a8fddb1efbbc9c127af0ebd7d11191c79ffaeb977dc00a1da535477cfcb6e9a8

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
Size

355KB
MD5

689470c1b55d31a0293aa4b37272cf6c
SHA1

2ea05d45d4c697da48891084af704fce9dc9641a
SHA256

a8fddb1efbbc9c127af0ebd7d11191c79ffaeb977dc00a1da535477cfcb6e9a8
SHA512

a8ec797164e5718d1670d5173a72b80398f80e4bb1addb8b3a4956e01992b5097cbb92d861a04dc22d56dcf41cf7fbdd494cb93180c6cd5a4d6193da6b1bbf16
SSDEEP

6144:/Ol1STtqI+Giw78knnSSwYnn1SZ3DAUNPtYZ4d2agBcVWYjDnpK+YYyN1pOpVeEL:1Tdiw782SSrnaD13u2PVFDpK+YRSUF8S

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1804	reaha.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016c7d-6.dat	upx
behavioral1/memory/1804-14-0x0000000000400000-0x0000000000534000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ysoh\\reaha.exe"	reaha.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe
1804	reaha.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
Token: SeSecurityPrivilege	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
Token: SeSecurityPrivilege	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1804	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1804	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1804	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1804	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	30
PID 1804 wrote to memory of 1124	1804	reaha.exe	19
PID 1804 wrote to memory of 1124	1804	reaha.exe	19
PID 1804 wrote to memory of 1124	1804	reaha.exe	19
PID 1804 wrote to memory of 1124	1804	reaha.exe	19
PID 1804 wrote to memory of 1124	1804	reaha.exe	19
PID 1804 wrote to memory of 1168	1804	reaha.exe	20
PID 1804 wrote to memory of 1168	1804	reaha.exe	20
PID 1804 wrote to memory of 1168	1804	reaha.exe	20
PID 1804 wrote to memory of 1168	1804	reaha.exe	20
PID 1804 wrote to memory of 1168	1804	reaha.exe	20
PID 1804 wrote to memory of 1196	1804	reaha.exe	21
PID 1804 wrote to memory of 1196	1804	reaha.exe	21
PID 1804 wrote to memory of 1196	1804	reaha.exe	21
PID 1804 wrote to memory of 1196	1804	reaha.exe	21
PID 1804 wrote to memory of 1196	1804	reaha.exe	21
PID 1804 wrote to memory of 636	1804	reaha.exe	23
PID 1804 wrote to memory of 636	1804	reaha.exe	23
PID 1804 wrote to memory of 636	1804	reaha.exe	23
PID 1804 wrote to memory of 636	1804	reaha.exe	23
PID 1804 wrote to memory of 636	1804	reaha.exe	23
PID 1804 wrote to memory of 1984	1804	reaha.exe	29
PID 1804 wrote to memory of 1984	1804	reaha.exe	29
PID 1804 wrote to memory of 1984	1804	reaha.exe	29
PID 1804 wrote to memory of 1984	1804	reaha.exe	29
PID 1804 wrote to memory of 1984	1804	reaha.exe	29
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31
PID 1984 wrote to memory of 2684	1984	689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\689470c1b55d31a0293aa4b37272cf6c_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\Ysoh\reaha.exe
    "C:\Users\Admin\AppData\Roaming\Ysoh\reaha.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9c7a107b.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9c7a107b.bat

Filesize
271B

MD5
6a473fbb5fa9e7c5e40012178332d2cc

SHA1
bd61b95ec81260d37c89f3268da7b630c1b1ec82

SHA256
4613a17557132f12a3a18db6e346070f3e206dc52394e8c07b181e456954833c

SHA512
6dc32ace24c8fc309f62f8497241cf801a51dcd248fe1b02bd069fb7f706852a45082b221bf7f1609741a737a2bd859a4416ab2c4e31d104c9738b5a76f96764

Download Submit
C:\Users\Admin\AppData\Roaming\Inly\fopu.ofs

Filesize
380B

MD5
bc3daa1784f6af0657f29505b08fd4c7

SHA1
fff270926deddbc6fdd2a0d684e7ca0654408bf8

SHA256
a072f8d1355019b5b075598ca4fc2e020f9c47f6b5a8c6539fb9388de7689675

SHA512
2b40cd456a64089ff783d9c143f4b7f77f060a4cd4feac4f2b00c8a81b5c132582c3ebe5464abcf4e84243b8164372f72da6b376f89f27d6fcdd20db16286416

Download Submit
\Users\Admin\AppData\Roaming\Ysoh\reaha.exe

Filesize
355KB

MD5
0d6a91362060250c213057ec84aced81

SHA1
3364a17bf8b66d1f72036c186df188d13f3e1c54

SHA256
89889d0608e738b7b94f29ef79733ee04f13ebc6ddf8a2446f37d79510bfb49e

SHA512
0c7395a26520ee0d949eb325269dc0eeb0db6bed9fbbd9bca99382f0dfc7531e42f5b731e47df2b39992911845fd9424fe238dee073cc805c0fe58b0e5b2f347

Download Submit
memory/636-42-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/636-41-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/636-40-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/636-39-0x00000000021A0000-0x00000000021DD000-memory.dmp

Filesize
244KB

Download
memory/1124-21-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1124-17-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1124-18-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1124-19-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1124-20-0x00000000005E0000-0x000000000061D000-memory.dmp

Filesize
244KB

Download
memory/1168-26-0x0000000002010000-0x000000000204D000-memory.dmp

Filesize
244KB

Download
memory/1168-30-0x0000000002010000-0x000000000204D000-memory.dmp

Filesize
244KB

Download
memory/1168-28-0x0000000002010000-0x000000000204D000-memory.dmp

Filesize
244KB

Download
memory/1168-24-0x0000000002010000-0x000000000204D000-memory.dmp

Filesize
244KB

Download
memory/1196-33-0x00000000025A0000-0x00000000025DD000-memory.dmp

Filesize
244KB

Download
memory/1196-36-0x00000000025A0000-0x00000000025DD000-memory.dmp

Filesize
244KB

Download
memory/1196-34-0x00000000025A0000-0x00000000025DD000-memory.dmp

Filesize
244KB

Download
memory/1196-35-0x00000000025A0000-0x00000000025DD000-memory.dmp

Filesize
244KB

Download
memory/1804-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1804-15-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1804-272-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1804-273-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1984-79-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-71-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-51-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-49-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-46-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/1984-45-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/1984-44-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/1984-55-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-57-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-59-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-61-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-63-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-65-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-69-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-47-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/1984-53-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-73-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-75-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-77-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1984-81-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-134-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1984-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1984-8-0x0000000002480000-0x00000000025B4000-memory.dmp

Filesize
1.2MB

Download
memory/1984-152-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1984-153-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1984-5-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1984-0-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/1984-2-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download