589102099622ea5e39289aee3819242650a5b5f418eb6827c4c60201a09161e2

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
Size

262KB
MD5

7580de5edbe07ae539d7021b092d2b29
SHA1

d3839b47e35cc6c14872b164d71d137ef9211f70
SHA256

589102099622ea5e39289aee3819242650a5b5f418eb6827c4c60201a09161e2
SHA512

1b1555631e3f9510d0d1fdf2cabeee33b5408ee738358c3f2bceafd4c02b201d8ac00f21004eab8d56cc39ed4c9be7984e68df66187810dca6382fee8011f15e
SSDEEP

6144:HU8Gp+df0afmVTRMdOdpn94sLrNXel9jb98+MAkC:08YkfXf4TRMS94svNuzjb9ZD

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2416	ojez.exe

Loads dropped DLL 1 IoCs

pid	Process
828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Zeuteb\\ojez.exe"	ojez.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 828 set thread context of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe
2416	ojez.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
Token: SeSecurityPrivilege	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
Token: SeSecurityPrivilege	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
2416	ojez.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2416	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	30
PID 828 wrote to memory of 2416	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	30
PID 828 wrote to memory of 2416	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	30
PID 828 wrote to memory of 2416	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1116	2416	ojez.exe	19
PID 2416 wrote to memory of 1116	2416	ojez.exe	19
PID 2416 wrote to memory of 1116	2416	ojez.exe	19
PID 2416 wrote to memory of 1116	2416	ojez.exe	19
PID 2416 wrote to memory of 1116	2416	ojez.exe	19
PID 2416 wrote to memory of 1204	2416	ojez.exe	20
PID 2416 wrote to memory of 1204	2416	ojez.exe	20
PID 2416 wrote to memory of 1204	2416	ojez.exe	20
PID 2416 wrote to memory of 1204	2416	ojez.exe	20
PID 2416 wrote to memory of 1204	2416	ojez.exe	20
PID 2416 wrote to memory of 1252	2416	ojez.exe	21
PID 2416 wrote to memory of 1252	2416	ojez.exe	21
PID 2416 wrote to memory of 1252	2416	ojez.exe	21
PID 2416 wrote to memory of 1252	2416	ojez.exe	21
PID 2416 wrote to memory of 1252	2416	ojez.exe	21
PID 2416 wrote to memory of 932	2416	ojez.exe	25
PID 2416 wrote to memory of 932	2416	ojez.exe	25
PID 2416 wrote to memory of 932	2416	ojez.exe	25
PID 2416 wrote to memory of 932	2416	ojez.exe	25
PID 2416 wrote to memory of 932	2416	ojez.exe	25
PID 2416 wrote to memory of 828	2416	ojez.exe	29
PID 2416 wrote to memory of 828	2416	ojez.exe	29
PID 2416 wrote to memory of 828	2416	ojez.exe	29
PID 2416 wrote to memory of 828	2416	ojez.exe	29
PID 2416 wrote to memory of 828	2416	ojez.exe	29
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31
PID 828 wrote to memory of 2696	828	7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7580de5edbe07ae539d7021b092d2b29_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Roaming\Zeuteb\ojez.exe
    "C:\Users\Admin\AppData\Roaming\Zeuteb\ojez.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6d524c68.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6d524c68.bat

Filesize
271B

MD5
57df20a3c82edad588a75c3c850cf963

SHA1
007a281cc9217b4468e3446d02ef702b0adf4e42

SHA256
8c9e32d6709d60e917c397e8765a51fcd83f68f3848721cdf777e7d6f1dff559

SHA512
1829625be9546a17e138a532f092debcbfae8a0dd843bc86754e2b261abdd9efddc3710c1e35199000981667e881c519764b1d48d2bee39f7fbbfc3f904b82b3

Download Submit
C:\Users\Admin\AppData\Roaming\Emyzo\fywo.joe

Filesize
380B

MD5
1fe97218ebeae753be13306223633d76

SHA1
ac319a33709243b93d98ce76d87e3aee34d28f80

SHA256
a3122b30955fe2ffb5a3af3eb42daa2bdc3b7d4e61f4e032b9dc83a3a37c26a7

SHA512
37be4e489ac42f7808a46365dc9d2723447ac2373d4ee9c198b327b6b8191a7e705aee4e734834006b0d560fc43ef156cdc84f088e93ca04f6161e206b7a6236

Download Submit
\Users\Admin\AppData\Roaming\Zeuteb\ojez.exe

Filesize
262KB

MD5
af71ee673c9728de04ec519891fb6288

SHA1
e4590adf5343ffa875e922a77814b5a1080e9ecd

SHA256
5f5656f87fd60558e52996fffff82ecdc3d7c0776116c41030773f160a306c7d

SHA512
13a1c8f22cc4167c938d4e95b51d8487fad2672e07167691d4cb03b5882b2afecf5add306f10766390520fd63c2ac4741cff8f90885738675fcb9f08f38398a6

Download Submit
memory/828-45-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/828-60-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-1-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/828-157-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/828-49-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/828-68-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-71-0x0000000077BA0000-0x0000000077BA1000-memory.dmp

Filesize
4KB

Download
memory/828-66-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-64-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-62-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-58-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-56-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-54-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-52-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-50-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-47-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/828-77-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-75-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-73-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-70-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-0-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/828-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-156-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/828-43-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/828-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-132-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/828-41-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/932-33-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/932-38-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/932-36-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/932-34-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1116-20-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/1116-19-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/1116-16-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/1116-18-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/1116-17-0x0000000001E70000-0x0000000001EB1000-memory.dmp

Filesize
260KB

Download
memory/1204-23-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1204-25-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1204-22-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1204-24-0x0000000001AE0000-0x0000000001B21000-memory.dmp

Filesize
260KB

Download
memory/1252-30-0x0000000002A80000-0x0000000002AC1000-memory.dmp

Filesize
260KB

Download
memory/1252-29-0x0000000002A80000-0x0000000002AC1000-memory.dmp

Filesize
260KB

Download
memory/1252-27-0x0000000002A80000-0x0000000002AC1000-memory.dmp

Filesize
260KB

Download
memory/1252-28-0x0000000002A80000-0x0000000002AC1000-memory.dmp

Filesize
260KB

Download
memory/2416-14-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/2416-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2416-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2416-276-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2416-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download