01d2fb91e7b11597191ceb27e5e0f8396f6bba5cf445e8e978b33a80ea0b97fa

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
Size

278KB
MD5

61c12ebfe88965721b5332dddd14f403
SHA1

033d9b1fd3a48b47427880ca8ee7331a2e067bed
SHA256

01d2fb91e7b11597191ceb27e5e0f8396f6bba5cf445e8e978b33a80ea0b97fa
SHA512

a67595c9ea0d60d231bfe1764354ed8e53fbd61f1a2438aec5201d4e79760019d8e9c71ad24a10a32a78e5cbb772b139a1982f4d21b844e2d2c579202b39130c
SSDEEP

6144:WYk7RDxF3BEuTP0PvdA8r1eFABpxEJPlLsiJEwpCikSm4krOnb:WYeN0uT8Hq6eFABvuPl5fRksb

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1692	paru.exe

Loads dropped DLL 2 IoCs

pid	Process
620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Qeseic\\paru.exe"	paru.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe
1692	paru.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
Token: SeSecurityPrivilege	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
Token: SeSecurityPrivilege	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
1692	paru.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1692	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	30
PID 620 wrote to memory of 1692	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	30
PID 620 wrote to memory of 1692	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	30
PID 620 wrote to memory of 1692	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	30
PID 1692 wrote to memory of 1108	1692	paru.exe	19
PID 1692 wrote to memory of 1108	1692	paru.exe	19
PID 1692 wrote to memory of 1108	1692	paru.exe	19
PID 1692 wrote to memory of 1108	1692	paru.exe	19
PID 1692 wrote to memory of 1108	1692	paru.exe	19
PID 1692 wrote to memory of 1168	1692	paru.exe	20
PID 1692 wrote to memory of 1168	1692	paru.exe	20
PID 1692 wrote to memory of 1168	1692	paru.exe	20
PID 1692 wrote to memory of 1168	1692	paru.exe	20
PID 1692 wrote to memory of 1168	1692	paru.exe	20
PID 1692 wrote to memory of 1204	1692	paru.exe	21
PID 1692 wrote to memory of 1204	1692	paru.exe	21
PID 1692 wrote to memory of 1204	1692	paru.exe	21
PID 1692 wrote to memory of 1204	1692	paru.exe	21
PID 1692 wrote to memory of 1204	1692	paru.exe	21
PID 1692 wrote to memory of 376	1692	paru.exe	25
PID 1692 wrote to memory of 376	1692	paru.exe	25
PID 1692 wrote to memory of 376	1692	paru.exe	25
PID 1692 wrote to memory of 376	1692	paru.exe	25
PID 1692 wrote to memory of 376	1692	paru.exe	25
PID 1692 wrote to memory of 620	1692	paru.exe	29
PID 1692 wrote to memory of 620	1692	paru.exe	29
PID 1692 wrote to memory of 620	1692	paru.exe	29
PID 1692 wrote to memory of 620	1692	paru.exe	29
PID 1692 wrote to memory of 620	1692	paru.exe	29
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31
PID 620 wrote to memory of 2660	620	61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\61c12ebfe88965721b5332dddd14f403_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Roaming\Qeseic\paru.exe
    "C:\Users\Admin\AppData\Roaming\Qeseic\paru.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c804302.bat"
    3⤵
    - Deletes itself
    PID:2660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1c804302.bat

Filesize
271B

MD5
f1ce9b41eaa2f212a397ce37fee107ad

SHA1
3102bda8a78cafbdc450f33439a94bdabd8071e5

SHA256
0ae69924241e3f56cd6254468a8f5ad3a7afc6dc1296a7ca7d5bab99521d5c88

SHA512
5aaa28270ec94127e1af234151ad55f06240c51daa29baa2879cf6d6abf903586dde1d92fce12dd39c57829dba0fbb5eaa6a32282d60efc65a14b36502eebd1f

Download Submit
C:\Users\Admin\AppData\Roaming\Noyz\sufoa.sod

Filesize
380B

MD5
2957896b6f30d4c78de1d3451b1e7428

SHA1
263b4bfe7a726cb4399fd38413f0f990ef2e12af

SHA256
a66d0e3309c39cf9681ec046c9f0bb6b48a6582cf0d8b19be8f54e68ebd68764

SHA512
ae914ecb7ded36ea71b8454b434837817e5c72d9e349b42c0c83d92283865e7130ebc1e720c7805fdc4abeee3eb849d1a21964dca0cec5fb4c72527b59f8dbb3

Download Submit
\Users\Admin\AppData\Roaming\Qeseic\paru.exe

Filesize
278KB

MD5
01dfcb37469d2958af57e7f6357092e7

SHA1
6c1c6cb9761566c8bc759bc9b318077bb4dca77d

SHA256
56306f67ddb8e8293f31b6f48b41b088d3a9fe759d534f04f948756ece1443ed

SHA512
4a0612cd5ce513b0ac7c31aab5a2cd7849c9c98dfe314fc3afd20b6c54023096345cd1066d832195c310fd49466de6ffe70cbadb559e44a01749fe4a852b8b91

Download Submit
memory/376-48-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/376-42-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/376-44-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/376-46-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/620-76-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/620-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-1-0x0000000000350000-0x000000000039A000-memory.dmp

Filesize
296KB

Download
memory/620-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-60-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/620-0-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/620-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-59-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/620-56-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/620-54-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/620-52-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/620-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/620-141-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/620-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1108-27-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1108-24-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1108-19-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1108-21-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1108-25-0x0000000002050000-0x0000000002091000-memory.dmp

Filesize
260KB

Download
memory/1168-32-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1168-31-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1168-33-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1168-34-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1204-36-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-38-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-37-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1204-39-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1692-16-0x0000000000360000-0x00000000003AA000-memory.dmp

Filesize
296KB

Download
memory/1692-15-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1692-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download