66c7f9516e0f564e90ac8fa9c783bc29c3a57bd98d76bae797945ee4a4495d71

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
Size

293KB
MD5

779156930f35c787b6db9d4a3c33cc05
SHA1

171214c93c3fbe11e06480588bd38ef4f5b67981
SHA256

66c7f9516e0f564e90ac8fa9c783bc29c3a57bd98d76bae797945ee4a4495d71
SHA512

65bb46caa2607fc6703a1614227a804aef6749bdaa3b58a379615e971b3f47f4c9cc177c1536498ccc7a1e0d824048c8818c73b4f393dfca1b4b97aeab3f0e8c
SSDEEP

6144:EPdMyMANEVzGlcEDUl4qaRYVQ+CJTGbusJRhgnGXcjD7Xm2BeddhMHpmMDr:mNEh8cSLqdtCsisDhgnGABBedDMJmMX

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
596	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2536	vuoqa.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ucygeg\\vuoqa.exe"	vuoqa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuoqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe
2536	vuoqa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
Token: SeSecurityPrivilege	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
Token: SeSecurityPrivilege	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
2536	vuoqa.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2536	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2536	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2536	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2536	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	30
PID 2536 wrote to memory of 1120	2536	vuoqa.exe	19
PID 2536 wrote to memory of 1120	2536	vuoqa.exe	19
PID 2536 wrote to memory of 1120	2536	vuoqa.exe	19
PID 2536 wrote to memory of 1120	2536	vuoqa.exe	19
PID 2536 wrote to memory of 1120	2536	vuoqa.exe	19
PID 2536 wrote to memory of 1168	2536	vuoqa.exe	20
PID 2536 wrote to memory of 1168	2536	vuoqa.exe	20
PID 2536 wrote to memory of 1168	2536	vuoqa.exe	20
PID 2536 wrote to memory of 1168	2536	vuoqa.exe	20
PID 2536 wrote to memory of 1168	2536	vuoqa.exe	20
PID 2536 wrote to memory of 1216	2536	vuoqa.exe	21
PID 2536 wrote to memory of 1216	2536	vuoqa.exe	21
PID 2536 wrote to memory of 1216	2536	vuoqa.exe	21
PID 2536 wrote to memory of 1216	2536	vuoqa.exe	21
PID 2536 wrote to memory of 1216	2536	vuoqa.exe	21
PID 2536 wrote to memory of 1208	2536	vuoqa.exe	23
PID 2536 wrote to memory of 1208	2536	vuoqa.exe	23
PID 2536 wrote to memory of 1208	2536	vuoqa.exe	23
PID 2536 wrote to memory of 1208	2536	vuoqa.exe	23
PID 2536 wrote to memory of 1208	2536	vuoqa.exe	23
PID 2536 wrote to memory of 3016	2536	vuoqa.exe	29
PID 2536 wrote to memory of 3016	2536	vuoqa.exe	29
PID 2536 wrote to memory of 3016	2536	vuoqa.exe	29
PID 2536 wrote to memory of 3016	2536	vuoqa.exe	29
PID 2536 wrote to memory of 3016	2536	vuoqa.exe	29
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31
PID 3016 wrote to memory of 596	3016	779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\779156930f35c787b6db9d4a3c33cc05_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\Ucygeg\vuoqa.exe
    "C:\Users\Admin\AppData\Roaming\Ucygeg\vuoqa.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc2892388.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc2892388.bat

Filesize
271B

MD5
f2435e79c1cb5c0caf5403820ef7f510

SHA1
d5eb92169cb10222bd06a16ff35e9b68ec1739d9

SHA256
12842336f819525935bc79b48ca37ffc48a13c11ea1cd9d8aa67c074f51e6c9b

SHA512
db9cd321cc6e88f6fedf328cbaf59ce84957ac0aa48049bafabea5e668b65c6d224691b9b6ea50658ac608e5240772baf56d8b1a49e38073421dca5b5d3b907a

Download Submit
C:\Users\Admin\AppData\Roaming\Ebmuhi\jaoq.zae

Filesize
380B

MD5
cd31cef25f558f2d441dab4061802dcc

SHA1
d6e562fa1dbe2272d47a30dbfb3e9207cd912d58

SHA256
bd3fe583e06a3b7e6eeac330eaddaf8511e39bdf54dc5dbf38406b27f4ae929c

SHA512
9da151a554b0e49080e70c38e07fd2614e3ef0915ab16f82073948d52903b023f33c41d971d988f94041d27d3a1e1e74fee4d2319560fe1fffcef5888b2d6857

Download Submit
\Users\Admin\AppData\Roaming\Ucygeg\vuoqa.exe

Filesize
293KB

MD5
9cc18007cb2eb28bb275289677d2a323

SHA1
350bfbc9ecb6c18daf268b75a7a92dfef1409ad8

SHA256
b791bd8450475d8aa73a84f792a307e9b9fe0336cc0e1cdd627dab4f89e0b630

SHA512
62b0b7ffc2525e59f754610f74c705fdb06d4505f3a67f7943a1eee419dc541c3166d3e08569a6fa251b9075bf8a7b5793515bf864362b052d9172880873c938

Download Submit
memory/1120-15-0x0000000002200000-0x0000000002241000-memory.dmp

Filesize
260KB

Download
memory/1120-16-0x0000000002200000-0x0000000002241000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000002200000-0x0000000002241000-memory.dmp

Filesize
260KB

Download
memory/1120-17-0x0000000002200000-0x0000000002241000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000002200000-0x0000000002241000-memory.dmp

Filesize
260KB

Download
memory/1168-29-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1168-31-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1168-25-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1168-27-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1208-41-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1208-42-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1208-39-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1208-40-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1216-37-0x0000000002E10000-0x0000000002E51000-memory.dmp

Filesize
260KB

Download
memory/1216-36-0x0000000002E10000-0x0000000002E51000-memory.dmp

Filesize
260KB

Download
memory/1216-34-0x0000000002E10000-0x0000000002E51000-memory.dmp

Filesize
260KB

Download
memory/1216-35-0x0000000002E10000-0x0000000002E51000-memory.dmp

Filesize
260KB

Download
memory/2536-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-20-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2536-21-0x0000000000390000-0x00000000003DB000-memory.dmp

Filesize
300KB

Download
memory/3016-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-46-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-49-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-48-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-45-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-50-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-44-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-47-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-132-0x0000000077850000-0x0000000077851000-memory.dmp

Filesize
4KB

Download
memory/3016-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-159-0x0000000001D80000-0x0000000001DC1000-memory.dmp

Filesize
260KB

Download
memory/3016-158-0x0000000000350000-0x000000000039B000-memory.dmp

Filesize
300KB

Download
memory/3016-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-156-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3016-0-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/3016-1-0x0000000000350000-0x000000000039B000-memory.dmp

Filesize
300KB

Download