f706eee356d07bade5c477067e579804ba32f3e28472999a8742d12af45d28a2

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
Size

262KB
MD5

7b64f943dd4c0922baf34d73dc673cb2
SHA1

52f2e206f85e0184f24ae3225bbf9493d6dd5dfc
SHA256

f706eee356d07bade5c477067e579804ba32f3e28472999a8742d12af45d28a2
SHA512

e60fa8ef0933279a2c925c1316c60626d5a8dc8bf3822593277727fa7172f01367bab1331e0f8be19089da0bb9d17054996b0ad1b81fc57480bde2e6247af36a
SSDEEP

6144:/58Gp+df0afmVTRMdbdpn94sLrNXel9Bb98+MAt/:B8YkfXf4TRMl94svNuzBb9Zr

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

exli.exe

pid process

2840 exli.exe
Loads dropped DLL 1 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

pid process

1620 7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

pid	process
1784	cmd.exe

pid	process
1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

exli.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Gixoaj\\exli.exe"	exli.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

description pid process target process

PID 1620 set thread context of 1784 1620 7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 1620 set thread context of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

exli.exe

pid	process
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe
2840	exli.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
Token: SeSecurityPrivilege	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
Token: SeSecurityPrivilege	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exeexli.exe

pid process

1620 7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
2840 exli.exe

pid	process
1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
2840	exli.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exeexli.exe

description	pid	process	target process
PID 1620 wrote to memory of 2840	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	exli.exe
PID 1620 wrote to memory of 2840	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	exli.exe
PID 1620 wrote to memory of 2840	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	exli.exe
PID 1620 wrote to memory of 2840	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	exli.exe
PID 2840 wrote to memory of 1120	2840	exli.exe	taskhost.exe
PID 2840 wrote to memory of 1120	2840	exli.exe	taskhost.exe
PID 2840 wrote to memory of 1120	2840	exli.exe	taskhost.exe
PID 2840 wrote to memory of 1120	2840	exli.exe	taskhost.exe
PID 2840 wrote to memory of 1120	2840	exli.exe	taskhost.exe
PID 2840 wrote to memory of 1180	2840	exli.exe	Dwm.exe
PID 2840 wrote to memory of 1180	2840	exli.exe	Dwm.exe
PID 2840 wrote to memory of 1180	2840	exli.exe	Dwm.exe
PID 2840 wrote to memory of 1180	2840	exli.exe	Dwm.exe
PID 2840 wrote to memory of 1180	2840	exli.exe	Dwm.exe
PID 2840 wrote to memory of 1208	2840	exli.exe	Explorer.EXE
PID 2840 wrote to memory of 1208	2840	exli.exe	Explorer.EXE
PID 2840 wrote to memory of 1208	2840	exli.exe	Explorer.EXE
PID 2840 wrote to memory of 1208	2840	exli.exe	Explorer.EXE
PID 2840 wrote to memory of 1208	2840	exli.exe	Explorer.EXE
PID 2840 wrote to memory of 1288	2840	exli.exe	DllHost.exe
PID 2840 wrote to memory of 1288	2840	exli.exe	DllHost.exe
PID 2840 wrote to memory of 1288	2840	exli.exe	DllHost.exe
PID 2840 wrote to memory of 1288	2840	exli.exe	DllHost.exe
PID 2840 wrote to memory of 1288	2840	exli.exe	DllHost.exe
PID 2840 wrote to memory of 1620	2840	exli.exe	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
PID 2840 wrote to memory of 1620	2840	exli.exe	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
PID 2840 wrote to memory of 1620	2840	exli.exe	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
PID 2840 wrote to memory of 1620	2840	exli.exe	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
PID 2840 wrote to memory of 1620	2840	exli.exe	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe
PID 1620 wrote to memory of 1784	1620	7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b64f943dd4c0922baf34d73dc673cb2_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\Gixoaj\exli.exe
"C:\Users\Admin\AppData\Roaming\Gixoaj\exli.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp667ad378.bat"
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp667ad378.bat

Filesize
271B

MD5
9295e29cd4f297e80243405fe798e57b

SHA1
527726bda37394023cbccda3431661fc184102b4

SHA256
98d1a7f5def17f6f3c9f1e2c3496b45dc10d2de0f73264da28a55b89faaa6abd

SHA512
a8316e8c558ec9099900442803b18586dac24220928906d028351e579801cc7aac018662e1e0c49deae2055203409c7d83718c1470630c6d2058f2563a873d09

Download Submit
C:\Users\Admin\AppData\Roaming\Gixoaj\exli.exe

Filesize
262KB

MD5
5695ab15d3a93a2737b9dc73b2a3e429

SHA1
0d35566c3ccdc58a86784bda10a45495d8c8dcbd

SHA256
b148cf817e394585c1e069a14e7bf7bd248519e84a8fe5c3b80bf587e3e427c3

SHA512
a3ac12dc2474b3dec48399eec57ae151be8f6789c8a9660905d2311460d201e57a06c9e2c80d801d2ae1312517266d3f3d9ed810e3c3b814bef0efe331352798

Download Submit
C:\Users\Admin\AppData\Roaming\Paahes\iccoc.tue

Filesize
380B

MD5
e85718f7da004febff64e5ba9f08653f

SHA1
91e8c9e681b7c0711c0429cbdab57403cdb8b001

SHA256
741f5906aa395ccee32894b6d48e3f3e14c528b51e6961109d189314510d8161

SHA512
420a31a1f8f867a4edb5e02a4b50ee71dc5cc851740f3fc7203201f1daef0e4dab5855420700976e6c77ec3e6381e0fa0e19263504f12c0b4245ce81e6905e60

Download Submit
memory/1120-19-0x0000000002290000-0x00000000022D1000-memory.dmp

Filesize
260KB

Download
memory/1120-16-0x0000000002290000-0x00000000022D1000-memory.dmp

Filesize
260KB

Download
memory/1120-17-0x0000000002290000-0x00000000022D1000-memory.dmp

Filesize
260KB

Download
memory/1120-15-0x0000000002290000-0x00000000022D1000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000002290000-0x00000000022D1000-memory.dmp

Filesize
260KB

Download
memory/1180-26-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1180-22-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1180-24-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1180-28-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/1208-33-0x0000000002470000-0x00000000024B1000-memory.dmp

Filesize
260KB

Download
memory/1208-31-0x0000000002470000-0x00000000024B1000-memory.dmp

Filesize
260KB

Download
memory/1208-32-0x0000000002470000-0x00000000024B1000-memory.dmp

Filesize
260KB

Download
memory/1208-34-0x0000000002470000-0x00000000024B1000-memory.dmp

Filesize
260KB

Download
memory/1288-39-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1288-38-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1288-37-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1288-36-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1620-43-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-55-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-44-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-45-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-46-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-1-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/1620-0-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1620-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-42-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-53-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-59-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-61-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-63-0x0000000077970000-0x0000000077971000-memory.dmp

Filesize
4KB

Download
memory/1620-66-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-57-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-41-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-51-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-49-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-47-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-72-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-68-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-130-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1620-156-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1620-155-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/1620-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2840-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-274-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-275-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download