3ff2e25aef40c0ff1b900616d57ee9d60cbf3a41a7545b8165c508d102dff498

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6223595695eacf23d563ee88b0796980_JaffaCakes118.exe
Size

377KB
MD5

6223595695eacf23d563ee88b0796980
SHA1

c8d2090d0e58964d7052ff3fe6a05e10415ee56a
SHA256

3ff2e25aef40c0ff1b900616d57ee9d60cbf3a41a7545b8165c508d102dff498
SHA512

6cefd3d35fe97397d3dcdadd7ca125d7baa7fb121392c41733878ab000f8dcff4fe0c854f2d3b8da247919b4fdd30cc71cc06ce118afc6417f182d0d41784600
SSDEEP

6144:96OwqYp693oxB0clrjrwcZDT+d84MLRpx8nNcJa2db/Slsm1VcEGOfzE/8YG1oA:EOoi4/LLbDsU9/8GPdLSl91VcBjGmA

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1772	otupz.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe
2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Xain\\otupz.exe"	otupz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe
1772	otupz.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe
1772	otupz.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1772	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	30
PID 2276 wrote to memory of 1772	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	30
PID 2276 wrote to memory of 1772	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	30
PID 2276 wrote to memory of 1772	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	30
PID 1772 wrote to memory of 1124	1772	otupz.exe	19
PID 1772 wrote to memory of 1124	1772	otupz.exe	19
PID 1772 wrote to memory of 1124	1772	otupz.exe	19
PID 1772 wrote to memory of 1124	1772	otupz.exe	19
PID 1772 wrote to memory of 1124	1772	otupz.exe	19
PID 1772 wrote to memory of 1168	1772	otupz.exe	20
PID 1772 wrote to memory of 1168	1772	otupz.exe	20
PID 1772 wrote to memory of 1168	1772	otupz.exe	20
PID 1772 wrote to memory of 1168	1772	otupz.exe	20
PID 1772 wrote to memory of 1168	1772	otupz.exe	20
PID 1772 wrote to memory of 1196	1772	otupz.exe	21
PID 1772 wrote to memory of 1196	1772	otupz.exe	21
PID 1772 wrote to memory of 1196	1772	otupz.exe	21
PID 1772 wrote to memory of 1196	1772	otupz.exe	21
PID 1772 wrote to memory of 1196	1772	otupz.exe	21
PID 1772 wrote to memory of 636	1772	otupz.exe	23
PID 1772 wrote to memory of 636	1772	otupz.exe	23
PID 1772 wrote to memory of 636	1772	otupz.exe	23
PID 1772 wrote to memory of 636	1772	otupz.exe	23
PID 1772 wrote to memory of 636	1772	otupz.exe	23
PID 1772 wrote to memory of 2276	1772	otupz.exe	29
PID 1772 wrote to memory of 2276	1772	otupz.exe	29
PID 1772 wrote to memory of 2276	1772	otupz.exe	29
PID 1772 wrote to memory of 2276	1772	otupz.exe	29
PID 1772 wrote to memory of 2276	1772	otupz.exe	29
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 2276 wrote to memory of 600	2276	6223595695eacf23d563ee88b0796980_JaffaCakes118.exe	31
PID 1772 wrote to memory of 2800	1772	otupz.exe	34
PID 1772 wrote to memory of 2800	1772	otupz.exe	34
PID 1772 wrote to memory of 2800	1772	otupz.exe	34
PID 1772 wrote to memory of 2800	1772	otupz.exe	34
PID 1772 wrote to memory of 2800	1772	otupz.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\6223595695eacf23d563ee88b0796980_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6223595695eacf23d563ee88b0796980_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Roaming\Xain\otupz.exe
    "C:\Users\Admin\AppData\Roaming\Xain\otupz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6d8e5588.bat"
    3⤵
    - Deletes itself
    PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6d8e5588.bat

Filesize
271B

MD5
132f504e7f26fc9a670e5a375018111f

SHA1
58abda22a17781390a1206775d0f0c8fd04276e0

SHA256
e5712493dd2a7387690b706feded3826a7b9de208beef9e76655d89b72151f46

SHA512
a20922aafff4414663478ac7bf2d88afb75b06b7a5f3a5e0ee61cf4e7e14cbc5f86ccedc537a6c35fc1d5c07792ca7d7b41a434ae629892a5738b73a4378b48c

Download Submit
C:\Users\Admin\AppData\Roaming\Xain\otupz.exe

Filesize
377KB

MD5
d00df890bdd87691539d0037a803ce44

SHA1
07777a23f59a01d9ad45b6aa0017f1f32fe55957

SHA256
82aaf99003c150f2c1dce131ea22293aab8eb7b76d14fa78fd7bb03e9b2523e6

SHA512
c6cee67e0a8604db29d1ba01373d367cd3783aaba86aaa23ba60cf30072b63e71acca7305eac9795945d69e3f34c7c19a1595bb4ba5e372bb20e4093a90982f4

Download Submit
memory/636-44-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/636-42-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/636-40-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/636-38-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/1124-24-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/1124-22-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/1124-19-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/1124-20-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/1124-21-0x00000000005E0000-0x0000000000624000-memory.dmp

Filesize
272KB

Download
memory/1168-30-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/1168-29-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/1168-28-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/1196-32-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1196-33-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1196-35-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1196-34-0x00000000025A0000-0x00000000025E4000-memory.dmp

Filesize
272KB

Download
memory/1772-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-17-0x0000000000470000-0x00000000004D8000-memory.dmp

Filesize
416KB

Download
memory/1772-15-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/1772-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-50-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-77-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-48-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-49-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-52-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-59-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-71-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-63-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-61-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-81-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-137-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/2276-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-47-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-75-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-57-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-55-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-53-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2276-51-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-138-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-163-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/2276-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-161-0x00000000002C0000-0x0000000000328000-memory.dmp

Filesize
416KB

Download
memory/2276-1-0x00000000002C0000-0x0000000000328000-memory.dmp

Filesize
416KB

Download
memory/2276-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download