d19d4b32f6ac51533b60bad4ac98da91ffdb50eac3dfc18ac35f71773b43dcf1

Analysis

max time kernel
150s
max time network
56s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
Size

128KB
MD5

6169dfd8afcb2a8d1f9b113908dbb6cf
SHA1

b48bde311fafed33c10a9e5d1c1a784ceadcf493
SHA256

d19d4b32f6ac51533b60bad4ac98da91ffdb50eac3dfc18ac35f71773b43dcf1
SHA512

0ecdeb6c0b8d498ee86047fac657c5a4ebca7c874dac215a63f5f081c4f26c6124e6c544be6d1feb5cd62904b987598db1e9da6890f43b3b958dfca6ae0c53cc
SSDEEP

3072:/gUt8tl0BWo7qjejQI1MJRTaYXaYLQmH8TDb/m+1:IUtSSMo7qaNyRTaw3oF1

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1724	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	uwyv.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6D4A7724-61FD-61CA-F16D-244D6E75D46C} = "C:\\Users\\Admin\\AppData\\Roaming\\Celyto\\uwyv.exe"	uwyv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe
2724	uwyv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	29
PID 2304 wrote to memory of 2724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	29
PID 2724 wrote to memory of 1232	2724	uwyv.exe	18
PID 2724 wrote to memory of 1232	2724	uwyv.exe	18
PID 2724 wrote to memory of 1232	2724	uwyv.exe	18
PID 2724 wrote to memory of 1232	2724	uwyv.exe	18
PID 2724 wrote to memory of 1232	2724	uwyv.exe	18
PID 2724 wrote to memory of 1328	2724	uwyv.exe	19
PID 2724 wrote to memory of 1328	2724	uwyv.exe	19
PID 2724 wrote to memory of 1328	2724	uwyv.exe	19
PID 2724 wrote to memory of 1328	2724	uwyv.exe	19
PID 2724 wrote to memory of 1328	2724	uwyv.exe	19
PID 2724 wrote to memory of 1384	2724	uwyv.exe	20
PID 2724 wrote to memory of 1384	2724	uwyv.exe	20
PID 2724 wrote to memory of 1384	2724	uwyv.exe	20
PID 2724 wrote to memory of 1384	2724	uwyv.exe	20
PID 2724 wrote to memory of 1384	2724	uwyv.exe	20
PID 2724 wrote to memory of 1240	2724	uwyv.exe	22
PID 2724 wrote to memory of 1240	2724	uwyv.exe	22
PID 2724 wrote to memory of 1240	2724	uwyv.exe	22
PID 2724 wrote to memory of 1240	2724	uwyv.exe	22
PID 2724 wrote to memory of 1240	2724	uwyv.exe	22
PID 2724 wrote to memory of 2304	2724	uwyv.exe	28
PID 2724 wrote to memory of 2304	2724	uwyv.exe	28
PID 2724 wrote to memory of 2304	2724	uwyv.exe	28
PID 2724 wrote to memory of 2304	2724	uwyv.exe	28
PID 2724 wrote to memory of 2304	2724	uwyv.exe	28
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2304 wrote to memory of 1724	2304	6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2984	2724	uwyv.exe	32
PID 2724 wrote to memory of 2984	2724	uwyv.exe	32
PID 2724 wrote to memory of 2984	2724	uwyv.exe	32
PID 2724 wrote to memory of 2984	2724	uwyv.exe	32
PID 2724 wrote to memory of 2984	2724	uwyv.exe	32
PID 2724 wrote to memory of 2068	2724	uwyv.exe	33
PID 2724 wrote to memory of 2068	2724	uwyv.exe	33
PID 2724 wrote to memory of 2068	2724	uwyv.exe	33
PID 2724 wrote to memory of 2068	2724	uwyv.exe	33
PID 2724 wrote to memory of 2068	2724	uwyv.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6169dfd8afcb2a8d1f9b113908dbb6cf_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Roaming\Celyto\uwyv.exe
    "C:\Users\Admin\AppData\Roaming\Celyto\uwyv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd6d27009.bat"
    3⤵
    - Deletes itself
    PID:1724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd6d27009.bat

Filesize
271B

MD5
dd8c9268821cab93f82ca78c67ca2cf4

SHA1
d963c7261f82bd59d73e610190bdfb097d8e8a1c

SHA256
20ed0cb4a369346263870a99da2dfe9bb3282c067ea9d8092a7dd92c97fb0f33

SHA512
4b1f49ba289c48eb291b5a1257c10cb03bee55b085382ea50a8ddfb897fa630cfe6d020b06ba6dabcddd02e982343c047b145c3ca94120d537a12d97688b3aa1

Download Submit
C:\Users\Admin\AppData\Roaming\Obype\ympo.omm

Filesize
380B

MD5
1bdeda72cea96d734e1e96533259011f

SHA1
9c2132fc30e253c8cb2937bd0877f15e75e005c1

SHA256
57b0fdea0f903963e4ec970957f83b62c87cded9c15461f6abd43a4d8e5bf268

SHA512
7d412ffbfa1de2ebb8a1ae7d7b1a7609e5c5f1c7b85efdc060a4bc21df9edb5e318f332b7f6291ef31d4797da472645ef82fce5fd60c5ac35a31f93f8ea46322

Download Submit
\Users\Admin\AppData\Roaming\Celyto\uwyv.exe

Filesize
128KB

MD5
63c2a31dcb58eea87b2ca82b9725d646

SHA1
9a809bb5a6a156d5e91a4e889163671ddde360ac

SHA256
4a381009871a587e4c78a5217df3ff26b9079ec334996285e642dbf85aed62cc

SHA512
4b35d6244c41801f1b624babac90e7be661f18256f745cb6e5fb92ad5961b67513abf675d85e3d858394ca72936f3cc2557d259ba13c90924985a4255c07681e

Download Submit
memory/1232-18-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1232-21-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1232-20-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1232-19-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1232-17-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/1240-38-0x0000000001CA0000-0x0000000001CBF000-memory.dmp

Filesize
124KB

Download
memory/1240-36-0x0000000001CA0000-0x0000000001CBF000-memory.dmp

Filesize
124KB

Download
memory/1240-40-0x0000000001CA0000-0x0000000001CBF000-memory.dmp

Filesize
124KB

Download
memory/1240-34-0x0000000001CA0000-0x0000000001CBF000-memory.dmp

Filesize
124KB

Download
memory/1328-26-0x00000000019C0000-0x00000000019DF000-memory.dmp

Filesize
124KB

Download
memory/1328-25-0x00000000019C0000-0x00000000019DF000-memory.dmp

Filesize
124KB

Download
memory/1328-23-0x00000000019C0000-0x00000000019DF000-memory.dmp

Filesize
124KB

Download
memory/1328-24-0x00000000019C0000-0x00000000019DF000-memory.dmp

Filesize
124KB

Download
memory/1384-31-0x0000000002610000-0x000000000262F000-memory.dmp

Filesize
124KB

Download
memory/1384-30-0x0000000002610000-0x000000000262F000-memory.dmp

Filesize
124KB

Download
memory/1384-29-0x0000000002610000-0x000000000262F000-memory.dmp

Filesize
124KB

Download
memory/1384-28-0x0000000002610000-0x000000000262F000-memory.dmp

Filesize
124KB

Download
memory/1724-102-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/1724-129-0x0000000077A90000-0x0000000077A91000-memory.dmp

Filesize
4KB

Download
memory/1724-130-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/2304-53-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-73-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x0000000000419000-0x000000000041A000-memory.dmp

Filesize
4KB

Download
memory/2304-57-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-55-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-44-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2304-46-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2304-50-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2304-48-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2304-52-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2304-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-77-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-79-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-75-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-61-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-71-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-69-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-67-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-65-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-63-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-59-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2304-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-3-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2724-131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download