dd15a9894f2f011598037b9aaa06eb7b81202cdfbbfdf2b540b72c4b28f62aaf

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 22:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
Size

151KB
MD5

603c3e1089ea47395d35c08968b41122
SHA1

379c8a8a8e4c696bb21a1686b8bb002adadf7746
SHA256

dd15a9894f2f011598037b9aaa06eb7b81202cdfbbfdf2b540b72c4b28f62aaf
SHA512

e271087c6f051440d09dbb4d5c1424cf9d9a53c1041e9384608e6b113f980879bcdc3dc7c1f7d59bc74a0e02fca5b2543a58252edb3b0769f9cae75a4707a93a
SSDEEP

3072:WCfmZMrUgUvuhynzSzMzarTw1AzLBVvV8l0z+RjcPe0QFH:zfmZMT4yM0wa/tn6cPe0Q

Score

8^/10

evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2688	netsh.exe

Deletes itself 1 IoCs

pid	Process
336	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	baabaq.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4B35F778-C8DE-80A7-6D65-954E9131EA1B} = "C:\\Users\\Admin\\AppData\\Roaming\\Uxi\\baabaq.exe"	baabaq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\11A11AB0-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe
2832	baabaq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
Token: SeSecurityPrivilege	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
Token: SeSecurityPrivilege	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
Token: SeManageVolumePrivilege	752	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
752	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
752	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	WinMail.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2776	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2776	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2776	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2776	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	31
PID 2272 wrote to memory of 2832	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2832	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2832	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	33
PID 2272 wrote to memory of 2832	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	33
PID 2776 wrote to memory of 2688	2776	cmd.exe	34
PID 2776 wrote to memory of 2688	2776	cmd.exe	34
PID 2776 wrote to memory of 2688	2776	cmd.exe	34
PID 2776 wrote to memory of 2688	2776	cmd.exe	34
PID 2832 wrote to memory of 1080	2832	baabaq.exe	18
PID 2832 wrote to memory of 1080	2832	baabaq.exe	18
PID 2832 wrote to memory of 1080	2832	baabaq.exe	18
PID 2832 wrote to memory of 1080	2832	baabaq.exe	18
PID 2832 wrote to memory of 1080	2832	baabaq.exe	18
PID 2832 wrote to memory of 1092	2832	baabaq.exe	19
PID 2832 wrote to memory of 1092	2832	baabaq.exe	19
PID 2832 wrote to memory of 1092	2832	baabaq.exe	19
PID 2832 wrote to memory of 1092	2832	baabaq.exe	19
PID 2832 wrote to memory of 1092	2832	baabaq.exe	19
PID 2832 wrote to memory of 1148	2832	baabaq.exe	20
PID 2832 wrote to memory of 1148	2832	baabaq.exe	20
PID 2832 wrote to memory of 1148	2832	baabaq.exe	20
PID 2832 wrote to memory of 1148	2832	baabaq.exe	20
PID 2832 wrote to memory of 1148	2832	baabaq.exe	20
PID 2832 wrote to memory of 1960	2832	baabaq.exe	23
PID 2832 wrote to memory of 1960	2832	baabaq.exe	23
PID 2832 wrote to memory of 1960	2832	baabaq.exe	23
PID 2832 wrote to memory of 1960	2832	baabaq.exe	23
PID 2832 wrote to memory of 1960	2832	baabaq.exe	23
PID 2832 wrote to memory of 2272	2832	baabaq.exe	30
PID 2832 wrote to memory of 2272	2832	baabaq.exe	30
PID 2832 wrote to memory of 2272	2832	baabaq.exe	30
PID 2832 wrote to memory of 2272	2832	baabaq.exe	30
PID 2832 wrote to memory of 2272	2832	baabaq.exe	30
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2272 wrote to memory of 336	2272	603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe	36
PID 2832 wrote to memory of 2620	2832	baabaq.exe	38
PID 2832 wrote to memory of 2620	2832	baabaq.exe	38
PID 2832 wrote to memory of 2620	2832	baabaq.exe	38
PID 2832 wrote to memory of 2620	2832	baabaq.exe	38
PID 2832 wrote to memory of 2620	2832	baabaq.exe	38
PID 2832 wrote to memory of 2180	2832	baabaq.exe	39
PID 2832 wrote to memory of 2180	2832	baabaq.exe	39
PID 2832 wrote to memory of 2180	2832	baabaq.exe	39
PID 2832 wrote to memory of 2180	2832	baabaq.exe	39
PID 2832 wrote to memory of 2180	2832	baabaq.exe	39

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1080

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\603c3e1089ea47395d35c08968b41122_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp11dc82d6.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Uxi\baabaq.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2688
- - C:\Users\Admin\AppData\Roaming\Uxi\baabaq.exe
    "C:\Users\Admin\AppData\Roaming\Uxi\baabaq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe101ef26.bat"
    3⤵
    - Deletes itself
    PID:336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1960

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
90ae0b4b5f01791be2a379c37c66c490

SHA1
ed2cf1054a90eb14948882dfaad0391e8dcaa67d

SHA256
59cac2649a37e789d9c98da633abaf5d8dfea7c8d23a04915a282028c4d215b2

SHA512
ef270e60a84a628369a793e75b45cc07e92bbb920b3574e1e07c3bcf0ddc7a23d082a25f63f3b769567c18e1a05a0b9063d5610e4df2a651e975be6a8e5aaf3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11dc82d6.bat

Filesize
199B

MD5
f8a42d8db5930b13ab31a2af8a28eeba

SHA1
cb97687de2ddb5a23b963ca868f3a764883a138b

SHA256
a4b13cde5810cd1bd2af2304c9724299350736a95d1c3b8035ff1499e0897e83

SHA512
ccb11a0292fdcb6eb2e9e138ab17d6239600ba85db4442421e252a2df53a2ffa771de037f4d78c13aa3c6069bd611535e089b005807567e51a6e0cbc588f12b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpe101ef26.bat

Filesize
271B

MD5
5f758cecf155ef2e916729ff55235c7f

SHA1
70bff0548f2656d3e1bc409a124cd0e41d6ab078

SHA256
0f8daf3fbd7e007b83f0237f9310ca860925e2a02892b53cc0f1d95181a83709

SHA512
3612796e398f0b467e31d908d41105f4185681920847d8f617ebc4a3fa7bd804a00b2c47666ae8b8be911b63d45ad9e4e8d4e51e6c6835cd91649a11b72a24d3

Download Submit
C:\Users\Admin\AppData\Roaming\Umles\muydfov.opa

Filesize
380B

MD5
ea0f4339d7536a6af4376500b151f241

SHA1
6329a741bbc6e3dc6514217d09145a9f1f89eacf

SHA256
6316986453b90a40c15e11f3ca781d3537cb25d1e6927fa353c0373507110b53

SHA512
ea323d07b87f1a9d20a3053406af90f4bc16603f6f364fffe6f353c8dde79f7f6a755766db07544cf6e1a8a18eb41974e064f1950e43ce2c61f428398feb1997

Download Submit
\Users\Admin\AppData\Roaming\Uxi\baabaq.exe

Filesize
151KB

MD5
b57c29f13615fbc69e183494adf3317f

SHA1
1a316aabbf514222ba2e713b2e2b46612112bf4e

SHA256
f2cea881e8b4b6d1afa719af25f18ec3b35c8f4f7da87f6c2f4ce4791145b366

SHA512
c0af5c7593aa04ddd99a04c37a72e4c83e7d9932a41b9e66eeec004320394bf1057fe5b27ff9681c6f1b63665b3b0af5462cdeb2c8f170875dfe93bb93dc2fb5

Download Submit
memory/1080-18-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1080-26-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1080-22-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1080-20-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1080-24-0x00000000002C0000-0x00000000002E7000-memory.dmp

Filesize
156KB

Download
memory/1092-32-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1092-33-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1092-30-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1092-31-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1148-39-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1148-37-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1148-36-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1148-38-0x00000000025C0000-0x00000000025E7000-memory.dmp

Filesize
156KB

Download
memory/1960-44-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1960-41-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1960-42-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/1960-43-0x0000000001BD0000-0x0000000001BF7000-memory.dmp

Filesize
156KB

Download
memory/2272-80-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-68-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-59-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-57-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-55-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-53-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-51-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-50-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2272-49-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2272-48-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2272-47-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2272-46-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/2272-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-66-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2272-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-72-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2272-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-0-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2272-82-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2272-219-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2272-220-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2272-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2272-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2832-15-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2832-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2832-34-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2832-338-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download