f0c989429b8bb7d29955d0b8706e369bfa7658ba0de485eb720656c665c8b0dc

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
Size

329KB
MD5

7239d539104cbe63c5a210cdeb78aecc
SHA1

8b094d68d17a1026e24b1d83a0f70bbd6d32a3ba
SHA256

f0c989429b8bb7d29955d0b8706e369bfa7658ba0de485eb720656c665c8b0dc
SHA512

b11e58fe5a0e0090bef46387932a53ce8240552a860f885b013cc3f9607e24faa1cc957ca97461363198d0403a96a4d72217c8fde34ad859f31b779014ebcb29
SSDEEP

6144:4YwaU+TjJN6Qy/VNoUKIVflNiLoWtMa9QJTPPWZYbYZ:PwP+P6QENooiX+a9Q1nWZ5

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	nuisvu.exe

Loads dropped DLL 2 IoCs

pid	Process
1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Ihygoh\\nuisvu.exe"	nuisvu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuisvu.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe
2816	nuisvu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
2816	nuisvu.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2816	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	30
PID 1824 wrote to memory of 2816	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	30
PID 1824 wrote to memory of 2816	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	30
PID 1824 wrote to memory of 2816	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	30
PID 2816 wrote to memory of 1116	2816	nuisvu.exe	19
PID 2816 wrote to memory of 1116	2816	nuisvu.exe	19
PID 2816 wrote to memory of 1116	2816	nuisvu.exe	19
PID 2816 wrote to memory of 1116	2816	nuisvu.exe	19
PID 2816 wrote to memory of 1116	2816	nuisvu.exe	19
PID 2816 wrote to memory of 1180	2816	nuisvu.exe	20
PID 2816 wrote to memory of 1180	2816	nuisvu.exe	20
PID 2816 wrote to memory of 1180	2816	nuisvu.exe	20
PID 2816 wrote to memory of 1180	2816	nuisvu.exe	20
PID 2816 wrote to memory of 1180	2816	nuisvu.exe	20
PID 2816 wrote to memory of 1208	2816	nuisvu.exe	21
PID 2816 wrote to memory of 1208	2816	nuisvu.exe	21
PID 2816 wrote to memory of 1208	2816	nuisvu.exe	21
PID 2816 wrote to memory of 1208	2816	nuisvu.exe	21
PID 2816 wrote to memory of 1208	2816	nuisvu.exe	21
PID 2816 wrote to memory of 640	2816	nuisvu.exe	25
PID 2816 wrote to memory of 640	2816	nuisvu.exe	25
PID 2816 wrote to memory of 640	2816	nuisvu.exe	25
PID 2816 wrote to memory of 640	2816	nuisvu.exe	25
PID 2816 wrote to memory of 640	2816	nuisvu.exe	25
PID 2816 wrote to memory of 1824	2816	nuisvu.exe	29
PID 2816 wrote to memory of 1824	2816	nuisvu.exe	29
PID 2816 wrote to memory of 1824	2816	nuisvu.exe	29
PID 2816 wrote to memory of 1824	2816	nuisvu.exe	29
PID 2816 wrote to memory of 1824	2816	nuisvu.exe	29
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 1824 wrote to memory of 1644	1824	7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2452	2816	nuisvu.exe	34
PID 2816 wrote to memory of 2452	2816	nuisvu.exe	34
PID 2816 wrote to memory of 2452	2816	nuisvu.exe	34
PID 2816 wrote to memory of 2452	2816	nuisvu.exe	34
PID 2816 wrote to memory of 2452	2816	nuisvu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7239d539104cbe63c5a210cdeb78aecc_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe
    "C:\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp46162b11.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46162b11.bat

Filesize
271B

MD5
7e7c15a121e50e6653917f43b22c5468

SHA1
c6959597eebf4c02d71a5a6362b662451536d9ef

SHA256
8d720e95eea5337a5dd77e48eda0a3a244561b7c81a381f72fa7401b072573ff

SHA512
2a40f4532a6572b74cb5138a3e4faeafb929f4c7689bd38fdf166749857acd78ad2e837abdade7b0002b3c210e861fe02626bbe6d2451708f9f8f97a98f44f4d

Download Submit
\Users\Admin\AppData\Roaming\Ihygoh\nuisvu.exe

Filesize
329KB

MD5
a50f268850e65b7fc0d863669063b65e

SHA1
6d63e0dc5f76170a7891be42689b840d0afb8166

SHA256
ed77b335329b99a233c8659d2b5773e05354285bf1e57e7bf0ab18ff9c7e1b32

SHA512
3cb11470f6a1d956eda7ebde7afed5a87f326e002f4276c9cb2c7c6a4593279dfe37672c1eb580101ed91332676fef9d33b1f8df86fb0b0e356e4c7aa17af4ec

Download Submit
memory/640-38-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/640-40-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/640-36-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/640-42-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1116-23-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1116-22-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1116-21-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1116-24-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1116-19-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1180-26-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1180-27-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1180-28-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1180-29-0x0000000001EF0000-0x0000000001F34000-memory.dmp

Filesize
272KB

Download
memory/1208-31-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1208-33-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1208-34-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1208-32-0x0000000002550000-0x0000000002594000-memory.dmp

Filesize
272KB

Download
memory/1824-79-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-71-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-60-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-58-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-56-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-54-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-51-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1824-47-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1824-45-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1824-63-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-65-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-67-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-69-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-75-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-77-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-0-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1824-81-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-62-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/1824-73-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1824-53-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1824-1-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/1824-161-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/1824-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-49-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1824-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1824-138-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2816-16-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2816-17-0x0000000000360000-0x00000000003B6000-memory.dmp

Filesize
344KB

Download
memory/2816-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2816-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download