27c99460ad064b2e1a29a9cd36ecc4248eed4135c9bfd82c7e291c1f4e70f189

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe
Size

327KB
MD5

481408c4867a7f1de4f6d94ea2f93a4a
SHA1

3d397a311c129584510fa0cc860387a958cca99c
SHA256

27c99460ad064b2e1a29a9cd36ecc4248eed4135c9bfd82c7e291c1f4e70f189
SHA512

656861add7e61250618a17737a71986f785e8a803d5d2cda062a673b711c73c5984cb73a6db026c22dc0dc4b51c23d33129c94552d557a1cac4ef25a6feadfa4
SSDEEP

6144:1HSPog8gW5zJ+W1PQGXDjIzME28wfbThH3LLsih0X5zTPaNncw1PhHM2eC:1Hcf7W5j1tjIIvVfb53LYjFTPaNcGHMe

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	jufyj.exe
2356	jufyj.exe

Loads dropped DLL 3 IoCs

pid	Process
1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe
1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe
2752	jufyj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4363D88-6FEF-AD4F-FCEF-4765F9626478} = "C:\\Users\\Admin\\AppData\\Roaming\\Okom\\jufyj.exe"	jufyj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2752 set thread context of 2356	2752	jufyj.exe	32

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe
2356	jufyj.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 2364 wrote to memory of 1276	2364	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	30
PID 1276 wrote to memory of 2752	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	31
PID 1276 wrote to memory of 2752	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	31
PID 1276 wrote to memory of 2752	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	31
PID 1276 wrote to memory of 2752	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 2752 wrote to memory of 2356	2752	jufyj.exe	32
PID 1276 wrote to memory of 2704	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	33
PID 1276 wrote to memory of 2704	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	33
PID 1276 wrote to memory of 2704	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	33
PID 1276 wrote to memory of 2704	1276	481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe	33
PID 2356 wrote to memory of 1100	2356	jufyj.exe	19
PID 2356 wrote to memory of 1100	2356	jufyj.exe	19
PID 2356 wrote to memory of 1100	2356	jufyj.exe	19
PID 2356 wrote to memory of 1100	2356	jufyj.exe	19
PID 2356 wrote to memory of 1100	2356	jufyj.exe	19
PID 2356 wrote to memory of 1160	2356	jufyj.exe	20
PID 2356 wrote to memory of 1160	2356	jufyj.exe	20
PID 2356 wrote to memory of 1160	2356	jufyj.exe	20
PID 2356 wrote to memory of 1160	2356	jufyj.exe	20
PID 2356 wrote to memory of 1160	2356	jufyj.exe	20
PID 2356 wrote to memory of 1200	2356	jufyj.exe	21
PID 2356 wrote to memory of 1200	2356	jufyj.exe	21
PID 2356 wrote to memory of 1200	2356	jufyj.exe	21
PID 2356 wrote to memory of 1200	2356	jufyj.exe	21
PID 2356 wrote to memory of 1200	2356	jufyj.exe	21
PID 2356 wrote to memory of 2024	2356	jufyj.exe	23
PID 2356 wrote to memory of 2024	2356	jufyj.exe	23
PID 2356 wrote to memory of 2024	2356	jufyj.exe	23
PID 2356 wrote to memory of 2024	2356	jufyj.exe	23
PID 2356 wrote to memory of 2024	2356	jufyj.exe	23

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\481408c4867a7f1de4f6d94ea2f93a4a_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Users\Admin\AppData\Roaming\Okom\jufyj.exe
      "C:\Users\Admin\AppData\Roaming\Okom\jufyj.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Roaming\Okom\jufyj.exe
        
        "C:\Users\Admin\AppData\Roaming\Okom\jufyj.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5c797d46.bat"
      4⤵
      Deletes itself
      PID:2704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5c797d46.bat

Filesize
271B

MD5
94faeec83ca050fc9c597ad9a767637a

SHA1
c587101efde3d3a0cc24c8a2aab1aa2cd872c333

SHA256
f3937f3ca94a511ee94e6de996e1571432b1081ef8170b1304e7bdd170fb9280

SHA512
586b6294a3c27c7f0f79cedfc0a0076cca265107a008bccde853244cd487aca01ac9a64f38ad347dde9797156341f20485f9e827f7a83329ee59e1c3c6927921

Download Submit
\Users\Admin\AppData\Roaming\Okom\jufyj.exe

Filesize
327KB

MD5
fcd55781d2c8b2fcc2fd3f8529a39415

SHA1
13754ae6bff881b4224391c502a7ae7d62bc20d4

SHA256
b4a1c1b0a5084be9f69cbb2e5be3735c3e1057319bd442faa85aef6a52e623de

SHA512
27c90abc948b6e65e7570293b7c0457ec033009c33dcb8f4c1ca80a40eb540078fdb047bb385f8f0a7cc6bf7a5388406506aef53ddcba4015211382e72e1ef45

Download Submit
memory/1100-64-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1100-60-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1100-62-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1100-58-0x0000000001F40000-0x0000000001F84000-memory.dmp

Filesize
272KB

Download
memory/1160-68-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1160-70-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1160-72-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1160-74-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1200-78-0x00000000021D0000-0x0000000002214000-memory.dmp

Filesize
272KB

Download
memory/1200-79-0x00000000021D0000-0x0000000002214000-memory.dmp

Filesize
272KB

Download
memory/1200-80-0x00000000021D0000-0x0000000002214000-memory.dmp

Filesize
272KB

Download
memory/1200-81-0x00000000021D0000-0x0000000002214000-memory.dmp

Filesize
272KB

Download
memory/1276-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-24-0x0000000001F20000-0x0000000001F77000-memory.dmp

Filesize
348KB

Download
memory/1276-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1276-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1276-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-84-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2024-86-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2356-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2356-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2364-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2752-30-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2752-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2752-47-0x0000000000320000-0x0000000000377000-memory.dmp

Filesize
348KB

Download