Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 02:19
Static task
static1
Behavioral task
behavioral1
  Sample: 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task
behavioral2
  Sample: 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
Size: 329KB
MD5: 7239d539104cbe63c5a210cdeb78aecc
SHA1: 8b094d68d17a1026e24b1d83a0f70bbd6d32a3ba
SHA256: f0c989429b8bb7d29955d0b8706e369bfa7658ba0de485eb720656c665c8b0dc
SHA512: b11e58fe5a0e0090bef46387932a53ce8240552a860f885b013cc3f9607e24faa1cc957ca97461363198d0403a96a4d72217c8fde34ad859f31b779014ebcb29
SSDEEP: 6144:4YwaU+TjJN6Qy/VNoUKIVflNiLoWtMa9QJTPPWZYbYZ:PwP+P6QENooiX+a9Q1nWZ5
Malware Config
Signatures

Deletes itself (1 IoC)
  PID 1644  cmd.exe

Executes dropped EXE (1 IoC)
  PID 2816  nuisvu.exe

Loads dropped DLL (2 IoCs)
  PID 1824  7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Ihygoh\\nuisvu.exe"  by nuisvu.exe
  (The value name is a bare GUID and the target is the dropped copy under the roaming profile; neither is how legitimate installers register autostart entries.)

Suspicious use of SetThreadContext (1 IoC)
  PID 1824 (7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe) set thread context of PID 1644 (cmd.exe); procid_target 31

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by nuisvu.exe
Modifies Internet Explorer settings (2 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy  by 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"  by 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (32 IoCs)
  PID 2816  nuisvu.exe (32 events)

Suspicious use of UnmapMainImage (2 IoCs)
  PID 1824  7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  PID 2816  nuisvu.exe

Suspicious use of WriteProcessMemory (43 IoCs, grouped by source -> target in the order they appear; procid_target is the report's own index for the target process, not a PID)
  PID 1824 (7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe) -> PID 2816 (nuisvu.exe)     4 events  procid_target 30
  PID 2816 (nuisvu.exe) -> PID 1116 (taskhost.exe)                                            5 events  procid_target 19
  PID 2816 (nuisvu.exe) -> PID 1180 (Dwm.exe)                                                 5 events  procid_target 20
  PID 2816 (nuisvu.exe) -> PID 1208 (Explorer.EXE)                                            5 events  procid_target 21
  PID 2816 (nuisvu.exe) -> PID 640 (DllHost.exe)                                              5 events  procid_target 25
  PID 2816 (nuisvu.exe) -> PID 1824 (7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe)     5 events  procid_target 29
  PID 1824 (7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe) -> PID 1644 (cmd.exe)        9 events  procid_target 31
  PID 2816 (nuisvu.exe) -> PID 2452 (DllHost.exe)                                             5 events  procid_target 34
Processes

C:\Windows\system32\taskhost.exe  "taskhost.exe"  (depth 1)  PID:1116

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  (depth 1)  PID:1180

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (depth 1)  PID:1208
  C:\Users\Admin\AppData\Local\Temp\7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe"  (depth 2)  PID:1824
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe  "C:\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe"  (depth 3)  PID:2816
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp46162b11.bat"  (depth 3)  PID:1644
      - Deletes itself
      - System Location Discovery: System Language Discovery
      (The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the 32-bit sample's CreateProcess call was redirected by WoW64 file-system redirection on this x64 image. The "Deletes itself" signature is raised on this cmd.exe rather than on the sample, consistent with the temporary batch file doing the cleanup after the sample exits.)

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  (depth 1)  PID:640

C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  (depth 1)  PID:2452
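The WriteProcessMemory, SetThreadContext and Run-key entries above are what a responder actually works from, and the flat "PID A wrote to memory of B" lines are easier to reason about once they are turned into a graph. The following Python is an added example, not part of the sandbox report or of any tool: it parses lines in the report's own event format, rebuilds the injection graph, flags the source that both wrote into a target and then set its thread context, flags writes into system images, and scores the Run value. The EVENTS text, PROCESSES map, RUN_NAME and RUN_DATA are condensed copies of this report's IoCs, constructed inline so the script runs offline; SYSTEM_IMAGES and the Run-value heuristics are my assumptions, not something the report states.

```python
"""Rebuild the injection graph from the report's flat signature lines.

Added example, not part of the sandbox report. EVENTS, PROCESSES, RUN_NAME and
RUN_DATA are condensed copies of this report's IoCs (constructed inline so the
script runs offline); SYSTEM_IMAGES and the Run-value heuristics are assumptions.
"""
import re
from collections import Counter, defaultdict

# PID -> image, taken from the Processes section of the report.
PROCESSES = {
    1116: "taskhost.exe", 1180: "Dwm.exe", 1208: "Explorer.EXE",
    1824: "7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe",
    2816: "nuisvu.exe", 1644: "cmd.exe", 640: "DllHost.exe", 2452: "DllHost.exe",
}

# Assumption: system images that user-mode software has no business writing into.
SYSTEM_IMAGES = {"taskhost.exe", "dwm.exe", "explorer.exe", "dllhost.exe", "svchost.exe"}

# Condensed copy of the WriteProcessMemory / SetThreadContext IoCs in the report's
# own line format (the full report repeats each pair several more times).
EVENTS = """\
PID 1824 wrote to memory of 2816 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 30
PID 1824 wrote to memory of 2816 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 30
PID 2816 wrote to memory of 1116 2816 nuisvu.exe 19
PID 2816 wrote to memory of 1180 2816 nuisvu.exe 20
PID 2816 wrote to memory of 1208 2816 nuisvu.exe 21
PID 2816 wrote to memory of 640 2816 nuisvu.exe 25
PID 2816 wrote to memory of 1824 2816 nuisvu.exe 29
PID 1824 wrote to memory of 1644 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 31
PID 1824 wrote to memory of 1644 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 31
PID 1824 wrote to memory of 1644 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 31
PID 2816 wrote to memory of 2452 2816 nuisvu.exe 34
PID 1824 set thread context of 1644 1824 7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe 31
"""

# The Run value from the "Adds Run key to start application" IoC.
RUN_NAME = "{36F482E8-6FE9-AD4F-5F98-37194FCB1404}"
RUN_DATA = r"C:\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe"

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_events(text):
    """Return (kind, src_pid, dst_pid) tuples; kind is 'write' or 'ctx'.
    The trailing columns (pid, process, procid_target) are ignored: procid_target
    is the report's internal index for the target, not a PID."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            kind = "write" if m.group(2).startswith("wrote") else "ctx"
            events.append((kind, int(m.group(1)), int(m.group(3))))
    return events


def injection_graph(events):
    """src_pid -> Counter{dst_pid: number of WriteProcessMemory events}."""
    graph = defaultdict(Counter)
    for kind, src, dst in events:
        if kind == "write":
            graph[src][dst] += 1
    return graph


def find_context_hijacks(events):
    """(src, dst) pairs where src both wrote into dst and set a thread context in
    it: the write-then-redirect-execution shape of hollowing / thread hijacking."""
    writes = {(s, d) for k, s, d in events if k == "write"}
    ctx = {(s, d) for k, s, d in events if k == "ctx"}
    return sorted(writes & ctx)


def find_system_targets(graph, processes):
    """(src, dst, image) for every write whose target is a known system image."""
    hits = []
    for src, targets in graph.items():
        for dst in targets:
            image = processes.get(dst, "?")
            if image.lower() in SYSTEM_IMAGES:
                hits.append((src, dst, image))
    return sorted(hits)


def assess_run_value(name, data):
    """Heuristic reasons (assumption) a Run value looks like malware persistence."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID")
    if re.search(r"\\appdata\\roaming\\", data, re.IGNORECASE):
        reasons.append("target lives under %APPDATA%")
    if not re.match(r"^c:\\(windows|program files)", data, re.IGNORECASE):
        reasons.append("target outside Program Files and Windows")
    return reasons


def triage(text=EVENTS, processes=PROCESSES):
    """The three findings a responder wants from this report, in one dict."""
    events = parse_events(text)
    graph = injection_graph(events)
    return {
        "hijacks": find_context_hijacks(events),
        "system_targets": find_system_targets(graph, processes),
        "run_value": assess_run_value(RUN_NAME, RUN_DATA),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On this report's data the script reports one write-plus-SetThreadContext pair (the sample, PID 1824, into cmd.exe, PID 1644), five system targets all written by the dropped nuisvu.exe (taskhost, Dwm, Explorer and both DllHost instances), and three reasons to distrust the Run value. Counting repeated writes per pair, as injection_graph does, is deliberate: a single write is what a debugger or installer does, while dozens of writes into every process on the desktop are not.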
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 271B
MD5: 7e7c15a121e50e6653917f43b22c5468
SHA1: c6959597eebf4c02d71a5a6362b662451536d9ef
SHA256: 8d720e95eea5337a5dd77e48eda0a3a244561b7c81a381f72fa7401b072573ff
SHA512: 2a40f4532a6572b74cb5138a3e4faeafb929f4c7689bd38fdf166749857acd78ad2e837abdade7b0002b3c210e861fe02626bbe6d2451708f9f8f97a98f44f4d

Filesize: 329KB
MD5: a50f268850e65b7fc0d863669063b65e
SHA1: 6d63e0dc5f76170a7891be42689b840d0afb8166
SHA256: ed77b335329b99a233c8659d2b5773e05354285bf1e57e7bf0ab18ff9c7e1b32
SHA512: 3cb11470f6a1d956eda7ebde7afed5a87f326e002f4276c9cb2c7c6a4593279dfe37672c1eb580101ed91332676fef9d33b1f8df86fb0b0e356e4c7aa17af4ec

The second artifact matches the submitted sample's size (329KB) but none of its hashes, so an exact-hash indicator built from the original file will not match the on-disk artifact written during the run; hunt for the path and the Run value from the Signatures section as well as the hashes.