aff31cff567948ba4ae2144bbcc562a4d3ab115f7e8b00482414b81ebf40a543

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/07/2024, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
Size

262KB
MD5

518c295dd4bc20e300c2bf5fe3bd540a
SHA1

845c6ddc19e0dad406a3cd96cb416080d196989d
SHA256

aff31cff567948ba4ae2144bbcc562a4d3ab115f7e8b00482414b81ebf40a543
SHA512

02ca9a41141c31a205c2f3ea4782d3135910aaa7434dd87a3d8b4866b889873aa00fe5449fea782641a74fd5edc9433303b9e4c7b8f49b0f4997ede7a41f9217
SSDEEP

6144:758Gp+df0afmVTRMdwdpn94sLrNXel9ibb98+MAAD:F8YkfXf4TRME94svNuzibb9Z+

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1228	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	ukle.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Putoa\\ukle.exe"	ukle.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe
3056	ukle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
3056	ukle.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 3056	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 3056	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 3056	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	30
PID 1292 wrote to memory of 3056	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	30
PID 3056 wrote to memory of 1088	3056	ukle.exe	19
PID 3056 wrote to memory of 1088	3056	ukle.exe	19
PID 3056 wrote to memory of 1088	3056	ukle.exe	19
PID 3056 wrote to memory of 1088	3056	ukle.exe	19
PID 3056 wrote to memory of 1088	3056	ukle.exe	19
PID 3056 wrote to memory of 1144	3056	ukle.exe	20
PID 3056 wrote to memory of 1144	3056	ukle.exe	20
PID 3056 wrote to memory of 1144	3056	ukle.exe	20
PID 3056 wrote to memory of 1144	3056	ukle.exe	20
PID 3056 wrote to memory of 1144	3056	ukle.exe	20
PID 3056 wrote to memory of 1184	3056	ukle.exe	21
PID 3056 wrote to memory of 1184	3056	ukle.exe	21
PID 3056 wrote to memory of 1184	3056	ukle.exe	21
PID 3056 wrote to memory of 1184	3056	ukle.exe	21
PID 3056 wrote to memory of 1184	3056	ukle.exe	21
PID 3056 wrote to memory of 1544	3056	ukle.exe	25
PID 3056 wrote to memory of 1544	3056	ukle.exe	25
PID 3056 wrote to memory of 1544	3056	ukle.exe	25
PID 3056 wrote to memory of 1544	3056	ukle.exe	25
PID 3056 wrote to memory of 1544	3056	ukle.exe	25
PID 3056 wrote to memory of 1292	3056	ukle.exe	29
PID 3056 wrote to memory of 1292	3056	ukle.exe	29
PID 3056 wrote to memory of 1292	3056	ukle.exe	29
PID 3056 wrote to memory of 1292	3056	ukle.exe	29
PID 3056 wrote to memory of 1292	3056	ukle.exe	29
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31
PID 1292 wrote to memory of 1228	1292	518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\518c295dd4bc20e300c2bf5fe3bd540a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Roaming\Putoa\ukle.exe
    "C:\Users\Admin\AppData\Roaming\Putoa\ukle.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2db85440.bat"
    3⤵
    - Deletes itself
    PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2db85440.bat

Filesize
271B

MD5
a6a3a818db3e929bc53c0d20d03ed5cb

SHA1
14c13a7761a475e2a6bab55a7dff3e55d127f319

SHA256
df451b4390b3c8735fd20d2faa25bae4e99858f9f6c0402418baea90140c0a16

SHA512
e2c31adf288b4d138635f186d49edec23163f6ef8649f2fab88f478b625322ce30d29347c9c606b25f41c0ccebbe69a6035d64df9aa51cb87d19b8b9f3ac2634

Download Submit
C:\Users\Admin\AppData\Roaming\Ilez\yhhuu.kus

Filesize
380B

MD5
523a499b2e94966e1330bc1b7d6124f2

SHA1
6e0ace326722e7ae5989dc42f6579a71cdca50be

SHA256
a8a782a7d73f1f5eb89620a5d6949f8e11432fdf01e565cee29b8bf0698cfab0

SHA512
6f672f4698cbef77b09a4cb7497120733cd0c688385afca8f46708230a6070183159c8c6e4a0de3a5aa14f7015e896300387705d0d3b153134b2c06115501269

Download Submit
\Users\Admin\AppData\Roaming\Putoa\ukle.exe

Filesize
262KB

MD5
c09acefaf6ba0834d880a66dc578df5b

SHA1
a5d0e5e4a0dc4e0e65254b4c5d2cb3ff6fd6be2f

SHA256
694c0abaae40f8fe1d423de58a29c17c0d7ce8e75b9b2f92857c2739d7733910

SHA512
b7c80f18c2fd123b0faa0025e8828e6fb6258eb517b025e45662a7764394ef8cf6bdb716be5766698ef0c90f8c2aaed9527c226d8a15976ea2a8ea8ed83758ca

Download Submit
memory/1088-18-0x0000000001B40000-0x0000000001B81000-memory.dmp

Filesize
260KB

Download
memory/1088-20-0x0000000001B40000-0x0000000001B81000-memory.dmp

Filesize
260KB

Download
memory/1088-19-0x0000000001B40000-0x0000000001B81000-memory.dmp

Filesize
260KB

Download
memory/1088-16-0x0000000001B40000-0x0000000001B81000-memory.dmp

Filesize
260KB

Download
memory/1088-17-0x0000000001B40000-0x0000000001B81000-memory.dmp

Filesize
260KB

Download
memory/1144-25-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1144-22-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1144-23-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1144-24-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1184-30-0x0000000002A20000-0x0000000002A61000-memory.dmp

Filesize
260KB

Download
memory/1184-27-0x0000000002A20000-0x0000000002A61000-memory.dmp

Filesize
260KB

Download
memory/1184-28-0x0000000002A20000-0x0000000002A61000-memory.dmp

Filesize
260KB

Download
memory/1184-29-0x0000000002A20000-0x0000000002A61000-memory.dmp

Filesize
260KB

Download
memory/1292-74-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-39-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-66-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-64-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-128-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-60-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-59-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/1292-58-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-54-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-52-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-50-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-48-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-46-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-44-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-42-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-40-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-37-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-0-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1292-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-68-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-152-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/1292-70-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-72-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-1-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/1292-76-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-78-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-56-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1292-41-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-38-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-154-0x00000000005A0000-0x00000000005E1000-memory.dmp

Filesize
260KB

Download
memory/1292-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1544-33-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1544-32-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1544-34-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/1544-35-0x0000000001C30000-0x0000000001C71000-memory.dmp

Filesize
260KB

Download
memory/3056-12-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/3056-13-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/3056-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download