2db88ba99300bf2ac2cb84ee128c30f35b12aa45f8695e01cb17c26d79f3859e

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
Size

274KB
MD5

822bd98c92c935788e5494b030f463c1
SHA1

eb75dc52ca7399dc8e3bc0aefc816866ea3aa21f
SHA256

2db88ba99300bf2ac2cb84ee128c30f35b12aa45f8695e01cb17c26d79f3859e
SHA512

956d64846cbcfd96d6883ef04e9e52299a493938a3982bcad22a21c8da18207c46b97d206328e46c6ee0fad040eed8e881d7dda70cf5a40c3685a0d4cb998a02
SSDEEP

6144:ocfAOkuD6XenRzYOINC/vVYBnCiiXet9bdhVKeGA5LbW3Evn:ocWUnRgNgiBviXeXbdhV75LCUvn

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1436	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	ebviiq.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\{36F482E8-6FE9-AD4F-5F98-37194FCB1404} = "C:\\Users\\Admin\\AppData\\Roaming\\Wyre\\ebviiq.exe"	ebviiq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe
2280	ebviiq.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
2280	ebviiq.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2280	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2280	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2280	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	31
PID 2940 wrote to memory of 2280	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	31
PID 2280 wrote to memory of 1044	2280	ebviiq.exe	17
PID 2280 wrote to memory of 1044	2280	ebviiq.exe	17
PID 2280 wrote to memory of 1044	2280	ebviiq.exe	17
PID 2280 wrote to memory of 1044	2280	ebviiq.exe	17
PID 2280 wrote to memory of 1044	2280	ebviiq.exe	17
PID 2280 wrote to memory of 1072	2280	ebviiq.exe	18
PID 2280 wrote to memory of 1072	2280	ebviiq.exe	18
PID 2280 wrote to memory of 1072	2280	ebviiq.exe	18
PID 2280 wrote to memory of 1072	2280	ebviiq.exe	18
PID 2280 wrote to memory of 1072	2280	ebviiq.exe	18
PID 2280 wrote to memory of 1112	2280	ebviiq.exe	20
PID 2280 wrote to memory of 1112	2280	ebviiq.exe	20
PID 2280 wrote to memory of 1112	2280	ebviiq.exe	20
PID 2280 wrote to memory of 1112	2280	ebviiq.exe	20
PID 2280 wrote to memory of 1112	2280	ebviiq.exe	20
PID 2280 wrote to memory of 1864	2280	ebviiq.exe	25
PID 2280 wrote to memory of 1864	2280	ebviiq.exe	25
PID 2280 wrote to memory of 1864	2280	ebviiq.exe	25
PID 2280 wrote to memory of 1864	2280	ebviiq.exe	25
PID 2280 wrote to memory of 1864	2280	ebviiq.exe	25
PID 2280 wrote to memory of 2940	2280	ebviiq.exe	30
PID 2280 wrote to memory of 2940	2280	ebviiq.exe	30
PID 2280 wrote to memory of 2940	2280	ebviiq.exe	30
PID 2280 wrote to memory of 2940	2280	ebviiq.exe	30
PID 2280 wrote to memory of 2940	2280	ebviiq.exe	30
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32
PID 2940 wrote to memory of 1436	2940	822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe	32

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1072
- C:\Users\Admin\AppData\Local\Temp\822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\822bd98c92c935788e5494b030f463c1_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Roaming\Wyre\ebviiq.exe
    "C:\Users\Admin\AppData\Roaming\Wyre\ebviiq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd96a6648.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1436

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd96a6648.bat

Filesize
271B

MD5
2dfae7351b4794995ac939c114b1d782

SHA1
20a8eca3b6aa3398c0d98493592e970ff204ff48

SHA256
21146e12e23e1c18cfc71f1420fb5310eb713a2eef1f4d7aeac50567fda34efd

SHA512
cc89000317e95d0ab73ff29c43a42df23fa01a05ab75a72c46d60558d8336551d1b37df3a30496d7772ab338e41ca824b17bb1fb79a50ea1f4742e3e76f21afc

Download Submit
\Users\Admin\AppData\Roaming\Wyre\ebviiq.exe

Filesize
274KB

MD5
0801c5ced079fd0875c04504d94633a9

SHA1
6e667e2f88e8c0b0601f9b07ba24e69425576f48

SHA256
d97ebecc096152fe53db2ddcf00aa427b6e9097541b46eb29f18a0947ad501fa

SHA512
87f2d84812ee7e9eb3ed265c529497a701740c2a168307ac93cbd70b79c4b5b12cb02be9de3453099a57e7d9284e7b599d7da056e07b58ab2ea284ccaf7476d9

Download Submit
memory/1044-18-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1044-20-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1044-19-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1044-17-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1044-21-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1072-26-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1072-25-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1072-24-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1072-23-0x0000000002EA0000-0x0000000002EE4000-memory.dmp

Filesize
272KB

Download
memory/1112-30-0x00000000021C0000-0x0000000002204000-memory.dmp

Filesize
272KB

Download
memory/1112-31-0x00000000021C0000-0x0000000002204000-memory.dmp

Filesize
272KB

Download
memory/1112-34-0x00000000021C0000-0x0000000002204000-memory.dmp

Filesize
272KB

Download
memory/1112-35-0x00000000021C0000-0x0000000002204000-memory.dmp

Filesize
272KB

Download
memory/1864-41-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1864-40-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1864-38-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/1864-39-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2280-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2280-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2280-280-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2280-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2280-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-78-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-60-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-58-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-56-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-54-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-52-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-50-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-48-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-46-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-45-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-43-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-64-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-65-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-62-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-74-0x0000000077040000-0x0000000077041000-memory.dmp

Filesize
4KB

Download
memory/2940-76-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-157-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-158-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-44-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-134-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2940-47-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2940-2-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/2940-5-0x0000000000510000-0x0000000000558000-memory.dmp

Filesize
288KB

Download
memory/2940-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2940-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download