b9dfb3078612dc7d47c58e0e0a595c6ce4892a12789eae7e8d88765cc9434052

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
Size

293KB
MD5

4b5e9622bc3d49f7868f18f9f9001fb3
SHA1

17c4663d0576ca485219f928ca1654ad042f9351
SHA256

b9dfb3078612dc7d47c58e0e0a595c6ce4892a12789eae7e8d88765cc9434052
SHA512

5d292a6082ff8a673e19455a9c69da5626bfda03b01064e1bd039dd661a06a8208302b42fb9689f12e68d496367ad7a35cd113771de47310fa03f81b517d4d5c
SSDEEP

6144:VPdMyMANEVzGlcEDUl4qaRYVQ6JTGbusJRhgnGXcLD7Xm2BeddhMHHY/9:5NEh8cSLqd5sisDhgnGQBBedDMnYl

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1792	qyejp.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Kana\\qyejp.exe"	qyejp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe
1792	qyejp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
1792	qyejp.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1792	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1792	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1792	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	31
PID 2412 wrote to memory of 1792	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	31
PID 1792 wrote to memory of 1104	1792	qyejp.exe	19
PID 1792 wrote to memory of 1104	1792	qyejp.exe	19
PID 1792 wrote to memory of 1104	1792	qyejp.exe	19
PID 1792 wrote to memory of 1104	1792	qyejp.exe	19
PID 1792 wrote to memory of 1104	1792	qyejp.exe	19
PID 1792 wrote to memory of 1152	1792	qyejp.exe	20
PID 1792 wrote to memory of 1152	1792	qyejp.exe	20
PID 1792 wrote to memory of 1152	1792	qyejp.exe	20
PID 1792 wrote to memory of 1152	1792	qyejp.exe	20
PID 1792 wrote to memory of 1152	1792	qyejp.exe	20
PID 1792 wrote to memory of 1184	1792	qyejp.exe	21
PID 1792 wrote to memory of 1184	1792	qyejp.exe	21
PID 1792 wrote to memory of 1184	1792	qyejp.exe	21
PID 1792 wrote to memory of 1184	1792	qyejp.exe	21
PID 1792 wrote to memory of 1184	1792	qyejp.exe	21
PID 1792 wrote to memory of 1352	1792	qyejp.exe	23
PID 1792 wrote to memory of 1352	1792	qyejp.exe	23
PID 1792 wrote to memory of 1352	1792	qyejp.exe	23
PID 1792 wrote to memory of 1352	1792	qyejp.exe	23
PID 1792 wrote to memory of 1352	1792	qyejp.exe	23
PID 1792 wrote to memory of 2412	1792	qyejp.exe	30
PID 1792 wrote to memory of 2412	1792	qyejp.exe	30
PID 1792 wrote to memory of 2412	1792	qyejp.exe	30
PID 1792 wrote to memory of 2412	1792	qyejp.exe	30
PID 1792 wrote to memory of 2412	1792	qyejp.exe	30
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32
PID 2412 wrote to memory of 960	2412	4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b5e9622bc3d49f7868f18f9f9001fb3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Kana\qyejp.exe
    "C:\Users\Admin\AppData\Roaming\Kana\qyejp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6b5842cf.bat"
    3⤵
    - Deletes itself
    PID:960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6b5842cf.bat

Filesize
271B

MD5
c31069381388b378460f4b132476d2d6

SHA1
8b26ed418ab9769ee4ee6e2339f0d59e18c76952

SHA256
a986b6ef0838d08aa8facbed13d8988f1a707c4a2321f22f0a7b543d1ce3c824

SHA512
c90455c2a9b77e6bb9491ec6a85ba4295c1a108bd1a2e534c1124552b5f703f4299137cc4b2c99bf21ba9389e220dd6cc7aed634722aef9779cc52ef16781554

Download Submit
C:\Users\Admin\AppData\Roaming\Vydiuk\cyol.ipa

Filesize
380B

MD5
71b1576afb31c3d3f8a9b5143ec07740

SHA1
13d5f9c5cd30f103ddb68329f5abef26b1c4267a

SHA256
c318314bc935948552bdc56d9aafd320a37e8cac61003de6fa646f573df152d1

SHA512
1e04406993a061abd84d5cd0050f516485a4db96a32a24229ead2eb1f8bc5144c0987addbfa5b1ce6c7531a2cf896a793e297dcc451887a5eb2e7369a5ce64b9

Download Submit
\Users\Admin\AppData\Roaming\Kana\qyejp.exe

Filesize
293KB

MD5
4761e893b94aca4542e56a649535e371

SHA1
f7eb45132b8f321b64e599b001ef9a588bcceb46

SHA256
372c474dc2b563df038796b5837f9124cbc1077149e2b51b959b9b97bd05d8b9

SHA512
9369b9f3dcda5b40cb6d5a734868228aed5faa93adaf804662ede95f928daa2fc88a57ad96c0a371d495fc598dea7c692015ba06b5c62b6dd3a6070c79f05d5d

Download Submit
memory/1104-26-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1104-24-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1104-18-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1104-22-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1104-20-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1152-36-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-32-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-34-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-30-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1184-42-0x0000000002EC0000-0x0000000002F01000-memory.dmp

Filesize
260KB

Download
memory/1184-41-0x0000000002EC0000-0x0000000002F01000-memory.dmp

Filesize
260KB

Download
memory/1184-39-0x0000000002EC0000-0x0000000002F01000-memory.dmp

Filesize
260KB

Download
memory/1184-40-0x0000000002EC0000-0x0000000002F01000-memory.dmp

Filesize
260KB

Download
memory/1352-51-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1352-49-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1352-45-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1352-47-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1792-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-15-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1792-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1792-16-0x00000000002E0000-0x000000000032B000-memory.dmp

Filesize
300KB

Download
memory/2412-81-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-73-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-56-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-55-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-54-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-58-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-59-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-61-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-63-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-65-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-67-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-69-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-57-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-75-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-77-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-0-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/2412-79-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-74-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/2412-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-140-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-164-0x0000000001C00000-0x0000000001C4B000-memory.dmp

Filesize
300KB

Download
memory/2412-167-0x0000000001E20000-0x0000000001E61000-memory.dmp

Filesize
260KB

Download
memory/2412-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-165-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/2412-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-1-0x0000000001C00000-0x0000000001C4B000-memory.dmp

Filesize
300KB

Download