8868f1b1a5cc474a6734f4520802c8d34177512d4dacf0e2614b231645462279

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
Size

373KB
MD5

604166d72037ddf5e7491b8a6a637dac
SHA1

073d9e6082f6e3d1865cd405b23a9504de650c28
SHA256

8868f1b1a5cc474a6734f4520802c8d34177512d4dacf0e2614b231645462279
SHA512

188b4b76f823363cb1e3be102d3db8f628eeb652037698ccdcb015fbcb5a185779dacee186d20b34a5d4c0339462a736656b516aed19f448a179edb45e7c6115
SSDEEP

6144:bA3OtmS9IMy7Wda6VP4DnuMeup+XmDo/LH7rySxTsDVJ5aAb90iq1qOHKQBvdXl7:bAEmYIr7Yp/Meu3o/r7rxTsxJZ0DzqQx

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	xily.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-13-0x0000000000400000-0x0000000000537000-memory.dmp	upx
behavioral1/files/0x0009000000015d6f-16.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ituxk\\xily.exe"	xily.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe
2336	xily.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
Token: SeSecurityPrivilege	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
Token: SeSecurityPrivilege	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2336	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2336	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2336	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	30
PID 2376 wrote to memory of 2336	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	30
PID 2336 wrote to memory of 1068	2336	xily.exe	18
PID 2336 wrote to memory of 1068	2336	xily.exe	18
PID 2336 wrote to memory of 1068	2336	xily.exe	18
PID 2336 wrote to memory of 1068	2336	xily.exe	18
PID 2336 wrote to memory of 1068	2336	xily.exe	18
PID 2336 wrote to memory of 1144	2336	xily.exe	20
PID 2336 wrote to memory of 1144	2336	xily.exe	20
PID 2336 wrote to memory of 1144	2336	xily.exe	20
PID 2336 wrote to memory of 1144	2336	xily.exe	20
PID 2336 wrote to memory of 1144	2336	xily.exe	20
PID 2336 wrote to memory of 1188	2336	xily.exe	21
PID 2336 wrote to memory of 1188	2336	xily.exe	21
PID 2336 wrote to memory of 1188	2336	xily.exe	21
PID 2336 wrote to memory of 1188	2336	xily.exe	21
PID 2336 wrote to memory of 1188	2336	xily.exe	21
PID 2336 wrote to memory of 316	2336	xily.exe	25
PID 2336 wrote to memory of 316	2336	xily.exe	25
PID 2336 wrote to memory of 316	2336	xily.exe	25
PID 2336 wrote to memory of 316	2336	xily.exe	25
PID 2336 wrote to memory of 316	2336	xily.exe	25
PID 2336 wrote to memory of 2376	2336	xily.exe	29
PID 2336 wrote to memory of 2376	2336	xily.exe	29
PID 2336 wrote to memory of 2376	2336	xily.exe	29
PID 2336 wrote to memory of 2376	2336	xily.exe	29
PID 2336 wrote to memory of 2376	2336	xily.exe	29
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\604166d72037ddf5e7491b8a6a637dac_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\Ituxk\xily.exe
    "C:\Users\Admin\AppData\Roaming\Ituxk\xily.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb46648cf.bat"
    3⤵
    - Deletes itself
    PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb46648cf.bat

Filesize
271B

MD5
95cf6951efdc7064884e4f1160f4c5cf

SHA1
50227b42dc8c5f0bb6b7c1977cf66867a1890f37

SHA256
1a008c3f3f6f0fea5bde2382abc16bc460effec5c56990ce6bdff5e8bacbf604

SHA512
b4687d3e95e411eacd19026bfd7ab117608c38c06133b246702124a8bec48f16a43b9b65a03dc5fbf047df97ef4bf43c245d83c7a891dd5daea1185f61d27173

Download Submit
C:\Users\Admin\AppData\Roaming\Ituxk\xily.exe

Filesize
373KB

MD5
cafb9d74c2f738cb2533011d8a6650e5

SHA1
a764acfbc9bf1ffd5c6026ce1f42e6614cb0aed4

SHA256
49f0a68238149476420b6ec53b9e707a9fb786bd53c76faefceb17a192b56543

SHA512
8c9004f52ff0002cf4bcb4e4fa79c9fe8d660d1fc5695976571b662a721392f99d58488f73f66d416c4b9bf5684603130c2c8463b13b1bf38b24f203830f8da3

Download Submit
C:\Users\Admin\AppData\Roaming\Usgoh\yvcay.uny

Filesize
380B

MD5
011c34235ff83f9a65319d11ddd314c8

SHA1
a6e1a279c274fe9b2d12c91c08d893e682643917

SHA256
39ccac11ac2a13877aa289328e4ed429f96c9ee8404773211b2b2a0c2463a453

SHA512
24328ed9c8c4baf2c98fff41a1d5debe44d76fae4dd878a07e6e05b9f37635d2859ba02191149421777087cf99787e0a01d0a959b8f7190fa05da44b41d56e87

Download Submit
memory/316-44-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/316-43-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/316-42-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/316-45-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1068-21-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/1068-17-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/1068-19-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/1068-23-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/1068-25-0x00000000021F0000-0x0000000002231000-memory.dmp

Filesize
260KB

Download
memory/1144-30-0x0000000001F70000-0x0000000001FB1000-memory.dmp

Filesize
260KB

Download
memory/1144-34-0x0000000001F70000-0x0000000001FB1000-memory.dmp

Filesize
260KB

Download
memory/1144-32-0x0000000001F70000-0x0000000001FB1000-memory.dmp

Filesize
260KB

Download
memory/1144-28-0x0000000001F70000-0x0000000001FB1000-memory.dmp

Filesize
260KB

Download
memory/1188-39-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/1188-40-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/1188-38-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/1188-37-0x0000000002530000-0x0000000002571000-memory.dmp

Filesize
260KB

Download
memory/2336-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2336-14-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2336-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2336-274-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2376-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-50-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/2376-49-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/2376-48-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/2376-47-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/2376-54-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-56-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-62-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-64-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-66-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-52-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-70-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-72-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-74-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2376-80-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2376-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2376-12-0x0000000002350000-0x0000000002487000-memory.dmp

Filesize
1.2MB

Download
memory/2376-155-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2376-154-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2376-1-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2376-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download