680	giob.exe	27
PID 1680 wrote to memory of 2160	1680	giob.exe	27
PID 1680 wrote to memory of 2160	1680	giob.exe	27
PID 1680 wrote to memory of 2160	1680	giob.exe	27
PID 2592 wrote to memory of 980	2592	net.exe	42
PID 2592 wrote to memory of 980	2592	net.exe	42
PID 2592 wrote to memory of 980	2592	net.exe	42
PID 2592 wrote to memory of 980	2592	net.exe	42
PID 1680 wrote to memory of 604	1680	giob.exe	43
PID 1680 wrote to memory of 604	1680	giob.exe	43
PID 1680 wrote to memory of 604	1680	giob.exe	43

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e8ab3078e716eeef386f544222eb24c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:296
- - C:\Users\Admin\AppData\Roaming\Uguf\giob.exe
    "C:\Users\Admin\AppData\Roaming\Uguf\giob.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        
        PID:3056
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        
        PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc7a014e8.bat"
    3⤵
    - Deletes itself
    PID:1816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:624

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
3aee3dc873b5510e80e8bcf38cbbac04

SHA1
897b3fd02484a0e17d9278aa21cf751ca5cdba7c

SHA256
c497098ff184a56eb0b57f3fd89f506059561920cbe16c658150842d77f6cee3

SHA512
fb7de0e4d2bf046347d742b58a750ce7f32046034fd27c717ce77797c1ce785d4524a507410077cd887768c8dd709afe67d7eee7b21afefb9ed1033f8432c698

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpc7a014e8.bat

Filesize
271B

MD5
92aac0625a305a3426fb2822fde71699

SHA1
9abeddd166e750261ec435b8fb3222eabf7e75d7

SHA256
3530e8c1070f58f9cb5131fbbed69bacd309679e3b767e2ac1077bc2497d6d84

SHA512
979e1a1302b8d06910b9a3319d96f3afa9b4a038f756405e931eb131b4afedd9ef3e01b09ed8ffa7485ce61bf5dbc904fe0a9114c3235316ffa62a92d1d1320e

Download Submit
C:\Users\Admin\AppData\Roaming\Purayr\avqe.rul

Filesize
380B

MD5
a73d7f9874d64e6d7c479cc1cf39f4fc

SHA1
c2cc57564bfca6b1be775b4ca25e6fc189d5edcd

SHA256
07597cbe5409f9505dba45d3d39557d205593a0d151164c03fa167ce6df371c1

SHA512
baaf966a9a692db0011ed352f5f6026dcc8102523e5bfa23e8b4fbc128ad6e5a9ff44410ccbd4ade2b8eb90b5f10f1c86d56d356165748aa01d15be074e46447

Download Submit
\Users\Admin\AppData\Roaming\Uguf\giob.exe

Filesize
149KB

MD5
b2bd264aba0d680e449774ee178af1fc

SHA1
5abddba0bcfc7ae82b14bdc5457f3178e6f506a2

SHA256
99a24f8a49b94dd5f03d8efdf7f94f14117d8d55df9958ea647a32ea3e4b9a22

SHA512
f9ea12a4d3549932f685cf02182dd4e6af86784e8651b976e18e6637026dc55b1bf2fe2b12d3089ebee268d6b19a38188312ec5701d45de0b072470b1af48808

Download Submit
memory/624-58-0x0000000001CE0000-0x0000000001D08000-memory.dmp

Filesize
160KB

Download
memory/624-56-0x0000000001CE0000-0x0000000001D08000-memory.dmp

Filesize
160KB

Download
memory/624-60-0x0000000001CE0000-0x0000000001D08000-memory.dmp

Filesize
160KB

Download
memory/624-54-0x0000000001CE0000-0x0000000001D08000-memory.dmp

Filesize
160KB

Download
memory/1116-23-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1116-25-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1116-27-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1116-29-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1116-31-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1188-34-0x0000000002000000-0x0000000002028000-memory.dmp

Filesize
160KB

Download
memory/1188-40-0x0000000002000000-0x0000000002028000-memory.dmp

Filesize
160KB

Download
memory/1188-38-0x0000000002000000-0x0000000002028000-memory.dmp

Filesize
160KB

Download
memory/1188-36-0x0000000002000000-0x0000000002028000-memory.dmp

Filesize
160KB

Download
memory/1248-50-0x0000000002590000-0x00000000025B8000-memory.dmp

Filesize
160KB

Download
memory/1248-48-0x0000000002590000-0x00000000025B8000-memory.dmp

Filesize
160KB

Download
memory/1248-46-0x0000000002590000-0x00000000025B8000-memory.dmp

Filesize
160KB

Download
memory/1248-44-0x0000000002590000-0x00000000025B8000-memory.dmp

Filesize
160KB

Download
memory/1680-21-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-20-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-395-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-17-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1680-18-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-16-0x0000000002250000-0x00000000022A1000-memory.dmp

Filesize
324KB

Download
memory/2160-85-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-77-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-75-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-73-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-70-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/2160-72-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/2160-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-81-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-68-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/2160-83-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-79-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2160-64-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download
memory/2160-10-0x0000000002250000-0x00000000022A1000-memory.dmp

Filesize
324KB

Download
memory/2160-5-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-4-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-3-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-217-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/2160-218-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-277-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-2-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2160-1-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/2160-66-0x00000000005F0000-0x0000000000618000-memory.dmp

Filesize
160KB

Download