ccffc48c6a40f652e8fc85adbc88bc868fea5b7fd0370f25490bf64c19751cc8

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe
Size

364KB
MD5

5f05977fa039dab76e94eae857888ef9
SHA1

e7be6f93d54efa29c51fa17ecb631bfe013d54b3
SHA256

ccffc48c6a40f652e8fc85adbc88bc868fea5b7fd0370f25490bf64c19751cc8
SHA512

4e2e1b82b67d087a86caa684a020ac59108de453d3cac6a185d674108ec3ad003156dafa35f80e3be9fe44bc2585610cc98dfbecfd3775cada21cebfc47a52a6
SSDEEP

6144:nbCdh+yzFFSIX0zE9NKFEWNFfK4CS0NwIx2+fFBFFrki9:nmd0WSIXxcXNkjNxZf1Frh

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1552	ehrui.exe

Loads dropped DLL 2 IoCs

pid	Process
1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe
1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C6C07C68-68EF-AD4F-3837-F372201AD06F} = "C:\\Users\\Admin\\AppData\\Roaming\\Anuhy\\ehrui.exe"	ehrui.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe
1552	ehrui.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe
1552	ehrui.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1552	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	30
PID 1472 wrote to memory of 1552	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	30
PID 1472 wrote to memory of 1552	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	30
PID 1472 wrote to memory of 1552	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	30
PID 1552 wrote to memory of 1028	1552	ehrui.exe	17
PID 1552 wrote to memory of 1028	1552	ehrui.exe	17
PID 1552 wrote to memory of 1028	1552	ehrui.exe	17
PID 1552 wrote to memory of 1028	1552	ehrui.exe	17
PID 1552 wrote to memory of 1028	1552	ehrui.exe	17
PID 1552 wrote to memory of 1092	1552	ehrui.exe	19
PID 1552 wrote to memory of 1092	1552	ehrui.exe	19
PID 1552 wrote to memory of 1092	1552	ehrui.exe	19
PID 1552 wrote to memory of 1092	1552	ehrui.exe	19
PID 1552 wrote to memory of 1092	1552	ehrui.exe	19
PID 1552 wrote to memory of 1164	1552	ehrui.exe	21
PID 1552 wrote to memory of 1164	1552	ehrui.exe	21
PID 1552 wrote to memory of 1164	1552	ehrui.exe	21
PID 1552 wrote to memory of 1164	1552	ehrui.exe	21
PID 1552 wrote to memory of 1164	1552	ehrui.exe	21
PID 1552 wrote to memory of 1228	1552	ehrui.exe	25
PID 1552 wrote to memory of 1228	1552	ehrui.exe	25
PID 1552 wrote to memory of 1228	1552	ehrui.exe	25
PID 1552 wrote to memory of 1228	1552	ehrui.exe	25
PID 1552 wrote to memory of 1228	1552	ehrui.exe	25
PID 1552 wrote to memory of 1472	1552	ehrui.exe	29
PID 1552 wrote to memory of 1472	1552	ehrui.exe	29
PID 1552 wrote to memory of 1472	1552	ehrui.exe	29
PID 1552 wrote to memory of 1472	1552	ehrui.exe	29
PID 1552 wrote to memory of 1472	1552	ehrui.exe	29
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31
PID 1472 wrote to memory of 1824	1472	5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1028

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5f05977fa039dab76e94eae857888ef9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Roaming\Anuhy\ehrui.exe
    "C:\Users\Admin\AppData\Roaming\Anuhy\ehrui.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa21f4f51.bat"
    3⤵
    - Deletes itself
    PID:1824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa21f4f51.bat

Filesize
271B

MD5
95ce620100152db7b2aed212b96fd624

SHA1
9742c922fded65d16c51a4dfcd7b53503d7d7264

SHA256
4bad5d42a19381a6bb79a578aa1c820325157d55eb12a98936244161d78e6e08

SHA512
39819afe2fa7c1a1b2310e4aa5804403671cd7bef5f369ecb8b86918a744b73cdd90175845fb751bb1f6b3b01616259864f401a44b72dad7495d329a45d70a4a

Download Submit
\Users\Admin\AppData\Roaming\Anuhy\ehrui.exe

Filesize
364KB

MD5
bf58f47ba62389673c012d963a3b6d9a

SHA1
725b53264e6b5e48cdb83aa34a09f5e949c69052

SHA256
28b6e11c58384c66753ec2d26578ecc608d7ade4e8d82a986513d3bdcc2be779

SHA512
a6f738a812536dc9f3d76109f210bbf74476ff3a2d62f86f94ffbc384e21324ed6b089c5f2a73981122c9198c9fbee81e188a033eacc6eab72bae7a2171dc058

Download Submit
memory/1028-18-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1028-26-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1028-24-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1028-20-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1028-22-0x0000000002190000-0x00000000021D4000-memory.dmp

Filesize
272KB

Download
memory/1092-32-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1092-31-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1092-29-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1092-30-0x0000000002000000-0x0000000002044000-memory.dmp

Filesize
272KB

Download
memory/1164-34-0x00000000024F0000-0x0000000002534000-memory.dmp

Filesize
272KB

Download
memory/1164-35-0x00000000024F0000-0x0000000002534000-memory.dmp

Filesize
272KB

Download
memory/1164-36-0x00000000024F0000-0x0000000002534000-memory.dmp

Filesize
272KB

Download
memory/1164-37-0x00000000024F0000-0x0000000002534000-memory.dmp

Filesize
272KB

Download
memory/1228-41-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1228-42-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1228-39-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1228-40-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1472-79-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-136-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-135-0x00000000777D0000-0x00000000777D1000-memory.dmp

Filesize
4KB

Download
memory/1472-55-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-53-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-51-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-50-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1472-48-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1472-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-46-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1472-45-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1472-44-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/1472-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-75-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-0-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1472-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1472-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1472-1-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1472-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1552-282-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1552-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download