67ccfb0369e7d8bb85a4bdeb1d89a1ef45061312ccc57edc81739edfe8a296c7

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Size

296KB
MD5

474d4d3b2ec4cb908c44ad17aff85805
SHA1

c036059376f20d5c243d9ca5fac5b99169eff001
SHA256

67ccfb0369e7d8bb85a4bdeb1d89a1ef45061312ccc57edc81739edfe8a296c7
SHA512

5be257d14608edb6540c931a175c0fff0aa2bca6c94a726914f585206912e5e2da406fb273b6065742edefc9b17467de2b0807913f3746fac3d6aef04b5d7bf1
SSDEEP

6144:A5GL86QqsaUFRzfeFJROZPUODVGvV8s76RYwRfPgFAtdDAf+O2:nLkqsaUFxfe63UN0RfUudsfy

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1936	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1284	vaquz.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2476-0-0x0000000000400000-0x0000000000813000-memory.dmp	upx
behavioral1/files/0x000a000000016d90-8.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Emweus\\vaquz.exe"	vaquz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe
1284	vaquz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Token: SeSecurityPrivilege	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
Token: SeSecurityPrivilege	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1284	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	31
PID 2476 wrote to memory of 1284	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	31
PID 1284 wrote to memory of 1188	1284	vaquz.exe	19
PID 1284 wrote to memory of 1188	1284	vaquz.exe	19
PID 1284 wrote to memory of 1188	1284	vaquz.exe	19
PID 1284 wrote to memory of 1188	1284	vaquz.exe	19
PID 1284 wrote to memory of 1188	1284	vaquz.exe	19
PID 1284 wrote to memory of 1300	1284	vaquz.exe	20
PID 1284 wrote to memory of 1300	1284	vaquz.exe	20
PID 1284 wrote to memory of 1300	1284	vaquz.exe	20
PID 1284 wrote to memory of 1300	1284	vaquz.exe	20
PID 1284 wrote to memory of 1300	1284	vaquz.exe	20
PID 1284 wrote to memory of 1360	1284	vaquz.exe	21
PID 1284 wrote to memory of 1360	1284	vaquz.exe	21
PID 1284 wrote to memory of 1360	1284	vaquz.exe	21
PID 1284 wrote to memory of 1360	1284	vaquz.exe	21
PID 1284 wrote to memory of 1360	1284	vaquz.exe	21
PID 1284 wrote to memory of 1160	1284	vaquz.exe	25
PID 1284 wrote to memory of 1160	1284	vaquz.exe	25
PID 1284 wrote to memory of 1160	1284	vaquz.exe	25
PID 1284 wrote to memory of 1160	1284	vaquz.exe	25
PID 1284 wrote to memory of 1160	1284	vaquz.exe	25
PID 1284 wrote to memory of 2476	1284	vaquz.exe	30
PID 1284 wrote to memory of 2476	1284	vaquz.exe	30
PID 1284 wrote to memory of 2476	1284	vaquz.exe	30
PID 1284 wrote to memory of 2476	1284	vaquz.exe	30
PID 1284 wrote to memory of 2476	1284	vaquz.exe	30
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32
PID 2476 wrote to memory of 1936	2476	474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1188

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\474d4d3b2ec4cb908c44ad17aff85805_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\Emweus\vaquz.exe
    "C:\Users\Admin\AppData\Roaming\Emweus\vaquz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb0d87fde.bat"
    3⤵
    - Deletes itself
    PID:1936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb0d87fde.bat

Filesize
271B

MD5
717cf601886345d962698de9e2c65a49

SHA1
af3853614d12b9c273f0ea7bc3d1a7e00ded493d

SHA256
0c2862b67d8ce5672d0190980c29197575d389d0a04bb96b0b980c5988130e7d

SHA512
f42fe370b1a1549746854768b661e0fd726e5746754bdc7e7a1c71b98e59ea49c3297b40ff775b4d916b4129bf24b07923f0dbdcd9c8b72856bb080fa308cb23

Download Submit
C:\Users\Admin\AppData\Roaming\Ejkiwa\baozm.rye

Filesize
380B

MD5
14126ed67657b4ab292c084d755c2d22

SHA1
60cabfe9d948b1fd1d27ebc2cd4524bcb897314d

SHA256
c33060bcba2a000c51f9be22966e956c5fa69432c80a3fc7437e3fdea9a3f02c

SHA512
e2042dfd3d6e5da5e75d84b889009fb3baa0f353b45a28f3fba748255f7f9fdc158b3692c63b0b1f580f13a53b2acdd78b21528cb73c6ddf6d69634f5018884d

Download Submit
\Users\Admin\AppData\Roaming\Emweus\vaquz.exe

Filesize
296KB

MD5
b356d55e61702bcd872e0806377ea396

SHA1
3397b81e1a94a204c13e96d95c5ebafe769a97b5

SHA256
302f51407f4198bc89917f98f5b1bba3f055b950f839043d6b19de4b88922234

SHA512
9e4adcc71a1c2aab37700dbef7310763f4286753ffb8ff60bbb044dbeee5e5828b53679a87112de9116a431413e8e1480d29c71d3b4454577d95c781dc70e916

Download Submit
memory/1160-39-0x0000000002540000-0x000000000257D000-memory.dmp

Filesize
244KB

Download
memory/1160-38-0x0000000002540000-0x000000000257D000-memory.dmp

Filesize
244KB

Download
memory/1160-37-0x0000000002540000-0x000000000257D000-memory.dmp

Filesize
244KB

Download
memory/1160-36-0x0000000002540000-0x000000000257D000-memory.dmp

Filesize
244KB

Download
memory/1188-15-0x0000000001C40000-0x0000000001C7D000-memory.dmp

Filesize
244KB

Download
memory/1188-17-0x0000000001C40000-0x0000000001C7D000-memory.dmp

Filesize
244KB

Download
memory/1188-18-0x0000000001C40000-0x0000000001C7D000-memory.dmp

Filesize
244KB

Download
memory/1188-16-0x0000000001C40000-0x0000000001C7D000-memory.dmp

Filesize
244KB

Download
memory/1188-19-0x0000000001C40000-0x0000000001C7D000-memory.dmp

Filesize
244KB

Download
memory/1284-272-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1284-132-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/1300-24-0x00000000001A0000-0x00000000001DD000-memory.dmp

Filesize
244KB

Download
memory/1300-28-0x00000000001A0000-0x00000000001DD000-memory.dmp

Filesize
244KB

Download
memory/1300-26-0x00000000001A0000-0x00000000001DD000-memory.dmp

Filesize
244KB

Download
memory/1300-22-0x00000000001A0000-0x00000000001DD000-memory.dmp

Filesize
244KB

Download
memory/1360-33-0x0000000002730000-0x000000000276D000-memory.dmp

Filesize
244KB

Download
memory/1360-32-0x0000000002730000-0x000000000276D000-memory.dmp

Filesize
244KB

Download
memory/1360-34-0x0000000002730000-0x000000000276D000-memory.dmp

Filesize
244KB

Download
memory/1360-31-0x0000000002730000-0x000000000276D000-memory.dmp

Filesize
244KB

Download
memory/2476-69-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-63-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-133-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/2476-44-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2476-43-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2476-42-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2476-41-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2476-51-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-53-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-150-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/2476-55-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-57-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-151-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2476-59-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-49-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-65-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-67-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-0-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/2476-71-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-73-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-75-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-77-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-79-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-61-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2476-46-0x0000000002770000-0x0000000002B83000-memory.dmp

Filesize
4.1MB

Download
memory/2476-45-0x0000000000300000-0x000000000033D000-memory.dmp

Filesize
244KB

Download
memory/2476-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2476-12-0x0000000002770000-0x0000000002B83000-memory.dmp

Filesize
4.1MB

Download
memory/2476-5-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/2476-2-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download