856cb94672286d55c3a80cc715bc0cc70bcf6048e8e866bb2d06d57a86e03061

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe
Size

254KB
MD5

6315b3bde2f9c4f4f20c43ce0c9100c7
SHA1

362c5f747b32631834fa284f0972211cb22101a4
SHA256

856cb94672286d55c3a80cc715bc0cc70bcf6048e8e866bb2d06d57a86e03061
SHA512

583eb22ced77b19b6ba48c50badb794de5c64268ab29dfe192f0d99861cb2a5fb34f701ba3b2216b0e9d62f7997ff4b6b5f9449ab40ff8e95793824f92f9f29b
SSDEEP

6144:kR3S2aGoaW84vazVVYC0caMEL1wM1VHKa/vz:kRiUoaHfIhwqVfL

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
996	hiuqj.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe
1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Qioc\\hiuqj.exe"	hiuqj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe
996	hiuqj.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe
996	hiuqj.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 996	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	29
PID 1048 wrote to memory of 996	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	29
PID 1048 wrote to memory of 996	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	29
PID 1048 wrote to memory of 996	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	29
PID 996 wrote to memory of 1112	996	hiuqj.exe	18
PID 996 wrote to memory of 1112	996	hiuqj.exe	18
PID 996 wrote to memory of 1112	996	hiuqj.exe	18
PID 996 wrote to memory of 1112	996	hiuqj.exe	18
PID 996 wrote to memory of 1112	996	hiuqj.exe	18
PID 996 wrote to memory of 1180	996	hiuqj.exe	19
PID 996 wrote to memory of 1180	996	hiuqj.exe	19
PID 996 wrote to memory of 1180	996	hiuqj.exe	19
PID 996 wrote to memory of 1180	996	hiuqj.exe	19
PID 996 wrote to memory of 1180	996	hiuqj.exe	19
PID 996 wrote to memory of 1208	996	hiuqj.exe	20
PID 996 wrote to memory of 1208	996	hiuqj.exe	20
PID 996 wrote to memory of 1208	996	hiuqj.exe	20
PID 996 wrote to memory of 1208	996	hiuqj.exe	20
PID 996 wrote to memory of 1208	996	hiuqj.exe	20
PID 996 wrote to memory of 1688	996	hiuqj.exe	24
PID 996 wrote to memory of 1688	996	hiuqj.exe	24
PID 996 wrote to memory of 1688	996	hiuqj.exe	24
PID 996 wrote to memory of 1688	996	hiuqj.exe	24
PID 996 wrote to memory of 1688	996	hiuqj.exe	24
PID 996 wrote to memory of 1048	996	hiuqj.exe	28
PID 996 wrote to memory of 1048	996	hiuqj.exe	28
PID 996 wrote to memory of 1048	996	hiuqj.exe	28
PID 996 wrote to memory of 1048	996	hiuqj.exe	28
PID 996 wrote to memory of 1048	996	hiuqj.exe	28
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30
PID 1048 wrote to memory of 2640	1048	6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6315b3bde2f9c4f4f20c43ce0c9100c7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Roaming\Qioc\hiuqj.exe
    "C:\Users\Admin\AppData\Roaming\Qioc\hiuqj.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp29878517.bat"
    3⤵
    - Deletes itself
    PID:2640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp29878517.bat

Filesize
271B

MD5
186dedcf8f0d271df7429e782e524853

SHA1
8ccdbdb7c69099a061b0197eebb1935f6b485b1f

SHA256
0edd5ee47e50540a9659fc3ecc599fe56ecc6ac714408a09d3b3621e8b1f8b37

SHA512
6fee5d0666a36949c9d2255608f878e89204d2765b450da9b95c198b08ae1c87bc51ceade0c9edf53b8318d70b64fd226e97a0c0b5a20c2ae22e4b9c15c6722c

Download Submit
\Users\Admin\AppData\Roaming\Qioc\hiuqj.exe

Filesize
254KB

MD5
3ee0a2dd9ecd3ef9e856066eab322997

SHA1
529eb748d59315484fc34f98aa40aad346618631

SHA256
094a1ed73ec34a34384ab4399281f233bdbe829e641080387f2e033863cb2565

SHA512
63341aae9891565579db57c625a86199e2434edf26ec06e4a3eafcd80a5898c28d545a64f6fe041490ef11c59861bc4cba73af88bda3e4e70624bdae12b7fdf2

Download Submit
memory/996-15-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/996-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/996-17-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/996-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-55-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-51-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-54-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-1-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/1048-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-79-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-135-0x0000000077960000-0x0000000077961000-memory.dmp

Filesize
4KB

Download
memory/1048-134-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-75-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-65-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-63-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-61-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-59-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-57-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-53-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-52-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-0-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/1048-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-163-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1048-161-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/1048-138-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1048-50-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/1112-19-0x0000000002010000-0x000000000204F000-memory.dmp

Filesize
252KB

Download
memory/1112-25-0x0000000002010000-0x000000000204F000-memory.dmp

Filesize
252KB

Download
memory/1112-23-0x0000000002010000-0x000000000204F000-memory.dmp

Filesize
252KB

Download
memory/1112-27-0x0000000002010000-0x000000000204F000-memory.dmp

Filesize
252KB

Download
memory/1112-21-0x0000000002010000-0x000000000204F000-memory.dmp

Filesize
252KB

Download
memory/1180-34-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/1180-37-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/1180-35-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/1180-31-0x0000000001F80000-0x0000000001FBF000-memory.dmp

Filesize
252KB

Download
memory/1208-42-0x0000000002CB0000-0x0000000002CEF000-memory.dmp

Filesize
252KB

Download
memory/1208-41-0x0000000002CB0000-0x0000000002CEF000-memory.dmp

Filesize
252KB

Download
memory/1208-43-0x0000000002CB0000-0x0000000002CEF000-memory.dmp

Filesize
252KB

Download
memory/1208-40-0x0000000002CB0000-0x0000000002CEF000-memory.dmp

Filesize
252KB

Download
memory/1688-45-0x0000000001DA0000-0x0000000001DDF000-memory.dmp

Filesize
252KB

Download
memory/1688-46-0x0000000001DA0000-0x0000000001DDF000-memory.dmp

Filesize
252KB

Download
memory/1688-47-0x0000000001DA0000-0x0000000001DDF000-memory.dmp

Filesize
252KB

Download
memory/1688-48-0x0000000001DA0000-0x0000000001DDF000-memory.dmp

Filesize
252KB

Download