d561c8f04a28962cb8cc916dfa36756e46e42ab51398ea6394538c0228f1569c

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 07:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe
Size

349KB
MD5

5b0d5577ddb7a04cddf45f001f914da6
SHA1

998a3809d1ed3ab979f539a2c82fa62c255a243f
SHA256

d561c8f04a28962cb8cc916dfa36756e46e42ab51398ea6394538c0228f1569c
SHA512

f3bda9b69e560bc85313ff54941d64bf54af2efce08cf3d117432bc668ba725610f6fd2fee50251915f63672b0b3242dd27e417c9e2a20c526ca5cfffa7ad017
SSDEEP

6144:m2nrFszwRUE++PJj1YdcU0wZy4pmAMWuNf:m0hx1tw9JMff

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
292	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	jeades.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C4A05C48-6809-AD4F-9B76-1BFCA18838E1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynojok\\jeades.exe"	jeades.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe
2128	jeades.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe
2128	jeades.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2128	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2128	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2128	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	31
PID 1596 wrote to memory of 2128	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	31
PID 2128 wrote to memory of 1120	2128	jeades.exe	19
PID 2128 wrote to memory of 1120	2128	jeades.exe	19
PID 2128 wrote to memory of 1120	2128	jeades.exe	19
PID 2128 wrote to memory of 1120	2128	jeades.exe	19
PID 2128 wrote to memory of 1120	2128	jeades.exe	19
PID 2128 wrote to memory of 1200	2128	jeades.exe	20
PID 2128 wrote to memory of 1200	2128	jeades.exe	20
PID 2128 wrote to memory of 1200	2128	jeades.exe	20
PID 2128 wrote to memory of 1200	2128	jeades.exe	20
PID 2128 wrote to memory of 1200	2128	jeades.exe	20
PID 2128 wrote to memory of 1252	2128	jeades.exe	21
PID 2128 wrote to memory of 1252	2128	jeades.exe	21
PID 2128 wrote to memory of 1252	2128	jeades.exe	21
PID 2128 wrote to memory of 1252	2128	jeades.exe	21
PID 2128 wrote to memory of 1252	2128	jeades.exe	21
PID 2128 wrote to memory of 888	2128	jeades.exe	25
PID 2128 wrote to memory of 888	2128	jeades.exe	25
PID 2128 wrote to memory of 888	2128	jeades.exe	25
PID 2128 wrote to memory of 888	2128	jeades.exe	25
PID 2128 wrote to memory of 888	2128	jeades.exe	25
PID 2128 wrote to memory of 1596	2128	jeades.exe	30
PID 2128 wrote to memory of 1596	2128	jeades.exe	30
PID 2128 wrote to memory of 1596	2128	jeades.exe	30
PID 2128 wrote to memory of 1596	2128	jeades.exe	30
PID 2128 wrote to memory of 1596	2128	jeades.exe	30
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32
PID 1596 wrote to memory of 292	1596	5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5b0d5577ddb7a04cddf45f001f914da6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Users\Admin\AppData\Roaming\Ynojok\jeades.exe
    "C:\Users\Admin\AppData\Roaming\Ynojok\jeades.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp46e224f0.bat"
    3⤵
    - Deletes itself
    PID:292

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46e224f0.bat

Filesize
271B

MD5
d4740c966fb41b97e6cd897e8c9554cd

SHA1
7e91136e71e5fa979a7bbfcb2d66a712aafc7d3d

SHA256
7f8ecaddfaf2bce49159f683b6f17f96c2c3e80c26bfcfb4f2f4ddeb01b0f4cc

SHA512
52cc7760b6804f175255ce47f0e1aa40f768b0a48912a0fbc7c5f938b6df5f08d3a95195cb4deeb445a79a52851220861379a876da9bc6b18ceb434afd1f1eff

Download Submit
\Users\Admin\AppData\Roaming\Ynojok\jeades.exe

Filesize
349KB

MD5
b15ba192e4ec889fc1eabed2bd3b8245

SHA1
9167bd4e5524a76b94f2b5e3db0f9a2d12c0bf3b

SHA256
d110a288b76386e67808484d90402f7e5ac4e895ccf9e89c236e7ecec61e5a7f

SHA512
6c7102de06ac3cdcd0ce42395a214cda36caf25d109b2702b04c3e8cd12c78e6260860626c07b2735411e38ac3714e894370af92e5e7f62b2f65d3ebb0f8b785

Download Submit
memory/888-33-0x0000000001D90000-0x0000000001DD3000-memory.dmp

Filesize
268KB

Download
memory/888-32-0x0000000001D90000-0x0000000001DD3000-memory.dmp

Filesize
268KB

Download
memory/888-34-0x0000000001D90000-0x0000000001DD3000-memory.dmp

Filesize
268KB

Download
memory/888-31-0x0000000001D90000-0x0000000001DD3000-memory.dmp

Filesize
268KB

Download
memory/1120-18-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/1120-17-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/1120-16-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/1120-19-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/1120-15-0x00000000020B0000-0x00000000020F3000-memory.dmp

Filesize
268KB

Download
memory/1200-22-0x0000000002110000-0x0000000002153000-memory.dmp

Filesize
268KB

Download
memory/1200-23-0x0000000002110000-0x0000000002153000-memory.dmp

Filesize
268KB

Download
memory/1200-24-0x0000000002110000-0x0000000002153000-memory.dmp

Filesize
268KB

Download
memory/1200-21-0x0000000002110000-0x0000000002153000-memory.dmp

Filesize
268KB

Download
memory/1252-26-0x00000000024E0000-0x0000000002523000-memory.dmp

Filesize
268KB

Download
memory/1252-27-0x00000000024E0000-0x0000000002523000-memory.dmp

Filesize
268KB

Download
memory/1252-28-0x00000000024E0000-0x0000000002523000-memory.dmp

Filesize
268KB

Download
memory/1252-29-0x00000000024E0000-0x0000000002523000-memory.dmp

Filesize
268KB

Download
memory/1596-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-47-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-45-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-43-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-40-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-39-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-38-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-37-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-36-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-55-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/1596-57-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-1-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/1596-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-77-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-56-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/1596-0-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1596-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-150-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/1596-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-127-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1596-152-0x00000000004F0000-0x0000000000533000-memory.dmp

Filesize
268KB

Download
memory/2128-11-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2128-12-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/2128-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download