383848a72073f274cc33b502030e13427981a6b144b26c8d70f4b7cf1afbbd91

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
Size

160KB
MD5

4c651d5264683e2d654ade96736517aa
SHA1

3f719307c7f9f47e8b7b8cf4c181dd87f82befb4
SHA256

383848a72073f274cc33b502030e13427981a6b144b26c8d70f4b7cf1afbbd91
SHA512

abdf044c131c035b07637e2ca2df2ac770a3a056e900b62050e79c9e8eda9ea49564ccc6fd6296b60563f432c9b0d90cd5b4f47199873c51af0c927981905644
SSDEEP

3072:h/SY8+c2xq3ddXJAB0wJAKyUvqolAnQ0gol06jykq1x4SA:h6Y8xTJAB0ebyU2nQ0gUHykq1/

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2884	netsh.exe

Deletes itself 1 IoCs

pid	Process
344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	saiclum.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\{9BE99A99-620B-2F40-6BA5-6FFB44839AB3} = "C:\\Users\\Admin\\AppData\\Roaming\\Emfa\\saiclum.exe"	saiclum.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\168D00D0-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe
2088	saiclum.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
Token: SeSecurityPrivilege	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
Token: SeSecurityPrivilege	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
Token: SeManageVolumePrivilege	532	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
532	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
532	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
532	WinMail.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 3060	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	31
PID 2624 wrote to memory of 3060	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	31
PID 2624 wrote to memory of 3060	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	31
PID 2624 wrote to memory of 3060	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	31
PID 2624 wrote to memory of 2088	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2088	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2088	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	33
PID 2624 wrote to memory of 2088	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	33
PID 3060 wrote to memory of 2884	3060	cmd.exe	34
PID 3060 wrote to memory of 2884	3060	cmd.exe	34
PID 3060 wrote to memory of 2884	3060	cmd.exe	34
PID 3060 wrote to memory of 2884	3060	cmd.exe	34
PID 2088 wrote to memory of 1112	2088	saiclum.exe	19
PID 2088 wrote to memory of 1112	2088	saiclum.exe	19
PID 2088 wrote to memory of 1112	2088	saiclum.exe	19
PID 2088 wrote to memory of 1112	2088	saiclum.exe	19
PID 2088 wrote to memory of 1112	2088	saiclum.exe	19
PID 2088 wrote to memory of 1160	2088	saiclum.exe	20
PID 2088 wrote to memory of 1160	2088	saiclum.exe	20
PID 2088 wrote to memory of 1160	2088	saiclum.exe	20
PID 2088 wrote to memory of 1160	2088	saiclum.exe	20
PID 2088 wrote to memory of 1160	2088	saiclum.exe	20
PID 2088 wrote to memory of 1196	2088	saiclum.exe	21
PID 2088 wrote to memory of 1196	2088	saiclum.exe	21
PID 2088 wrote to memory of 1196	2088	saiclum.exe	21
PID 2088 wrote to memory of 1196	2088	saiclum.exe	21
PID 2088 wrote to memory of 1196	2088	saiclum.exe	21
PID 2088 wrote to memory of 1612	2088	saiclum.exe	25
PID 2088 wrote to memory of 1612	2088	saiclum.exe	25
PID 2088 wrote to memory of 1612	2088	saiclum.exe	25
PID 2088 wrote to memory of 1612	2088	saiclum.exe	25
PID 2088 wrote to memory of 1612	2088	saiclum.exe	25
PID 2088 wrote to memory of 2624	2088	saiclum.exe	30
PID 2088 wrote to memory of 2624	2088	saiclum.exe	30
PID 2088 wrote to memory of 2624	2088	saiclum.exe	30
PID 2088 wrote to memory of 2624	2088	saiclum.exe	30
PID 2088 wrote to memory of 2624	2088	saiclum.exe	30
PID 2088 wrote to memory of 532	2088	saiclum.exe	35
PID 2088 wrote to memory of 532	2088	saiclum.exe	35
PID 2088 wrote to memory of 532	2088	saiclum.exe	35
PID 2088 wrote to memory of 532	2088	saiclum.exe	35
PID 2088 wrote to memory of 532	2088	saiclum.exe	35
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2624 wrote to memory of 344	2624	4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe	36
PID 2088 wrote to memory of 2600	2088	saiclum.exe	38
PID 2088 wrote to memory of 2600	2088	saiclum.exe	38
PID 2088 wrote to memory of 2600	2088	saiclum.exe	38
PID 2088 wrote to memory of 2600	2088	saiclum.exe	38
PID 2088 wrote to memory of 2600	2088	saiclum.exe	38
PID 2088 wrote to memory of 2276	2088	saiclum.exe	39
PID 2088 wrote to memory of 2276	2088	saiclum.exe	39
PID 2088 wrote to memory of 2276	2088	saiclum.exe	39
PID 2088 wrote to memory of 2276	2088	saiclum.exe	39
PID 2088 wrote to memory of 2276	2088	saiclum.exe	39

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4c651d5264683e2d654ade96736517aa_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcf6ba907.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Emfa\saiclum.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2884
- - C:\Users\Admin\AppData\Roaming\Emfa\saiclum.exe
    "C:\Users\Admin\AppData\Roaming\Emfa\saiclum.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp611d518b.bat"
    3⤵
    - Deletes itself
    PID:344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1612

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
475a8b8a04d202ae842a98ac3d1f1e2b

SHA1
839558f9add4e49f015b8a35c0d0f8556e3c9892

SHA256
b9d0a67b0ab0b5d57fa6e034fe890d8e3b6b2b1484ba62c5f96f07e0c489e863

SHA512
9190eb6c703c54f0e4af8d76f2cbdaeef5cbc9f4b5d93451e81f0056318b8129a9e36aacf0f6683940ec4a07f2989ccec741142607827d7def409556dd2d5861

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp611d518b.bat

Filesize
271B

MD5
55cc71860c585f5233360f73aa4eb55e

SHA1
513d0816ec087b88fe60917bf85c59ce30a2a026

SHA256
9e97e0f8ab9386234403053593ab88be4ae435786a480827c606e2ebc10cebf1

SHA512
ecf9987dbb90a6ad9b7bd90616ed4499fd035dfaf53f53e4ae34a151404f68f17606e9e32b40d6de7129542232c5ba109692f8256256db0d3dd0511da283bd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcf6ba907.bat

Filesize
201B

MD5
6f656c91579805ce8f733981b9b5e47e

SHA1
d40a1f5f4a2b9de210eea98a2960b83022f6a2f1

SHA256
d38dae653beb6ffcbf04749a9ae59990d446af7f1d0070c83ecc95f2f8de3ecf

SHA512
dc6081b4dc7822a8edb171d54c7a44bc4a2ec21e4c70485abe36ac25b5bb3e8a5f731cc67b123057ab71da13f3972461b27297ed36d3d0701f33ac7e40e278fb

Download Submit
C:\Users\Admin\AppData\Roaming\Gage\hukiut.poo

Filesize
380B

MD5
e3582e2cedd69055d3d27ab13144bf86

SHA1
81237e3b6e054c462a1a7a3b3065b292392c0049

SHA256
51d4c7ff12055072e677af9366c928e981599d8cbee5d5306f15912aacd28c30

SHA512
215993c390826073e4891b656f7fcc7cb4311d9a3e612cace5db76460be7c6fa2baff05da2a70084c50bf9a85a02e3bb64e2bbb405b37d45d72f7ed8c8fcf5d3

Download Submit
\Users\Admin\AppData\Roaming\Emfa\saiclum.exe

Filesize
160KB

MD5
823a4cc1b1d2e5b78a92b25327f0c563

SHA1
71f2b0beffb33eaa6406620af873b357dad5d165

SHA256
d00305b7943d39549bdf25fc274e40ed55a321948c4753a5eb731b260479e1df

SHA512
864cf853d964ee7bd7b0cee3028a65377ae62716873dd001e4bb024c91b5484d806cafc26975cd33eef06a5fdc46e49944593b816928f4e91c0385fde7b8e066

Download Submit
memory/1112-18-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1112-16-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1112-17-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1112-19-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1112-20-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1160-22-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1160-23-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1160-24-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1160-25-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/1196-27-0x0000000002E60000-0x0000000002E87000-memory.dmp

Filesize
156KB

Download
memory/1196-30-0x0000000002E60000-0x0000000002E87000-memory.dmp

Filesize
156KB

Download
memory/1196-29-0x0000000002E60000-0x0000000002E87000-memory.dmp

Filesize
156KB

Download
memory/1196-28-0x0000000002E60000-0x0000000002E87000-memory.dmp

Filesize
156KB

Download
memory/1612-33-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/1612-32-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/1612-34-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/1612-35-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2088-340-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2088-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2624-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-57-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-40-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2624-41-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2624-79-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-77-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-75-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-38-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2624-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-39-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2624-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-52-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2624-50-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-48-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-44-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-37-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2624-222-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2624-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2624-1-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2624-0-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download