5f3c47f1baa95980e6e30bdd98a55c05b53d3cffa055320ccc8683b95b276bf3

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
Size

333KB
MD5

82245542bb175ce1a563edcd990825df
SHA1

ebc0edbc42cea698a7ef1a962bae234b03262059
SHA256

5f3c47f1baa95980e6e30bdd98a55c05b53d3cffa055320ccc8683b95b276bf3
SHA512

8014519d7d14739988417ce9e9d02bed5c4c63e21898919c89f49582e111e02be7debc48c7f7e2dfd8fd2b39c664423201f2ce5694e06be9f780947ed95b888c
SSDEEP

6144:fdddQZbZKxgka/p65VIkgnjBj6aurMeXeUd7uloiIv0B:fnaZKxIw3063MWeUFuG/k

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2268	elyjo.exe
2832	elyjo.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C6C07C68-68EF-AD4F-3837-F372201AD06F} = "C:\\Users\\Admin\\AppData\\Roaming\\Omga\\elyjo.exe"	elyjo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2268 set thread context of 2832	2268	elyjo.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	elyjo.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe
2832	elyjo.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2984 wrote to memory of 2092	2984	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2268	2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2268	2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2268	2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2268	2092	82245542bb175ce1a563edcd990825df_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2268 wrote to memory of 2832	2268	elyjo.exe	33
PID 2832 wrote to memory of 1112	2832	elyjo.exe	19
PID 2832 wrote to memory of 1112	2832	elyjo.exe	19
PID 2832 wrote to memory of 1112	2832	elyjo.exe	19
PID 2832 wrote to memory of 1112	2832	elyjo.exe	19
PID 2832 wrote to memory of 1112	2832	elyjo.exe	19
PID 2832 wrote to memory of 1172	2832	elyjo.exe	20
PID 2832 wrote to memory of 1172	2832	elyjo.exe	20
PID 2832 wrote to memory of 1172	2832	elyjo.exe	20
PID 2832 wrote to memory of 1172	2832	elyjo.exe	20
PID 2832 wrote to memory of 1172	2832	elyjo.exe	20
PID 2832 wrote to memory of 1232	2832	elyjo.exe	21
PID 2832 wrote to memory of 1232	2832	elyjo.exe	21
PID 2832 wrote to memory of 1232	2832	elyjo.exe	21
PID 2832 wrote to memory of 1232	2832	elyjo.exe	21
PID 2832 wrote to memory of 1232	2832	elyjo.exe	21
PID 2832 wrote to memory of 1612	2832	elyjo.exe	25
PID 2832 wrote to memory of 1612	2832	elyjo.exe	25
PID 2832 wrote to memory of 1612	2832	elyjo.exe	25
PID 2832 wrote to memory of 1612	2832	elyjo.exe	25
PID 2832 wrote to memory of 1612	2832	elyjo.exe	25
PID 2832 wrote to memory of 2092	2832	elyjo.exe	31
PID 2832 wrote to memory of 2092	2832	elyjo.exe	31
PID 2832 wrote to memory of 2092	2832	elyjo.exe	31
PID 2832 wrote to memory of 2092	2832	elyjo.exe	31
PID 2832 wrote to memory of 2092	2832	elyjo.exe	31
PID 2832 wrote to memory of 2624	2832	elyjo.exe	34
PID 2832 wrote to memory of 2624	2832	elyjo.exe	34
PID 2832 wrote to memory of 2624	2832	elyjo.exe	34
PID 2832 wrote to memory of 2624	2832	elyjo.exe	34
PID 2832 wrote to memory of 2624	2832	elyjo.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\82245542bb175ce1a563edcd990825df_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\82245542bb175ce1a563edcd990825df_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\82245542bb175ce1a563edcd990825df_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Roaming\Omga\elyjo.exe
      "C:\Users\Admin\AppData\Roaming\Omga\elyjo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Users\Admin\AppData\Roaming\Omga\elyjo.exe
        
        "C:\Users\Admin\AppData\Roaming\Omga\elyjo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9834247d.bat"
      4⤵
      PID:2624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Omga\elyjo.exe

Filesize
333KB

MD5
56de5f1c9209ea2dd3f7ca65349cb10a

SHA1
cd7b48240410f935123cdbf0c0c76ccb4b1159e0

SHA256
f0190c991c6c3b79dc906ad312135a4f863499d9d75f99f4a794164936890128

SHA512
7766e841bd7e795bafa19af79f5b1a28321f7e801b9bf151972785a70e8d79cc605ff52447b27f98de10d4d6875f205f8abc3c1aa55459bd105787e412ff1fcd

Download Submit
memory/1112-50-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1112-51-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1112-52-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1112-53-0x00000000003B0000-0x00000000003F4000-memory.dmp

Filesize
272KB

Download
memory/1172-58-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1172-56-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1172-57-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1172-55-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1232-60-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1232-61-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1232-62-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1232-63-0x0000000002DF0000-0x0000000002E34000-memory.dmp

Filesize
272KB

Download
memory/1612-68-0x0000000001CB0000-0x0000000001CF4000-memory.dmp

Filesize
272KB

Download
memory/1612-65-0x0000000001CB0000-0x0000000001CF4000-memory.dmp

Filesize
272KB

Download
memory/1612-66-0x0000000001CB0000-0x0000000001CF4000-memory.dmp

Filesize
272KB

Download
memory/1612-67-0x0000000001CB0000-0x0000000001CF4000-memory.dmp

Filesize
272KB

Download
memory/2092-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-72-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2092-71-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2092-70-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2092-76-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2092-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2092-24-0x00000000003A0000-0x00000000003F8000-memory.dmp

Filesize
352KB

Download
memory/2092-74-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2092-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2268-46-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2832-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2832-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2984-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2984-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download