b6a8967032009064a860d26e06ffdd75e9235aeba64b91861bba0176e2038f19

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Size

137KB
MD5

6859a68742eb401177ae4f626a97b913
SHA1

979e13d8f75156484a92804e7ef3947f42513dfb
SHA256

b6a8967032009064a860d26e06ffdd75e9235aeba64b91861bba0176e2038f19
SHA512

febcde2f84317e82ea0f827a8eae48ce583ca777751dff2df059b9a7261676cb35084cc6bcb284e0345ebaa443b49e6231f08154e958c22557e9c52118209b1f
SSDEEP

3072:qUHaLMQT8nBF270/WKnjNafKZNZrvbkDjqU4Jg+DHtHAPfjLnrw9y4M:vHUnT8BsgWKnjNafsZLb8jd4JgkGf3rE

Score

8^/10

discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2996	netsh.exe

Deletes itself 1 IoCs

pid	Process
1924	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	geotfiy.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8F2BC283-76A6-B337-3D91-8273F0F4D92B} = "C:\\Users\\Admin\\AppData\\Roaming\\Vicecy\\geotfiy.exe"	geotfiy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\57BF1D80-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe
2948	geotfiy.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
2948	geotfiy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Token: SeSecurityPrivilege	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Token: SeSecurityPrivilege	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1436	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1436	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1436	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	WinMail.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2300	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	31
PID 1316 wrote to memory of 2300	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	31
PID 1316 wrote to memory of 2300	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	31
PID 1316 wrote to memory of 2300	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	31
PID 1316 wrote to memory of 2948	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2948	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2948	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	33
PID 1316 wrote to memory of 2948	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	33
PID 2300 wrote to memory of 2996	2300	cmd.exe	34
PID 2300 wrote to memory of 2996	2300	cmd.exe	34
PID 2300 wrote to memory of 2996	2300	cmd.exe	34
PID 2300 wrote to memory of 2996	2300	cmd.exe	34
PID 2948 wrote to memory of 1044	2948	geotfiy.exe	17
PID 2948 wrote to memory of 1044	2948	geotfiy.exe	17
PID 2948 wrote to memory of 1044	2948	geotfiy.exe	17
PID 2948 wrote to memory of 1044	2948	geotfiy.exe	17
PID 2948 wrote to memory of 1044	2948	geotfiy.exe	17
PID 2948 wrote to memory of 1072	2948	geotfiy.exe	18
PID 2948 wrote to memory of 1072	2948	geotfiy.exe	18
PID 2948 wrote to memory of 1072	2948	geotfiy.exe	18
PID 2948 wrote to memory of 1072	2948	geotfiy.exe	18
PID 2948 wrote to memory of 1072	2948	geotfiy.exe	18
PID 2948 wrote to memory of 1112	2948	geotfiy.exe	20
PID 2948 wrote to memory of 1112	2948	geotfiy.exe	20
PID 2948 wrote to memory of 1112	2948	geotfiy.exe	20
PID 2948 wrote to memory of 1112	2948	geotfiy.exe	20
PID 2948 wrote to memory of 1112	2948	geotfiy.exe	20
PID 2948 wrote to memory of 1864	2948	geotfiy.exe	25
PID 2948 wrote to memory of 1864	2948	geotfiy.exe	25
PID 2948 wrote to memory of 1864	2948	geotfiy.exe	25
PID 2948 wrote to memory of 1864	2948	geotfiy.exe	25
PID 2948 wrote to memory of 1864	2948	geotfiy.exe	25
PID 2948 wrote to memory of 1316	2948	geotfiy.exe	30
PID 2948 wrote to memory of 1316	2948	geotfiy.exe	30
PID 2948 wrote to memory of 1316	2948	geotfiy.exe	30
PID 2948 wrote to memory of 1316	2948	geotfiy.exe	30
PID 2948 wrote to memory of 1316	2948	geotfiy.exe	30
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 1316 wrote to memory of 1924	1316	6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe	36
PID 2948 wrote to memory of 2728	2948	geotfiy.exe	38
PID 2948 wrote to memory of 2728	2948	geotfiy.exe	38
PID 2948 wrote to memory of 2728	2948	geotfiy.exe	38
PID 2948 wrote to memory of 2728	2948	geotfiy.exe	38
PID 2948 wrote to memory of 2728	2948	geotfiy.exe	38
PID 2948 wrote to memory of 2204	2948	geotfiy.exe	39
PID 2948 wrote to memory of 2204	2948	geotfiy.exe	39
PID 2948 wrote to memory of 2204	2948	geotfiy.exe	39
PID 2948 wrote to memory of 2204	2948	geotfiy.exe	39
PID 2948 wrote to memory of 2204	2948	geotfiy.exe	39

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6859a68742eb401177ae4f626a97b913_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb03bcaba.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Vicecy\geotfiy.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2996
- - C:\Users\Admin\AppData\Roaming\Vicecy\geotfiy.exe
    "C:\Users\Admin\AppData\Roaming\Vicecy\geotfiy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa9be57a0.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1924

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1864

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2728

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
bcce586d4d81c5da4f005c525d672f7a

SHA1
321f363da5464387e117129e2988886d3a0674c5

SHA256
1d07569dc855fa61af884d8ce84196ed2b9fd314fbd9214ae4c375a3594a02b8

SHA512
63c0d65f57a6c28f2d4585c7ca4bbaad6ac0d318a3c71f27a1127c913bea8b825426160b013c1eb3393a389e1b58c92c078084f68fbea923d94bc2b13fd1e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa9be57a0.bat

Filesize
271B

MD5
7b62b6e078b4ce50df9c3db31595a09b

SHA1
fa5ca2f9c92171bc707d1f6c7f897b0bde2566c4

SHA256
ed43e71361b1c52d6375c9819647248ca12013e887a8811982874cd92555ba40

SHA512
c390fabf69539c5ba6ed533d3e958e127dba4a76d8620c1208f95491072833cefac4f17956633b01f27d5e63c56365b8e01e5218ebc582ae150d01487d0135eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpb03bcaba.bat

Filesize
203B

MD5
e9abc9f09ce564dc04a39e08b70e57ca

SHA1
d23389450551c369e036ef870f7f46f678da7b1d

SHA256
b75ed70585a1a99d95e7e85ba8f6d18d11e76fe42a688c0fbe105d8d329e77cd

SHA512
ac87e02f19f162c00ecb7610d69594e272a3568991b875792d29eb905fbbfa6500d6ba1934297f7c49556704ea1b831623cb1311cd7ae570952c8d0803259d16

Download Submit
C:\Users\Admin\AppData\Roaming\Asoheq\citala.nus

Filesize
380B

MD5
db1d8ccd035a9a704793e8abc901627c

SHA1
4890a9dba13d332ffa9958ff70f9383b3b05f5fa

SHA256
12a07a3301ab663f21402cb0682bd6b5b24faec2a58356017827215b814cf81c

SHA512
0d5c57c743c8c9950c390bef6b1936b74be505b6b274970808df9f6838618dfbe55a10e2813da7d58cb0efccd2e9998cb3a389580b6852205b497808997a3c55

Download Submit
\Users\Admin\AppData\Roaming\Vicecy\geotfiy.exe

Filesize
137KB

MD5
fb1d36fe05fc6adc04d75b82b2f87334

SHA1
8ef8b27c53e966115d998c07893ec80d83a74b7d

SHA256
8247b7f532f834f0dcb28e1e591b33dc7ce2aa0a22b038c42ce7008c4edc7d96

SHA512
fbe5191128cbdff2f19d9e6c0efc370c44ba17fe2583ee182556115a80d510a328d818109dcf1a23645237164ff73d9986264d550ceb4fe30cac63af93ca5c9d

Download Submit
memory/1044-18-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1044-21-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1044-22-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1044-20-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1044-19-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1072-24-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1072-25-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1072-26-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1072-27-0x0000000002EA0000-0x0000000002EC7000-memory.dmp

Filesize
156KB

Download
memory/1112-33-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1112-32-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1112-30-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1112-31-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1316-52-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1316-53-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1316-81-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-79-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-77-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-75-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-73-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-71-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-69-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-67-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-65-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-63-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-59-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-57-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-55-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1316-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-222-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-45-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1316-47-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1316-49-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/1316-0-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1316-172-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/1316-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1864-40-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1864-42-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1864-36-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1864-38-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/2948-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download