9f5d02400f658961506e3c1661eb37ca3c4d6918b7faf4c85d82465fa4c2a00a

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 10:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe
Size

360KB
MD5

497811a046cdbf7cc68405b1cd71d636
SHA1

3a22182b8cefa5bf573e4d66c1b1559692f473bc
SHA256

9f5d02400f658961506e3c1661eb37ca3c4d6918b7faf4c85d82465fa4c2a00a
SHA512

c0992064c5bc5ff91469da566aeb24c37d5930bb4b16894d61b869e6629f781719ab7869717bb4b858fe6f0d322178cf4e953107bfb9f8b6ee88e208481a8d52
SSDEEP

6144:JsQzHqsbEMGSwyX3PnhLatD/sU01rkS6ODtKno:J/zK2EMG8X/nG44ADQo

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3028	omuv.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe
1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Sunu\\omuv.exe"	omuv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe
3028	omuv.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe
3028	omuv.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3028	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	29
PID 1772 wrote to memory of 3028	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	29
PID 1772 wrote to memory of 3028	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	29
PID 1772 wrote to memory of 3028	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	29
PID 3028 wrote to memory of 1100	3028	omuv.exe	18
PID 3028 wrote to memory of 1100	3028	omuv.exe	18
PID 3028 wrote to memory of 1100	3028	omuv.exe	18
PID 3028 wrote to memory of 1100	3028	omuv.exe	18
PID 3028 wrote to memory of 1100	3028	omuv.exe	18
PID 3028 wrote to memory of 1156	3028	omuv.exe	19
PID 3028 wrote to memory of 1156	3028	omuv.exe	19
PID 3028 wrote to memory of 1156	3028	omuv.exe	19
PID 3028 wrote to memory of 1156	3028	omuv.exe	19
PID 3028 wrote to memory of 1156	3028	omuv.exe	19
PID 3028 wrote to memory of 1196	3028	omuv.exe	20
PID 3028 wrote to memory of 1196	3028	omuv.exe	20
PID 3028 wrote to memory of 1196	3028	omuv.exe	20
PID 3028 wrote to memory of 1196	3028	omuv.exe	20
PID 3028 wrote to memory of 1196	3028	omuv.exe	20
PID 3028 wrote to memory of 1616	3028	omuv.exe	24
PID 3028 wrote to memory of 1616	3028	omuv.exe	24
PID 3028 wrote to memory of 1616	3028	omuv.exe	24
PID 3028 wrote to memory of 1616	3028	omuv.exe	24
PID 3028 wrote to memory of 1616	3028	omuv.exe	24
PID 3028 wrote to memory of 1772	3028	omuv.exe	28
PID 3028 wrote to memory of 1772	3028	omuv.exe	28
PID 3028 wrote to memory of 1772	3028	omuv.exe	28
PID 3028 wrote to memory of 1772	3028	omuv.exe	28
PID 3028 wrote to memory of 1772	3028	omuv.exe	28
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30
PID 1772 wrote to memory of 2932	1772	497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\497811a046cdbf7cc68405b1cd71d636_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Roaming\Sunu\omuv.exe
    "C:\Users\Admin\AppData\Roaming\Sunu\omuv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp03a124d4.bat"
    3⤵
    - Deletes itself
    PID:2932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp03a124d4.bat

Filesize
271B

MD5
2a11deb7cd47539844b3976445692632

SHA1
1625e9f1da4609ac4b6dbbe845ba2d0681bb9d2b

SHA256
de719cc241bf403d8f34a964b8d99b32d060c7b92023207e19fab79782650369

SHA512
c2fbc986e95ca00cb22567bb7b5e9a13bebdf3fbec81d45ba6984c5180d49e9bd2833f27116310858d6513e4721e78dc91d0fa70579d9a63c84d469a4b944a73

Download Submit
\Users\Admin\AppData\Roaming\Sunu\omuv.exe

Filesize
360KB

MD5
019b06fc5e24086b2ba53056e52806de

SHA1
9dffa8cee08c07b3a3d964180231b1249222a507

SHA256
7a9f772eae4c28551da9df245b373564bbb51aff5851230fe69fb60305c05040

SHA512
60b769a7218f5b72bd9403e063006cdf7239dd73416513b44ab0fddf6476e602abf3492cab4991e8adf6f6c12200b87f7cae92dc47ab1c9ba8ee310622e282cd

Download Submit
memory/1100-22-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/1100-18-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/1100-19-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/1100-20-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/1100-21-0x0000000002380000-0x00000000023C4000-memory.dmp

Filesize
272KB

Download
memory/1156-24-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1156-25-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1156-26-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1156-27-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1196-29-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-30-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-31-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1196-32-0x0000000002DE0000-0x0000000002E24000-memory.dmp

Filesize
272KB

Download
memory/1616-38-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1616-35-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1616-36-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1616-37-0x0000000001D90000-0x0000000001DD4000-memory.dmp

Filesize
272KB

Download
memory/1772-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-55-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-53-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-51-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-49-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-48-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1772-46-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1772-44-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1772-42-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1772-40-0x00000000004F0000-0x0000000000534000-memory.dmp

Filesize
272KB

Download
memory/1772-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-63-0x00000000774B0000-0x00000000774B1000-memory.dmp

Filesize
4KB

Download
memory/1772-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1772-74-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-76-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-80-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-1-0x0000000000370000-0x00000000003CF000-memory.dmp

Filesize
380KB

Download
memory/1772-158-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-134-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1772-157-0x0000000000370000-0x00000000003CF000-memory.dmp

Filesize
380KB

Download
memory/3028-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3028-280-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3028-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download