f06590549e4d091634f1810d3b05f8d1c35b9f98849e14afb2e171813f4329f1

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
Size

284KB
MD5

449b817baf76d633d23fab6f4f2a730e
SHA1

c9b7906a49456f4cb40ac930388d4a458aad381b
SHA256

f06590549e4d091634f1810d3b05f8d1c35b9f98849e14afb2e171813f4329f1
SHA512

73057200f1df141dc0c1b156eb8833cc6518b6b8b65b0db69dab8fc4ec1d6debf104f61a9b6f77a2decb9f93a5be014a772949d9f5006d5d3cd5e7d58fb5a615
SSDEEP

6144:qNq6AL17HPwmDDANk9eAMez58Tu4+4lAGBI9gGSwDpc6j:qM6AL17HB19xHLBj

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	ypak.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Ebelmi\\ypak.exe"	ypak.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe
2520	ypak.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
Token: SeSecurityPrivilege	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
Token: SeSecurityPrivilege	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
2520	ypak.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2520	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2520	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2520	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2520	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1116	2520	ypak.exe	19
PID 2520 wrote to memory of 1116	2520	ypak.exe	19
PID 2520 wrote to memory of 1116	2520	ypak.exe	19
PID 2520 wrote to memory of 1116	2520	ypak.exe	19
PID 2520 wrote to memory of 1116	2520	ypak.exe	19
PID 2520 wrote to memory of 1172	2520	ypak.exe	20
PID 2520 wrote to memory of 1172	2520	ypak.exe	20
PID 2520 wrote to memory of 1172	2520	ypak.exe	20
PID 2520 wrote to memory of 1172	2520	ypak.exe	20
PID 2520 wrote to memory of 1172	2520	ypak.exe	20
PID 2520 wrote to memory of 1200	2520	ypak.exe	21
PID 2520 wrote to memory of 1200	2520	ypak.exe	21
PID 2520 wrote to memory of 1200	2520	ypak.exe	21
PID 2520 wrote to memory of 1200	2520	ypak.exe	21
PID 2520 wrote to memory of 1200	2520	ypak.exe	21
PID 2520 wrote to memory of 288	2520	ypak.exe	25
PID 2520 wrote to memory of 288	2520	ypak.exe	25
PID 2520 wrote to memory of 288	2520	ypak.exe	25
PID 2520 wrote to memory of 288	2520	ypak.exe	25
PID 2520 wrote to memory of 288	2520	ypak.exe	25
PID 2520 wrote to memory of 1028	2520	ypak.exe	29
PID 2520 wrote to memory of 1028	2520	ypak.exe	29
PID 2520 wrote to memory of 1028	2520	ypak.exe	29
PID 2520 wrote to memory of 1028	2520	ypak.exe	29
PID 2520 wrote to memory of 1028	2520	ypak.exe	29
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31
PID 1028 wrote to memory of 2984	1028	449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\449b817baf76d633d23fab6f4f2a730e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Roaming\Ebelmi\ypak.exe
    "C:\Users\Admin\AppData\Roaming\Ebelmi\ypak.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb35d4245.bat"
    3⤵
    - Deletes itself
    PID:2984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb35d4245.bat

Filesize
271B

MD5
a9353ca70880f6bdbeb374f1510a09b5

SHA1
b208827827c56b4dc27fe41136b38c3ab1ffe333

SHA256
2f751f750ed88552d099ebe2f4145dcf43e9060bcefc6c07392e96b656261f74

SHA512
fcbd37f3130d244c6475fc52c61c89bc6644325c99492ec500a802ceb7cefcbd436db4c05faa021a97948a9246c0242e17521debaefbd37bb524503f2ac3f4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Ebelmi\ypak.exe

Filesize
284KB

MD5
a6e56555fe90195155bbd2a2104ac611

SHA1
36cfff9baafba9668fa1418530a514bb4ecf0464

SHA256
b2524eac8776b9b86096a9361ce3cbfee6dc176362b3e2a1c0442bd0f4a867c8

SHA512
00b786215254da0a552bb63e7bf68fc1a6e131db686cf852add66c094687489ea342c36aaaba08c27514b8709e2416df2c9f1b32607621623e3a9e453dad7786

Download Submit
C:\Users\Admin\AppData\Roaming\Egda\obwam.ylu

Filesize
380B

MD5
360b85c31d6c021fe29d7ecf64b3504b

SHA1
4d0b9a0d4366a2eed99702fb04f72ef81aa8d9e4

SHA256
2881bf5273a44293826e8c12c36e36f9198b64407fc075dd9ea5e069cc7964b0

SHA512
27e469b988c443f0467ce8f0f5b9ce7e638b5b5e49e4ff496f4925d79bcbef3bd6489db152886a03b2a41cbec248ae0958cdc11dfa2b0072de9421b649d46c03

Download Submit
memory/288-45-0x0000000001BC0000-0x0000000001C01000-memory.dmp

Filesize
260KB

Download
memory/288-42-0x0000000001BC0000-0x0000000001C01000-memory.dmp

Filesize
260KB

Download
memory/288-43-0x0000000001BC0000-0x0000000001C01000-memory.dmp

Filesize
260KB

Download
memory/288-44-0x0000000001BC0000-0x0000000001C01000-memory.dmp

Filesize
260KB

Download
memory/1028-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-1-0x0000000000370000-0x00000000003BF000-memory.dmp

Filesize
316KB

Download
memory/1028-48-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1028-50-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1028-56-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1028-54-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1028-52-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1028-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1028-138-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-71-0x0000000077560000-0x0000000077561000-memory.dmp

Filesize
4KB

Download
memory/1028-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1028-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1116-20-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1116-23-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1116-25-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1116-21-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1116-19-0x0000000001F30000-0x0000000001F71000-memory.dmp

Filesize
260KB

Download
memory/1172-28-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1172-30-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1172-32-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1172-34-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1200-40-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1200-39-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1200-37-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/1200-38-0x00000000025A0000-0x00000000025E1000-memory.dmp

Filesize
260KB

Download
memory/2520-17-0x00000000004C0000-0x000000000050F000-memory.dmp

Filesize
316KB

Download
memory/2520-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2520-16-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2520-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download