3f0007bc6c6fda12330075cdb4c83c819ad71e1a9173483a2d0762fbdd400afd

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 13:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
Size

179KB
MD5

6fae3c9c833f77360acdb4493e80d126
SHA1

cc304ae6d616cf34f5099059e7e84465b6243fce
SHA256

3f0007bc6c6fda12330075cdb4c83c819ad71e1a9173483a2d0762fbdd400afd
SHA512

afd49af4e03a696b818c031d4f393ff55b108ca6c74c017a5b92ae91f7130a50ef8218abe89fe37f8e5fbeffb0309ed886e0970082508d6a784b671e0214a2e2
SSDEEP

3072:iGHjfXCamuMkZqL5Ha9oShQ/n5cJhbtg7hFHWnTVxZOvTeSCSSL7t:n/7muMoqLxMthO2hu7H6TVKbRCS

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2468	duac.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016a2e-6.dat	upx
behavioral1/memory/2404-174-0x0000000000400000-0x00000000027F9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Inab\\duac.exe"	duac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe
2468	duac.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
Token: SeSecurityPrivilege	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
Token: SeSecurityPrivilege	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2468	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2468	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2468	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2468	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	30
PID 2468 wrote to memory of 1076	2468	duac.exe	18
PID 2468 wrote to memory of 1076	2468	duac.exe	18
PID 2468 wrote to memory of 1076	2468	duac.exe	18
PID 2468 wrote to memory of 1076	2468	duac.exe	18
PID 2468 wrote to memory of 1076	2468	duac.exe	18
PID 2468 wrote to memory of 1152	2468	duac.exe	20
PID 2468 wrote to memory of 1152	2468	duac.exe	20
PID 2468 wrote to memory of 1152	2468	duac.exe	20
PID 2468 wrote to memory of 1152	2468	duac.exe	20
PID 2468 wrote to memory of 1152	2468	duac.exe	20
PID 2468 wrote to memory of 1176	2468	duac.exe	21
PID 2468 wrote to memory of 1176	2468	duac.exe	21
PID 2468 wrote to memory of 1176	2468	duac.exe	21
PID 2468 wrote to memory of 1176	2468	duac.exe	21
PID 2468 wrote to memory of 1176	2468	duac.exe	21
PID 2468 wrote to memory of 1560	2468	duac.exe	23
PID 2468 wrote to memory of 1560	2468	duac.exe	23
PID 2468 wrote to memory of 1560	2468	duac.exe	23
PID 2468 wrote to memory of 1560	2468	duac.exe	23
PID 2468 wrote to memory of 1560	2468	duac.exe	23
PID 2468 wrote to memory of 2404	2468	duac.exe	29
PID 2468 wrote to memory of 2404	2468	duac.exe	29
PID 2468 wrote to memory of 2404	2468	duac.exe	29
PID 2468 wrote to memory of 2404	2468	duac.exe	29
PID 2468 wrote to memory of 2404	2468	duac.exe	29
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31
PID 2404 wrote to memory of 768	2404	6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae3c9c833f77360acdb4493e80d126_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Inab\duac.exe
    "C:\Users\Admin\AppData\Roaming\Inab\duac.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp147a4109.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp147a4109.bat

Filesize
271B

MD5
14d366ddfbfde881ef42236e2a5eaad1

SHA1
6a414276298eaa3969e7908d94ef8854e19ac263

SHA256
2040cc6f41685625d08a7629c1cde077858229d829e4a10e5bb0bb1eb2cde53b

SHA512
00c442d4863b26b935ae49e7b30dcb8a3068298f908e0f2884e975eb0344d256b3c799f790791aad0d92f328784adab45ab42cb9c46ef1a16ea0a99c8a3bdd12

Download Submit
C:\Users\Admin\AppData\Roaming\Inab\duac.exe

Filesize
179KB

MD5
84d5b62b462e08a86dbb11de92f0820e

SHA1
7e09f4069b105cc15b280b8e1fb62bd0863b8c21

SHA256
5fe7a459caeb3b48127ae46efd5b9270626d656d49b225c275db97e1eba38232

SHA512
9726d857f10accddd88cb6f228d45748600e5010cf0c0e260df93c484144f9afc54da71e54ae248f523df74f167c89e785744721b7c06b4a0fb6920d35f19bec

Download Submit
C:\Users\Admin\AppData\Roaming\Jujy\ukvyc.amo

Filesize
380B

MD5
b6a4f0f8af0c85a971fbc60fd1e19123

SHA1
5dccd1f3f2df97e175a0ebc10f723756071c61d6

SHA256
a604ac4f76ccca2851f1b92a6a669eafb224910337ec72175fd817b91f3b038c

SHA512
32d1362dac61e15886ecd5003d037c71025003ec4d47dea2982417525137213ea48d03c95dabb61bee262323d2f0bb9bc8ecb98da5161f4e4d243b6ff395f249

Download Submit
memory/1076-14-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1076-10-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1076-12-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1076-16-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1076-18-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1152-28-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1152-24-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1152-26-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1152-22-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1176-34-0x00000000025B0000-0x00000000025E5000-memory.dmp

Filesize
212KB

Download
memory/1176-32-0x00000000025B0000-0x00000000025E5000-memory.dmp

Filesize
212KB

Download
memory/1176-36-0x00000000025B0000-0x00000000025E5000-memory.dmp

Filesize
212KB

Download
memory/1176-38-0x00000000025B0000-0x00000000025E5000-memory.dmp

Filesize
212KB

Download
memory/1560-46-0x0000000001DB0000-0x0000000001DE5000-memory.dmp

Filesize
212KB

Download
memory/1560-42-0x0000000001DB0000-0x0000000001DE5000-memory.dmp

Filesize
212KB

Download
memory/1560-48-0x0000000001DB0000-0x0000000001DE5000-memory.dmp

Filesize
212KB

Download
memory/1560-44-0x0000000001DB0000-0x0000000001DE5000-memory.dmp

Filesize
212KB

Download
memory/2404-175-0x0000000000400000-0x00000000027F9000-memory.dmp

Filesize
36.0MB

Download
memory/2404-61-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-56-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2404-58-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2404-60-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2404-52-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2404-174-0x0000000000400000-0x00000000027F9000-memory.dmp

Filesize
36.0MB

Download
memory/2404-54-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2404-63-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-65-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-67-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-69-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-71-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2404-193-0x0000000000400000-0x00000000027A6000-memory.dmp

Filesize
35.6MB

Download
memory/2404-194-0x0000000000400000-0x00000000027F9000-memory.dmp

Filesize
36.0MB

Download
memory/2404-73-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download