f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
Size

133KB
MD5

3f6700f557b1e20eb8f647f79dacfa38
SHA1

429e2d5eb15694f5a0ec4ea1b1397a6fc769255b
SHA256

f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368
SHA512

8839e8b95a6aae7d6056d3e16fcd0287eba1ab1c21774fdf0f31f9ac20c52cb2827df7201f1d5eddaa8e9ea4624d4342ff625c6bce43d41e4576c1abd08e48ca
SSDEEP

3072:+kwfBWX/oJGBhKcXsqog9SFXOgT2i20y5PuhHDS/Vg:s+IksqofhKlaHDS/V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1696	Cnunoa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cnunoa.exe	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Cnunoa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Cnunoa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
File created	C:\Windows\Cnunoa.exe	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	Cnunoa.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\International	Cnunoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe
1696	Cnunoa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2548	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
1696	Cnunoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1696	2548	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1696	2548	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1696	2548	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1696	2548	3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f6700f557b1e20eb8f647f79dacfa38_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\Cnunoa.exe
  C:\Windows\Cnunoa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cnunoa.exe

Filesize
133KB

MD5
3f6700f557b1e20eb8f647f79dacfa38

SHA1
429e2d5eb15694f5a0ec4ea1b1397a6fc769255b

SHA256
f47e4d46d4f3b2e197975cef55634dab7b8f13e8d0bdadab5f04f0ca5cbd0368

SHA512
8839e8b95a6aae7d6056d3e16fcd0287eba1ab1c21774fdf0f31f9ac20c52cb2827df7201f1d5eddaa8e9ea4624d4342ff625c6bce43d41e4576c1abd08e48ca

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
03c6697fb3f70270c3e6cc87bce5627e

SHA1
e3738730f73b2bcbe2a2f11d5efdc483b9cd2a21

SHA256
404f2eed447da918f5cb1b79968716dbf57371a5960f9b50ed08b60f4eec34e3

SHA512
b6be77a0bbce6458d05d1274b1fe8d2e582a5379b626f40c9dca9f6a74e28e62c6fad99a5ae9cb350f3de568200c0de857c878b797dcfddfa1c12b37939a643d

Download Submit
memory/1696-45490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-45488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-45491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-45492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-45494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-45498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-45487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-45489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-0-0x0000000000220000-0x000000000023D000-memory.dmp

Filesize
116KB

Download