cff7d4680495922e463ad6d2959179043ad882ac946bdc27026d28c95384bb4b

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
Size

250KB
MD5

48df49a7dbe5cc7a153633133a8fc9d6
SHA1

4dadf4d92648521067925f02d3e071b3fe3bbc04
SHA256

cff7d4680495922e463ad6d2959179043ad882ac946bdc27026d28c95384bb4b
SHA512

3f7a0680ef43584464394419cb4dc21a90f09357d86c1de8f134afeb564d6ef1297a5b087af51a55783d3b196547ba4ce5230a1bf28e74ede45d025f1fa144cf
SSDEEP

6144:NoxDTbg1+6B3mq4GeUaHDDwGNzDOSK/FUuQk8E2qk:GDTbg1XXeUejxiJ/m/kz

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1052	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1816	agaj.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000016dcf-2.dat	upx
behavioral1/memory/2384-9-0x0000000000400000-0x00000000028F9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Gyac\\agaj.exe"	agaj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe
1816	agaj.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1816	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1816	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1816	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1816	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	30
PID 1816 wrote to memory of 1108	1816	agaj.exe	19
PID 1816 wrote to memory of 1108	1816	agaj.exe	19
PID 1816 wrote to memory of 1108	1816	agaj.exe	19
PID 1816 wrote to memory of 1108	1816	agaj.exe	19
PID 1816 wrote to memory of 1108	1816	agaj.exe	19
PID 1816 wrote to memory of 1176	1816	agaj.exe	20
PID 1816 wrote to memory of 1176	1816	agaj.exe	20
PID 1816 wrote to memory of 1176	1816	agaj.exe	20
PID 1816 wrote to memory of 1176	1816	agaj.exe	20
PID 1816 wrote to memory of 1176	1816	agaj.exe	20
PID 1816 wrote to memory of 1200	1816	agaj.exe	21
PID 1816 wrote to memory of 1200	1816	agaj.exe	21
PID 1816 wrote to memory of 1200	1816	agaj.exe	21
PID 1816 wrote to memory of 1200	1816	agaj.exe	21
PID 1816 wrote to memory of 1200	1816	agaj.exe	21
PID 1816 wrote to memory of 552	1816	agaj.exe	25
PID 1816 wrote to memory of 552	1816	agaj.exe	25
PID 1816 wrote to memory of 552	1816	agaj.exe	25
PID 1816 wrote to memory of 552	1816	agaj.exe	25
PID 1816 wrote to memory of 552	1816	agaj.exe	25
PID 1816 wrote to memory of 2384	1816	agaj.exe	29
PID 1816 wrote to memory of 2384	1816	agaj.exe	29
PID 1816 wrote to memory of 2384	1816	agaj.exe	29
PID 1816 wrote to memory of 2384	1816	agaj.exe	29
PID 1816 wrote to memory of 2384	1816	agaj.exe	29
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1052	2384	48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\48df49a7dbe5cc7a153633133a8fc9d6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Gyac\agaj.exe
    "C:\Users\Admin\AppData\Roaming\Gyac\agaj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp11f0ee58.bat"
    3⤵
    - Deletes itself
    PID:1052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp11f0ee58.bat

Filesize
271B

MD5
d8c9817ca94eebbf287efe7f11abfab0

SHA1
a0534a6c6639350c8798d2e9e4ddd9a9672dbaef

SHA256
fd56aa8ee7791ac97d01017cbd992f7d6f21b43ddc705104d2e074c70a657828

SHA512
573cfdf75ff3dec93cc01bfeab37b872af026011ff9d3759854b94b0b73a7b31c66bf7db124ead7974ddbad6ea41a443f573a79c64bd123f83d5e446358ae91d

Download Submit
C:\Users\Admin\AppData\Roaming\Apwa\soohe.vof

Filesize
380B

MD5
9f2af3c5b1fd528f5bd95102a909885d

SHA1
25d896ecdc2ce7e039ddaf08d6c870004c9c6695

SHA256
cd4905b929e29a487237758c2f7081e72f57898e79bf77f2925cb1ced2448ef8

SHA512
fadf525589ab2d68dc40a69da77dafeb1edb86a7122f3820358791dbafc6de3b2448529a54df29221311b866e603039d7de7a6ee1430b554a9a458c358053b13

Download Submit
\Users\Admin\AppData\Roaming\Gyac\agaj.exe

Filesize
250KB

MD5
ea0d97f9d954f2d506702e90afc8c0f2

SHA1
09c57e79ec6cbddb1e0a5cfa6325cd0f2e3582c5

SHA256
b8140199d584dafbc1b4af3ea8513b218c1a67c9f3b6710c1ad6036281b2b836

SHA512
6a8c6d31a55ea88b3c32ae23848a844bfef3470351f6c700d3bf8953d2f88aeb278cefe696c2b4c3350566502bb05ebe034e5ac30c1e4a3f395acedb90192a2f

Download Submit
memory/552-51-0x0000000001EB0000-0x0000000001EE5000-memory.dmp

Filesize
212KB

Download
memory/552-45-0x0000000001EB0000-0x0000000001EE5000-memory.dmp

Filesize
212KB

Download
memory/552-47-0x0000000001EB0000-0x0000000001EE5000-memory.dmp

Filesize
212KB

Download
memory/552-49-0x0000000001EB0000-0x0000000001EE5000-memory.dmp

Filesize
212KB

Download
memory/1108-13-0x00000000021D0000-0x0000000002205000-memory.dmp

Filesize
212KB

Download
memory/1108-15-0x00000000021D0000-0x0000000002205000-memory.dmp

Filesize
212KB

Download
memory/1108-17-0x00000000021D0000-0x0000000002205000-memory.dmp

Filesize
212KB

Download
memory/1108-19-0x00000000021D0000-0x0000000002205000-memory.dmp

Filesize
212KB

Download
memory/1108-21-0x00000000021D0000-0x0000000002205000-memory.dmp

Filesize
212KB

Download
memory/1176-25-0x0000000001F90000-0x0000000001FC5000-memory.dmp

Filesize
212KB

Download
memory/1176-27-0x0000000001F90000-0x0000000001FC5000-memory.dmp

Filesize
212KB

Download
memory/1176-29-0x0000000001F90000-0x0000000001FC5000-memory.dmp

Filesize
212KB

Download
memory/1176-31-0x0000000001F90000-0x0000000001FC5000-memory.dmp

Filesize
212KB

Download
memory/1200-41-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1200-35-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1200-37-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/1200-39-0x0000000002CE0000-0x0000000002D15000-memory.dmp

Filesize
212KB

Download
memory/2384-195-0x0000000000400000-0x00000000028F9000-memory.dmp

Filesize
37.0MB

Download
memory/2384-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-55-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/2384-57-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/2384-194-0x0000000000400000-0x00000000028F9000-memory.dmp

Filesize
37.0MB

Download
memory/2384-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-59-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/2384-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-61-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/2384-11-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/2384-10-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000000400000-0x00000000028F9000-memory.dmp

Filesize
37.0MB

Download
memory/2384-63-0x0000000002B00000-0x0000000002B35000-memory.dmp

Filesize
212KB

Download
memory/2384-315-0x0000000000400000-0x00000000028F9000-memory.dmp

Filesize
37.0MB

Download