bb354dd642ee7520fd3f17b676531ce959e48d38dbb37303d0db363b5545e578

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
Size

276KB
MD5

5d756b5f9c2253aee95a568e4e1c34f5
SHA1

938f359ed14012f27905f152ee4b837d62a44b6e
SHA256

bb354dd642ee7520fd3f17b676531ce959e48d38dbb37303d0db363b5545e578
SHA512

cce6d3ad80226ed1d36f06681b5d9f275c51851c00e1f4b57c4441a3fd91a30f941bcb9927961daf98f1cd11f6551c1d2c4db2704b46d1fa4f99198987e88399
SSDEEP

6144:RXKFVTW9rUSUa4klU2SC9IZTNkyBr0i51eQwJAvsuA6X:RXKFV+rUSCqUFCeNkyBt1e9AvE0

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1084	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	buqe.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Qior\\buqe.exe"	buqe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1944 set thread context of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe
2724	buqe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
Token: SeSecurityPrivilege	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
2724	buqe.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2724	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	29
PID 1944 wrote to memory of 2724	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	29
PID 2724 wrote to memory of 1232	2724	buqe.exe	18
PID 2724 wrote to memory of 1232	2724	buqe.exe	18
PID 2724 wrote to memory of 1232	2724	buqe.exe	18
PID 2724 wrote to memory of 1232	2724	buqe.exe	18
PID 2724 wrote to memory of 1232	2724	buqe.exe	18
PID 2724 wrote to memory of 1328	2724	buqe.exe	19
PID 2724 wrote to memory of 1328	2724	buqe.exe	19
PID 2724 wrote to memory of 1328	2724	buqe.exe	19
PID 2724 wrote to memory of 1328	2724	buqe.exe	19
PID 2724 wrote to memory of 1328	2724	buqe.exe	19
PID 2724 wrote to memory of 1384	2724	buqe.exe	20
PID 2724 wrote to memory of 1384	2724	buqe.exe	20
PID 2724 wrote to memory of 1384	2724	buqe.exe	20
PID 2724 wrote to memory of 1384	2724	buqe.exe	20
PID 2724 wrote to memory of 1384	2724	buqe.exe	20
PID 2724 wrote to memory of 1240	2724	buqe.exe	22
PID 2724 wrote to memory of 1240	2724	buqe.exe	22
PID 2724 wrote to memory of 1240	2724	buqe.exe	22
PID 2724 wrote to memory of 1240	2724	buqe.exe	22
PID 2724 wrote to memory of 1240	2724	buqe.exe	22
PID 2724 wrote to memory of 1944	2724	buqe.exe	28
PID 2724 wrote to memory of 1944	2724	buqe.exe	28
PID 2724 wrote to memory of 1944	2724	buqe.exe	28
PID 2724 wrote to memory of 1944	2724	buqe.exe	28
PID 2724 wrote to memory of 1944	2724	buqe.exe	28
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30
PID 1944 wrote to memory of 1084	1944	5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5d756b5f9c2253aee95a568e4e1c34f5_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Roaming\Qior\buqe.exe
    "C:\Users\Admin\AppData\Roaming\Qior\buqe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4c7d1b0e.bat"
    3⤵
    - Deletes itself
    PID:1084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4c7d1b0e.bat

Filesize
271B

MD5
f200039f77b28b314a5e8b7cbc41c55b

SHA1
b1efce5dafed6436f25f6beec6f92b27d86ec7ed

SHA256
501a9f85f258098b96f32b97cd676148adde106d57ed546897a8d2d62b893d0e

SHA512
570ec7e0707bb64e01b476c22514bb95a2c0dd0453c59b1d5bd456bcbdb8112fcd8b9c7b439b992089e5a4df57b40475772f0bfc1a2279efa536903ddbb5d6c9

Download Submit
C:\Users\Admin\AppData\Roaming\Dypab\okyjo.enn

Filesize
380B

MD5
32758cc2668bb285114d34162ad7cca0

SHA1
0d664b489b103ffff2d09678e0116aad7c303b81

SHA256
a00a1d0592009c80e8038b36ea97a80fdd0e11aa9c2b0a7ecf7f4a9ddb58dd1d

SHA512
b3023bd9ec66ec52df2ca6174f8b5ff8191b5a0162c5e511b0d6a5f278510d56c8ce0b2f5b08533cf9baf385d63ae56b1b8b33855f656471ee24e5b99ac3a0a3

Download Submit
C:\Users\Admin\AppData\Roaming\Qior\buqe.exe

Filesize
276KB

MD5
0cd35124b5e6ded93c1e2f9effcf3069

SHA1
2dbb0a8cfe83e6b713a1bb5c74966fd01b8a52f5

SHA256
eddebdd1afa93a206bff18da673736ffb099206aae4e929c5d394bdc890861fd

SHA512
b566272bdb89510d9fbeefa8cb1d4729491c4a347c978978488bf3c28ab6525e053e58adc4ba490d7dd1229640c927b042bfcc8ab852c90d3a9d6bb2795d967d

Download Submit
memory/1232-22-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1232-20-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1232-18-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1232-19-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1232-21-0x00000000003A0000-0x00000000003E1000-memory.dmp

Filesize
260KB

Download
memory/1240-35-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1240-41-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1240-39-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1240-37-0x0000000001CA0000-0x0000000001CE1000-memory.dmp

Filesize
260KB

Download
memory/1328-27-0x00000000019C0000-0x0000000001A01000-memory.dmp

Filesize
260KB

Download
memory/1328-24-0x00000000019C0000-0x0000000001A01000-memory.dmp

Filesize
260KB

Download
memory/1328-25-0x00000000019C0000-0x0000000001A01000-memory.dmp

Filesize
260KB

Download
memory/1328-26-0x00000000019C0000-0x0000000001A01000-memory.dmp

Filesize
260KB

Download
memory/1384-31-0x0000000002620000-0x0000000002661000-memory.dmp

Filesize
260KB

Download
memory/1384-32-0x0000000002620000-0x0000000002661000-memory.dmp

Filesize
260KB

Download
memory/1384-30-0x0000000002620000-0x0000000002661000-memory.dmp

Filesize
260KB

Download
memory/1384-29-0x0000000002620000-0x0000000002661000-memory.dmp

Filesize
260KB

Download
memory/1944-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-75-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-53-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-52-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/1944-50-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/1944-48-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/1944-46-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/1944-44-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/1944-59-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-65-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000001C30000-0x0000000001C77000-memory.dmp

Filesize
284KB

Download
memory/1944-57-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-134-0x0000000077A90000-0x0000000077A91000-memory.dmp

Filesize
4KB

Download
memory/1944-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-0-0x0000000001BE0000-0x0000000001C21000-memory.dmp

Filesize
260KB

Download
memory/1944-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-135-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1944-159-0x0000000001C30000-0x0000000001C77000-memory.dmp

Filesize
284KB

Download
memory/2724-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2724-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2724-279-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2724-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download