ddc9637f1f74a8c1224e3ca2dd854e18154d3c74693fdaab9872a9bef3e60cdb

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
Size

290KB
MD5

642ef37f7493e5695f20d8cf2574f705
SHA1

08fbd79b90d76126b535b36e7fefb4716c95c310
SHA256

ddc9637f1f74a8c1224e3ca2dd854e18154d3c74693fdaab9872a9bef3e60cdb
SHA512

505e8eb33230efcbfa3856d2429b9d589d9de3394ff7b42da03b9a110a6c5e13712ccd753de05ec2aac5c3bef0a983b6b8e9ba5a2d804824a75c202f33ae94ba
SSDEEP

6144:KfsVV09Du+Rc9DMQtc9LMojzmx1i68Nb/67pkkDvarYdYLx3IhpD:Os2C9DGh1wi6A/ephDvRY13QpD

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	izjo.exe

Loads dropped DLL 2 IoCs

pid	Process
2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4A4DE868-6E67-AD4F-A8F7-B67989399564} = "C:\\Users\\Admin\\AppData\\Roaming\\Gyinlu\\izjo.exe"	izjo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe
2020	izjo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
Token: SeSecurityPrivilege	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
Token: SeSecurityPrivilege	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
2020	izjo.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2020	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2020	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2020	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	31
PID 2576 wrote to memory of 2020	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	31
PID 2020 wrote to memory of 1104	2020	izjo.exe	19
PID 2020 wrote to memory of 1104	2020	izjo.exe	19
PID 2020 wrote to memory of 1104	2020	izjo.exe	19
PID 2020 wrote to memory of 1104	2020	izjo.exe	19
PID 2020 wrote to memory of 1104	2020	izjo.exe	19
PID 2020 wrote to memory of 1168	2020	izjo.exe	20
PID 2020 wrote to memory of 1168	2020	izjo.exe	20
PID 2020 wrote to memory of 1168	2020	izjo.exe	20
PID 2020 wrote to memory of 1168	2020	izjo.exe	20
PID 2020 wrote to memory of 1168	2020	izjo.exe	20
PID 2020 wrote to memory of 1216	2020	izjo.exe	21
PID 2020 wrote to memory of 1216	2020	izjo.exe	21
PID 2020 wrote to memory of 1216	2020	izjo.exe	21
PID 2020 wrote to memory of 1216	2020	izjo.exe	21
PID 2020 wrote to memory of 1216	2020	izjo.exe	21
PID 2020 wrote to memory of 496	2020	izjo.exe	25
PID 2020 wrote to memory of 496	2020	izjo.exe	25
PID 2020 wrote to memory of 496	2020	izjo.exe	25
PID 2020 wrote to memory of 496	2020	izjo.exe	25
PID 2020 wrote to memory of 496	2020	izjo.exe	25
PID 2020 wrote to memory of 2576	2020	izjo.exe	30
PID 2020 wrote to memory of 2576	2020	izjo.exe	30
PID 2020 wrote to memory of 2576	2020	izjo.exe	30
PID 2020 wrote to memory of 2576	2020	izjo.exe	30
PID 2020 wrote to memory of 2576	2020	izjo.exe	30
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32
PID 2576 wrote to memory of 2836	2576	642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\642ef37f7493e5695f20d8cf2574f705_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Gyinlu\izjo.exe
    "C:\Users\Admin\AppData\Roaming\Gyinlu\izjo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp24e3125e.bat"
    3⤵
    - Deletes itself
    PID:2836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp24e3125e.bat

Filesize
271B

MD5
cd913fc24889458d1d528a761b067ae5

SHA1
6f2265a9d54ea2f067b0b270d8bcf5cf894e4a84

SHA256
72f587324e5e8c3ab43d2d70aa98f8528cbd1107354cb64567f5a56cb7524f80

SHA512
02921ed0262d4792076cf43e85908a3227709c6f22037841ef2feb4e64bdb81125857f66537f5639a525bd5afb8629e604c3f01412f41324b52c9acffb3be397

Download Submit
C:\Users\Admin\AppData\Roaming\Ukhity\gyti.obg

Filesize
380B

MD5
a66093435bc6ae9aacd6399a7dfe8780

SHA1
5fd967378925a7013a6ae2827669c27877201fa5

SHA256
238c41d75ca18e70c3bcbc5f9ede9b3562433794a1ac4136ed1d79a235b4b060

SHA512
621f398f63d7de72465a9d33a4eff0d4e31f4d3f797d1392485113188055d12b40bce01dd9e7296165ab9978dd06bac4c6e07a2fc7296ae219fe54f34ea35134

Download Submit
\Users\Admin\AppData\Roaming\Gyinlu\izjo.exe

Filesize
290KB

MD5
0e45b9d3518da02561d02b1a7a0a97eb

SHA1
e33894447fa9a4ef0613a6626893b79d0300db5f

SHA256
b804fdee30227686002866946d13d96ed72b2adb914863dc34362721b326561f

SHA512
0cbf542777087e567b5288281ce9462cd2c6b4c9f367a295bfb8f2e5805d53a26a72153e63edb3c33f1e00ef5b8c74b18d8a7c2d7a00b19975b2c7c927aab6f7

Download Submit
memory/496-40-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-43-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-42-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-41-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1104-19-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-20-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-21-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-22-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-23-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1168-32-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-26-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-28-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-30-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1216-36-0x0000000002A40000-0x0000000002A81000-memory.dmp

Filesize
260KB

Download
memory/1216-35-0x0000000002A40000-0x0000000002A81000-memory.dmp

Filesize
260KB

Download
memory/1216-38-0x0000000002A40000-0x0000000002A81000-memory.dmp

Filesize
260KB

Download
memory/1216-37-0x0000000002A40000-0x0000000002A81000-memory.dmp

Filesize
260KB

Download
memory/2020-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-17-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download
memory/2020-15-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2020-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-158-0x00000000003A0000-0x00000000003F0000-memory.dmp

Filesize
320KB

Download
memory/2576-160-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-134-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-47-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-46-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-45-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-70-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-71-0x0000000077B70000-0x0000000077B71000-memory.dmp

Filesize
4KB

Download
memory/2576-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-1-0x00000000003A0000-0x00000000003F0000-memory.dmp

Filesize
320KB

Download
memory/2576-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2576-48-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-49-0x0000000001F40000-0x0000000001F81000-memory.dmp

Filesize
260KB

Download
memory/2576-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download