27dbb6d35ded4782eee0e70cbc7612cd4f9a9a238203540224de81b4a54a7be3

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
Size

152KB
MD5

63620652098d1b99cabcbb935a817fee
SHA1

2954a0394587d78d7e219ae54d15f0f52bcbdd03
SHA256

27dbb6d35ded4782eee0e70cbc7612cd4f9a9a238203540224de81b4a54a7be3
SHA512

4e525e43029c6b406d481649178d2bd79770c30b399750695871a82e50bbf8b657b0e8d2ce045d71eb64973a3449a820c30527a5f9b74c9669a6806e2f5f6731
SSDEEP

3072:Q+2NKmnePqtVheazseLa3gl9cm0kgI4FtmOwwH18856iP5PbQnyav7kVtnqDDDUE:QpKmeCtKMHIYum0pmu7511boRytqDDDH

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2336	ofyv.exe

Loads dropped DLL 2 IoCs

pid	Process
780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{5CAEC61C-1E7D-03A4-6FCE-24860E89494F} = "C:\\Users\\Admin\\AppData\\Roaming\\Ojniep\\ofyv.exe"	ofyv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe
2336	ofyv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
Token: SeSecurityPrivilege	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
Token: SeSecurityPrivilege	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2336	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	31
PID 780 wrote to memory of 2336	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	31
PID 780 wrote to memory of 2336	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	31
PID 780 wrote to memory of 2336	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1116	2336	ofyv.exe	19
PID 2336 wrote to memory of 1116	2336	ofyv.exe	19
PID 2336 wrote to memory of 1116	2336	ofyv.exe	19
PID 2336 wrote to memory of 1116	2336	ofyv.exe	19
PID 2336 wrote to memory of 1116	2336	ofyv.exe	19
PID 2336 wrote to memory of 1176	2336	ofyv.exe	20
PID 2336 wrote to memory of 1176	2336	ofyv.exe	20
PID 2336 wrote to memory of 1176	2336	ofyv.exe	20
PID 2336 wrote to memory of 1176	2336	ofyv.exe	20
PID 2336 wrote to memory of 1176	2336	ofyv.exe	20
PID 2336 wrote to memory of 1200	2336	ofyv.exe	21
PID 2336 wrote to memory of 1200	2336	ofyv.exe	21
PID 2336 wrote to memory of 1200	2336	ofyv.exe	21
PID 2336 wrote to memory of 1200	2336	ofyv.exe	21
PID 2336 wrote to memory of 1200	2336	ofyv.exe	21
PID 2336 wrote to memory of 1456	2336	ofyv.exe	25
PID 2336 wrote to memory of 1456	2336	ofyv.exe	25
PID 2336 wrote to memory of 1456	2336	ofyv.exe	25
PID 2336 wrote to memory of 1456	2336	ofyv.exe	25
PID 2336 wrote to memory of 1456	2336	ofyv.exe	25
PID 2336 wrote to memory of 780	2336	ofyv.exe	30
PID 2336 wrote to memory of 780	2336	ofyv.exe	30
PID 2336 wrote to memory of 780	2336	ofyv.exe	30
PID 2336 wrote to memory of 780	2336	ofyv.exe	30
PID 2336 wrote to memory of 780	2336	ofyv.exe	30
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 780 wrote to memory of 3020	780	63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe	32
PID 2336 wrote to memory of 2008	2336	ofyv.exe	34
PID 2336 wrote to memory of 2008	2336	ofyv.exe	34
PID 2336 wrote to memory of 2008	2336	ofyv.exe	34
PID 2336 wrote to memory of 2008	2336	ofyv.exe	34
PID 2336 wrote to memory of 2008	2336	ofyv.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\63620652098d1b99cabcbb935a817fee_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Roaming\Ojniep\ofyv.exe
    "C:\Users\Admin\AppData\Roaming\Ojniep\ofyv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3e48e1f4.bat"
    3⤵
    - Deletes itself
    PID:3020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3e48e1f4.bat

Filesize
271B

MD5
dc5ef3a58f08822ae38c944d5790443f

SHA1
5c7e71af9efd82366f409dcc3bd8dddd9008607d

SHA256
4acd2ec20058cf11490c18d4bf2f70efb76c1373adffe31f3cf05fcad97a01c0

SHA512
826cae6f2ed1552a1535476bd9271cb14a062c79eee59491f20898c0b19ec06c74404f2a4872a14162a1f9e0a6a160192f9c235c389496ed57131f11a8bee81d

Download Submit
C:\Users\Admin\AppData\Roaming\Imkyyd\doju.ecy

Filesize
380B

MD5
40f7a56e4de58896bd5e090230234492

SHA1
d34c6304f06c7ee774596fbe4ef8ba771969f9b2

SHA256
a8c948c6df9ababe13471be908737b001258476bff7f693a2584cd7c5b0dc054

SHA512
6d2d11ed293671c732cd0d5937e367b81230029934f77f1d4dc5a0446518df1081d56fbc317c3cef706e6cde85a5d52f1d10f9bb2d49ca72e558a52b8768e854

Download Submit
\Users\Admin\AppData\Roaming\Ojniep\ofyv.exe

Filesize
152KB

MD5
0fa913b2c3f7b00509faf08ee327f556

SHA1
263a1536b1384635edcdd1de4cb8fde6e558e1fe

SHA256
bb615bae5d1ce533fabd61eee5b26f738ca8ceca4db4d5f4f1a0961e6d954d2e

SHA512
ea7f2bafaf69ebe0485326ea90a6c041dd2adefa3203d5523329f3089c5b3d9ccad2e355cbc1f7164834aa56a93137fbbd3ed4302ff42d37ce78c132efd03cda

Download Submit
memory/780-44-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/780-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-45-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/780-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-77-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-42-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/780-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-46-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/780-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/780-43-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/780-41-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/1116-14-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1116-16-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1116-18-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1116-17-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1116-15-0x0000000002280000-0x00000000022AE000-memory.dmp

Filesize
184KB

Download
memory/1176-22-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/1176-23-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/1176-24-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/1176-21-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/1200-27-0x0000000002F70000-0x0000000002F9E000-memory.dmp

Filesize
184KB

Download
memory/1200-26-0x0000000002F70000-0x0000000002F9E000-memory.dmp

Filesize
184KB

Download
memory/1200-28-0x0000000002F70000-0x0000000002F9E000-memory.dmp

Filesize
184KB

Download
memory/1200-29-0x0000000002F70000-0x0000000002F9E000-memory.dmp

Filesize
184KB

Download
memory/1456-36-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/1456-38-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/1456-32-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/1456-34-0x0000000001F40000-0x0000000001F6E000-memory.dmp

Filesize
184KB

Download
memory/2336-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2336-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download