1db1f2507a25c60490566cf36d3711f242a5c0e77dfa491923ce6682d049c196

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492412faf7d31541273b0551954fe61b_JaffaCakes118.exe
Size

305KB
MD5

492412faf7d31541273b0551954fe61b
SHA1

e52070a22e7ec2a08efd02e1f729fa244dae68a0
SHA256

1db1f2507a25c60490566cf36d3711f242a5c0e77dfa491923ce6682d049c196
SHA512

7d4ffda25394c3747c6e601b4724b1b2fb5a63dfb85e8badbdd9d37dc47d3a03a243f907e9714baedd36ff50cf3388f46944c8e07d8aa6dd124bc0657a65620d
SSDEEP

6144:5GSz1T72Y0SmzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOsPECYeixlYGic2:5Gq57SShYsY1UMqMZJYSN7wbstOs8fvw

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	ixojuv.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Vuan\\ixojuv.exe"	ixojuv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe
2396	ixojuv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2396	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2396	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2396	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	31
PID 1964 wrote to memory of 2396	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	31
PID 2396 wrote to memory of 1116	2396	ixojuv.exe	19
PID 2396 wrote to memory of 1116	2396	ixojuv.exe	19
PID 2396 wrote to memory of 1116	2396	ixojuv.exe	19
PID 2396 wrote to memory of 1116	2396	ixojuv.exe	19
PID 2396 wrote to memory of 1116	2396	ixojuv.exe	19
PID 2396 wrote to memory of 1176	2396	ixojuv.exe	20
PID 2396 wrote to memory of 1176	2396	ixojuv.exe	20
PID 2396 wrote to memory of 1176	2396	ixojuv.exe	20
PID 2396 wrote to memory of 1176	2396	ixojuv.exe	20
PID 2396 wrote to memory of 1176	2396	ixojuv.exe	20
PID 2396 wrote to memory of 1252	2396	ixojuv.exe	21
PID 2396 wrote to memory of 1252	2396	ixojuv.exe	21
PID 2396 wrote to memory of 1252	2396	ixojuv.exe	21
PID 2396 wrote to memory of 1252	2396	ixojuv.exe	21
PID 2396 wrote to memory of 1252	2396	ixojuv.exe	21
PID 2396 wrote to memory of 1208	2396	ixojuv.exe	23
PID 2396 wrote to memory of 1208	2396	ixojuv.exe	23
PID 2396 wrote to memory of 1208	2396	ixojuv.exe	23
PID 2396 wrote to memory of 1208	2396	ixojuv.exe	23
PID 2396 wrote to memory of 1208	2396	ixojuv.exe	23
PID 2396 wrote to memory of 1964	2396	ixojuv.exe	30
PID 2396 wrote to memory of 1964	2396	ixojuv.exe	30
PID 2396 wrote to memory of 1964	2396	ixojuv.exe	30
PID 2396 wrote to memory of 1964	2396	ixojuv.exe	30
PID 2396 wrote to memory of 1964	2396	ixojuv.exe	30
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2676	1964	492412faf7d31541273b0551954fe61b_JaffaCakes118.exe	32
PID 2396 wrote to memory of 1296	2396	ixojuv.exe	34
PID 2396 wrote to memory of 1296	2396	ixojuv.exe	34
PID 2396 wrote to memory of 1296	2396	ixojuv.exe	34
PID 2396 wrote to memory of 1296	2396	ixojuv.exe	34
PID 2396 wrote to memory of 1296	2396	ixojuv.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\492412faf7d31541273b0551954fe61b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\492412faf7d31541273b0551954fe61b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Vuan\ixojuv.exe
    "C:\Users\Admin\AppData\Roaming\Vuan\ixojuv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp399e72c7.bat"
    3⤵
    - Deletes itself
    PID:2676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1208

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp399e72c7.bat

Filesize
271B

MD5
f4f560e859bcec08f9af62e397e5aca9

SHA1
ac2a8c125f2831091510067289e41e19bd3cbeb5

SHA256
c5c823899790d6d5f0f1ac790cd83c996394a0d3af8433636a634a86ad4d16d8

SHA512
67910b043e6208e34f2a6aba50a9f7a943929a463ef0f30dab365e6888520ca8c2fb526e6c967ea0543fdbc4604d1cac8fd6ab498dd3b7758ac7ff83c1c28e01

Download Submit
C:\Users\Admin\AppData\Roaming\Vuan\ixojuv.exe

Filesize
305KB

MD5
e47355323f5072ca54c41eda0158e91c

SHA1
0e0f04373c6920faa5f683736001be8184a38fc2

SHA256
e04a728c82e43db7af3414024cb567d13c5fe014fe674bcb121ccafe9bc14036

SHA512
f97df78dbb3a4865a8675b42d9699077127d725262fdff58311862fae7433cda4fbcdb320b31b242ff1e605e8cf345c5c920e5f50223d4f3f7a8f2309c3d671e

Download Submit
memory/1116-18-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-14-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-15-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-16-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1116-17-0x0000000002260000-0x00000000022A4000-memory.dmp

Filesize
272KB

Download
memory/1176-23-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-20-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-21-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1176-22-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1208-32-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-33-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-30-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1208-31-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1252-25-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/1252-26-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/1252-27-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/1252-28-0x0000000002EE0000-0x0000000002F24000-memory.dmp

Filesize
272KB

Download
memory/1964-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-67-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-57-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-51-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-50-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1964-49-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-47-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-45-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-43-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-41-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-40-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-39-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-38-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-37-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-36-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-61-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-63-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-65-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-59-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-69-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-0-0x0000000001230000-0x0000000001280000-memory.dmp

Filesize
320KB

Download
memory/1964-73-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-75-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-132-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-77-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-55-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1964-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-10-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/1964-155-0x0000000001230000-0x0000000001280000-memory.dmp

Filesize
320KB

Download
memory/1964-5-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1964-157-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1964-156-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-11-0x0000000000B70000-0x0000000000BC0000-memory.dmp

Filesize
320KB

Download
memory/2396-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-282-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download