911c7a817d6c2de2c3b2278072f562ec1c1715ac2dcbd312c1c24a403216ecc3

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
Size

185KB
MD5

5cf7f7bb450fbec398003315d1ccc4d9
SHA1

01ffa2329659cda37f61112735988b42c5b7d046
SHA256

911c7a817d6c2de2c3b2278072f562ec1c1715ac2dcbd312c1c24a403216ecc3
SHA512

57323fcb7bdb1f3111e0f6a7c3e1114efbc57b571a25fae4403aae9ecfa0702135cee6da39d5a151e9c91da5665b23f31922bee4a04e2e8d5bbaf1a7e17ce8b9
SSDEEP

3072:2Mu362iLTXIz5lWr2tIhHRBvUTfA8lbaQjKaHEUGhsNkfsXy6wcC+APvH:2M+62iPQ5lWr2KubAQbVKBUWsNTi6w3j

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1276	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	bupiy.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016aa4-8.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C4A05C48-6809-AD4F-9B76-1BFCA18838E1} = "C:\\Users\\Admin\\AppData\\Roaming\\Eres\\bupiy.exe"	bupiy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe
2796	bupiy.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
Token: SeSecurityPrivilege	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
Token: SeSecurityPrivilege	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2796	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2796	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2796	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2796	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	30
PID 2796 wrote to memory of 1120	2796	bupiy.exe	19
PID 2796 wrote to memory of 1120	2796	bupiy.exe	19
PID 2796 wrote to memory of 1120	2796	bupiy.exe	19
PID 2796 wrote to memory of 1120	2796	bupiy.exe	19
PID 2796 wrote to memory of 1120	2796	bupiy.exe	19
PID 2796 wrote to memory of 1172	2796	bupiy.exe	20
PID 2796 wrote to memory of 1172	2796	bupiy.exe	20
PID 2796 wrote to memory of 1172	2796	bupiy.exe	20
PID 2796 wrote to memory of 1172	2796	bupiy.exe	20
PID 2796 wrote to memory of 1172	2796	bupiy.exe	20
PID 2796 wrote to memory of 1208	2796	bupiy.exe	21
PID 2796 wrote to memory of 1208	2796	bupiy.exe	21
PID 2796 wrote to memory of 1208	2796	bupiy.exe	21
PID 2796 wrote to memory of 1208	2796	bupiy.exe	21
PID 2796 wrote to memory of 1208	2796	bupiy.exe	21
PID 2796 wrote to memory of 400	2796	bupiy.exe	23
PID 2796 wrote to memory of 400	2796	bupiy.exe	23
PID 2796 wrote to memory of 400	2796	bupiy.exe	23
PID 2796 wrote to memory of 400	2796	bupiy.exe	23
PID 2796 wrote to memory of 400	2796	bupiy.exe	23
PID 2796 wrote to memory of 2748	2796	bupiy.exe	29
PID 2796 wrote to memory of 2748	2796	bupiy.exe	29
PID 2796 wrote to memory of 2748	2796	bupiy.exe	29
PID 2796 wrote to memory of 2748	2796	bupiy.exe	29
PID 2796 wrote to memory of 2748	2796	bupiy.exe	29
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31
PID 2748 wrote to memory of 1276	2748	5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5cf7f7bb450fbec398003315d1ccc4d9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Eres\bupiy.exe
    "C:\Users\Admin\AppData\Roaming\Eres\bupiy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa17695d4.bat"
    3⤵
    - Deletes itself
    PID:1276

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa17695d4.bat

Filesize
271B

MD5
6fb88ab8ab96441caf58d1f5953a1616

SHA1
87e4b3b2b92cfb851cf4e32e36830d7c06e188b9

SHA256
b1d5d91942d635e6fbd7f6c8fae047df21bed17173fa6de33e569c50eb92d509

SHA512
101baae8f876788c49f2ba70a4c90b75077783f103ca2285b0f5f5ec1daf12a1f4289940bb5e064982a8890a4be43c441f68e2ccfc00b9bc49bafa4b96f5b454

Download Submit
C:\Users\Admin\AppData\Roaming\Energy\ahyb.ybp

Filesize
380B

MD5
37b85285d344da77a9f9637193c6e53f

SHA1
6d296f9833392f3e930ee8a65d0c2c0817127e3a

SHA256
2e7d8efb938cb3a85671cc73199e6f3e7968671c49c03c45f572dd9a0e1caf17

SHA512
e015142c03b75c968591cb232479cefa55bca4947fe686ee5d5ddee0e7c284b00df88a876867225926f267fc23662ba22155beaef99c66a2b883a5ecb62936f6

Download Submit
C:\Users\Admin\AppData\Roaming\Eres\bupiy.exe

Filesize
185KB

MD5
add465e6b9ec258647a143219e6b3eb9

SHA1
72289834d7aa12bc56a348fcb766ca00b043dae0

SHA256
acb2c931db0111cc16ee7e21029b2bc09ee87edbb0468ae86ec602ea47d67115

SHA512
3d0043c10d7e2b7cb018d7f36fb4112cb21af36deaa5bf6dccbfa31768bbbe94767d164797a61779f7259f6c27da07ca890f96ba4d3a0615ddc4d3891ba9dea3

Download Submit
memory/400-48-0x0000000001E70000-0x0000000001EA5000-memory.dmp

Filesize
212KB

Download
memory/400-42-0x0000000001E70000-0x0000000001EA5000-memory.dmp

Filesize
212KB

Download
memory/400-44-0x0000000001E70000-0x0000000001EA5000-memory.dmp

Filesize
212KB

Download
memory/400-47-0x0000000001E70000-0x0000000001EA5000-memory.dmp

Filesize
212KB

Download
memory/1120-10-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1120-12-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1120-14-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1120-16-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1120-18-0x0000000002260000-0x0000000002295000-memory.dmp

Filesize
212KB

Download
memory/1172-24-0x0000000002070000-0x00000000020A5000-memory.dmp

Filesize
212KB

Download
memory/1172-22-0x0000000002070000-0x00000000020A5000-memory.dmp

Filesize
212KB

Download
memory/1172-26-0x0000000002070000-0x00000000020A5000-memory.dmp

Filesize
212KB

Download
memory/1172-28-0x0000000002070000-0x00000000020A5000-memory.dmp

Filesize
212KB

Download
memory/1208-38-0x0000000002DC0000-0x0000000002DF5000-memory.dmp

Filesize
212KB

Download
memory/1208-32-0x0000000002DC0000-0x0000000002DF5000-memory.dmp

Filesize
212KB

Download
memory/1208-34-0x0000000002DC0000-0x0000000002DF5000-memory.dmp

Filesize
212KB

Download
memory/1208-36-0x0000000002DC0000-0x0000000002DF5000-memory.dmp

Filesize
212KB

Download
memory/2748-64-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/2748-58-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2748-61-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/2748-63-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/2748-62-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2748-52-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2748-56-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2748-67-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-69-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-65-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-73-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-75-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-77-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-71-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2748-60-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2748-308-0x0000000000400000-0x0000000002799000-memory.dmp

Filesize
35.6MB

Download
memory/2748-54-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download