9f7573de2d65164fba85fa74c1b3a58d223fe4f70afe3c964a99f766405ae324

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
Size

135KB
MD5

4a1a03c1bdacc608737ea07d42074a21
SHA1

f3da56d54a547f8ea19507191505c7c328814106
SHA256

9f7573de2d65164fba85fa74c1b3a58d223fe4f70afe3c964a99f766405ae324
SHA512

625b1b2e483d4955fd275118924d4f38c682cdbe9246b5291a6e506fe37f0be6f4463ce78374238d8f3a1a5ff1a2c2b6925a256066e312f56c128117d1423c14
SSDEEP

3072:IW41XL2ip4kZWAgDfqzxaGmO5doJFhcI0wrzOIbfMSdML:IW4NLb4kZhgDMWOuP0CzO+UyML

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2460	uluwp.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/files/0x0008000000015d10-5.dat	upx
behavioral1/memory/2460-13-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F1F1B218-A0ED-E233-0470-334C2D8E13A0} = "C:\\Users\\Admin\\AppData\\Roaming\\Gauhy\\uluwp.exe"	uluwp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe
2460	uluwp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
Token: SeSecurityPrivilege	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
Token: SeSecurityPrivilege	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2460	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2460	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2460	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	28
PID 2200 wrote to memory of 2460	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	28
PID 2460 wrote to memory of 1148	2460	uluwp.exe	19
PID 2460 wrote to memory of 1148	2460	uluwp.exe	19
PID 2460 wrote to memory of 1148	2460	uluwp.exe	19
PID 2460 wrote to memory of 1148	2460	uluwp.exe	19
PID 2460 wrote to memory of 1148	2460	uluwp.exe	19
PID 2460 wrote to memory of 1268	2460	uluwp.exe	20
PID 2460 wrote to memory of 1268	2460	uluwp.exe	20
PID 2460 wrote to memory of 1268	2460	uluwp.exe	20
PID 2460 wrote to memory of 1268	2460	uluwp.exe	20
PID 2460 wrote to memory of 1268	2460	uluwp.exe	20
PID 2460 wrote to memory of 1324	2460	uluwp.exe	21
PID 2460 wrote to memory of 1324	2460	uluwp.exe	21
PID 2460 wrote to memory of 1324	2460	uluwp.exe	21
PID 2460 wrote to memory of 1324	2460	uluwp.exe	21
PID 2460 wrote to memory of 1324	2460	uluwp.exe	21
PID 2460 wrote to memory of 376	2460	uluwp.exe	23
PID 2460 wrote to memory of 376	2460	uluwp.exe	23
PID 2460 wrote to memory of 376	2460	uluwp.exe	23
PID 2460 wrote to memory of 376	2460	uluwp.exe	23
PID 2460 wrote to memory of 376	2460	uluwp.exe	23
PID 2460 wrote to memory of 2200	2460	uluwp.exe	27
PID 2460 wrote to memory of 2200	2460	uluwp.exe	27
PID 2460 wrote to memory of 2200	2460	uluwp.exe	27
PID 2460 wrote to memory of 2200	2460	uluwp.exe	27
PID 2460 wrote to memory of 2200	2460	uluwp.exe	27
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2200 wrote to memory of 2024	2200	4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe	29
PID 2460 wrote to memory of 1636	2460	uluwp.exe	33
PID 2460 wrote to memory of 1636	2460	uluwp.exe	33
PID 2460 wrote to memory of 1636	2460	uluwp.exe	33
PID 2460 wrote to memory of 1636	2460	uluwp.exe	33
PID 2460 wrote to memory of 1636	2460	uluwp.exe	33
PID 2460 wrote to memory of 1900	2460	uluwp.exe	34
PID 2460 wrote to memory of 1900	2460	uluwp.exe	34
PID 2460 wrote to memory of 1900	2460	uluwp.exe	34
PID 2460 wrote to memory of 1900	2460	uluwp.exe	34
PID 2460 wrote to memory of 1900	2460	uluwp.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324
- C:\Users\Admin\AppData\Local\Temp\4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a1a03c1bdacc608737ea07d42074a21_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Roaming\Gauhy\uluwp.exe
    "C:\Users\Admin\AppData\Roaming\Gauhy\uluwp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp19bf5aef.bat"
    3⤵
    - Deletes itself
    PID:2024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp19bf5aef.bat

Filesize
271B

MD5
c53eec7f12395b03f45940cbff19964e

SHA1
c331f052fb666894a2f2ab090c1d4b8d2de69db0

SHA256
1786c05c739a86e8465c48d24178715ba4ea0b4965702a851e34c02d0bcf2c2c

SHA512
6e53ec814ca0321983937682482906c9ec77f64c243fb0de68e886372531d19e25e346b919b4d046a8a3802244dc76e18b6a9f8ebafd7e68e896b3a160880109

Download Submit
C:\Users\Admin\AppData\Roaming\Giebod\ixup.aky

Filesize
380B

MD5
e604d7223cc546f0391cd0b5080d526f

SHA1
e2289b71da38f4ab19b97f051537d801b1c59e27

SHA256
49b5465f5deb2eecbe4365cdcc676ac996aff4848601d2fb7d25db6218ca4647

SHA512
81c42b7dd838e663883cef462c0a2d6ef806c58f73aacf055c4aaf2a86e0fd862dc2294ae0ac71ab02aa9efe5b7a27c0863cdce9a902dc3436911cb3cf2388f1

Download Submit
\Users\Admin\AppData\Roaming\Gauhy\uluwp.exe

Filesize
135KB

MD5
31443c214bf9a9d08bf36881f32f1f0a

SHA1
928ce970d6053303039b4f930e3460afdbba3f21

SHA256
7cd18aa1f240e2a06fb617a61b4c0fcb62e82a015ced1de85662c24f45439703

SHA512
f99953634e6215529e3b62b6d79daf05541ba6b45e58b447ec381086fa4433e89106170d0406b85114c827e8d45ba389dd8e724d04d2e81501fdaa75c79cf89e

Download Submit
memory/376-40-0x0000000001DC0000-0x0000000001DE5000-memory.dmp

Filesize
148KB

Download
memory/376-39-0x0000000001DC0000-0x0000000001DE5000-memory.dmp

Filesize
148KB

Download
memory/376-41-0x0000000001DC0000-0x0000000001DE5000-memory.dmp

Filesize
148KB

Download
memory/376-38-0x0000000001DC0000-0x0000000001DE5000-memory.dmp

Filesize
148KB

Download
memory/1148-21-0x0000000001F90000-0x0000000001FB5000-memory.dmp

Filesize
148KB

Download
memory/1148-17-0x0000000001F90000-0x0000000001FB5000-memory.dmp

Filesize
148KB

Download
memory/1148-20-0x0000000001F90000-0x0000000001FB5000-memory.dmp

Filesize
148KB

Download
memory/1148-18-0x0000000001F90000-0x0000000001FB5000-memory.dmp

Filesize
148KB

Download
memory/1148-19-0x0000000001F90000-0x0000000001FB5000-memory.dmp

Filesize
148KB

Download
memory/1268-24-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1268-23-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1268-25-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1268-26-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1324-35-0x0000000002510000-0x0000000002535000-memory.dmp

Filesize
148KB

Download
memory/1324-29-0x0000000002510000-0x0000000002535000-memory.dmp

Filesize
148KB

Download
memory/1324-31-0x0000000002510000-0x0000000002535000-memory.dmp

Filesize
148KB

Download
memory/1324-33-0x0000000002510000-0x0000000002535000-memory.dmp

Filesize
148KB

Download
memory/2200-58-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-76-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-45-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2200-43-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2200-1-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2200-12-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2200-49-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2200-51-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2200-147-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2200-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2200-60-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2200-66-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-64-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-72-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-70-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-68-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-62-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-56-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-54-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-52-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-78-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-47-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2200-74-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-80-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2200-130-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-13-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2460-264-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download