2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
Size

262KB
MD5

7fb15605dccd06a70ae7644062a69114
SHA1

3fa5587c045a0e99f2304828e275776154a30ed1
SHA256

2b93f9095e8695ccecddb46f5c79252d226f665d29e781cb53b0b8d237414a29
SHA512

83dda785e21f940a92ab863839130767e15184c83cd828d1778986092c06934a65ae8f81ea32de8b55c129575b3e4f9a8cbe989462fb69664349ee7c8b4c5654
SSDEEP

6144:wZ8Gp+df0afmVTRMdVdpn94sLrNXel9Qb98+MARI:w8YkfXf4TRMn94svNuzQb9Zw

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2864 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

iwge.exe

pid process

2004 iwge.exe
Loads dropped DLL 1 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

pid process

2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

pid	process
2864	cmd.exe

pid	process
2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iwge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4A4DE868-6E67-AD4F-A8F7-B67989399564} = "C:\\Users\\Admin\\AppData\\Roaming\\Giov\\iwge.exe"	iwge.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

description pid process target process

PID 2452 set thread context of 2864 2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 2452 set thread context of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

iwge.exe

pid	process
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe
2004	iwge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
Token: SeSecurityPrivilege	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
Token: SeSecurityPrivilege	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exeiwge.exe

pid process

2452 7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
2004 iwge.exe

pid	process
2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
2004	iwge.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exeiwge.exe

description	pid	process	target process
PID 2452 wrote to memory of 2004	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	iwge.exe
PID 2452 wrote to memory of 2004	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	iwge.exe
PID 2452 wrote to memory of 2004	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	iwge.exe
PID 2452 wrote to memory of 2004	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	iwge.exe
PID 2004 wrote to memory of 1104	2004	iwge.exe	taskhost.exe
PID 2004 wrote to memory of 1104	2004	iwge.exe	taskhost.exe
PID 2004 wrote to memory of 1104	2004	iwge.exe	taskhost.exe
PID 2004 wrote to memory of 1104	2004	iwge.exe	taskhost.exe
PID 2004 wrote to memory of 1104	2004	iwge.exe	taskhost.exe
PID 2004 wrote to memory of 1168	2004	iwge.exe	Dwm.exe
PID 2004 wrote to memory of 1168	2004	iwge.exe	Dwm.exe
PID 2004 wrote to memory of 1168	2004	iwge.exe	Dwm.exe
PID 2004 wrote to memory of 1168	2004	iwge.exe	Dwm.exe
PID 2004 wrote to memory of 1168	2004	iwge.exe	Dwm.exe
PID 2004 wrote to memory of 1216	2004	iwge.exe	Explorer.EXE
PID 2004 wrote to memory of 1216	2004	iwge.exe	Explorer.EXE
PID 2004 wrote to memory of 1216	2004	iwge.exe	Explorer.EXE
PID 2004 wrote to memory of 1216	2004	iwge.exe	Explorer.EXE
PID 2004 wrote to memory of 1216	2004	iwge.exe	Explorer.EXE
PID 2004 wrote to memory of 496	2004	iwge.exe	DllHost.exe
PID 2004 wrote to memory of 496	2004	iwge.exe	DllHost.exe
PID 2004 wrote to memory of 496	2004	iwge.exe	DllHost.exe
PID 2004 wrote to memory of 496	2004	iwge.exe	DllHost.exe
PID 2004 wrote to memory of 496	2004	iwge.exe	DllHost.exe
PID 2004 wrote to memory of 2452	2004	iwge.exe	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
PID 2004 wrote to memory of 2452	2004	iwge.exe	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
PID 2004 wrote to memory of 2452	2004	iwge.exe	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
PID 2004 wrote to memory of 2452	2004	iwge.exe	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
PID 2004 wrote to memory of 2452	2004	iwge.exe	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2864	2452	7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7fb15605dccd06a70ae7644062a69114_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Roaming\Giov\iwge.exe
"C:\Users\Admin\AppData\Roaming\Giov\iwge.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdb9e4c00.bat"
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdb9e4c00.bat

Filesize
271B

MD5
1759b4646c41fed22c089add35ba1492

SHA1
7bf98186e87307716e2f119990b12e074567d042

SHA256
76a9e5028c8f84426bdfb8e505807793b2f7c055753ef9b5677d2b2e0a529327

SHA512
66ea6550a01846d982cb8ed9400bac498def26458bc7f6c3517dffcdf80142f2d76c6b00741d4f3a328d739f7da61585ee343a87eb8d7a55975d258387fa5816

Download Submit
C:\Users\Admin\AppData\Roaming\Caoqy\jazui.nao

Filesize
380B

MD5
6fcc85272fc9b642c190edb841c76be2

SHA1
dc7a7ee5b979b4fe57c252ae1ce226a2b77256a0

SHA256
e2e5666a58e0bd90e4af6387524c9236063dbf8e1a8fbe375dbbbeaf81c2be81

SHA512
190231a231698bd3b4725b60d998614bda679ca8c2e7d94aa1c4cdd171dedfcd78e0a9d112e447ab9c17d427b38af576704d790c9fd5e66149d4deb1349295ac

Download Submit
\Users\Admin\AppData\Roaming\Giov\iwge.exe

Filesize
262KB

MD5
47ef107c1d1a12fff95fdd1c09445932

SHA1
fe684cefb2b06ed2fe9193956c8e267d8aaa1e0b

SHA256
ab61380f0a4933eda688101b4722807a2ccb2e99a6eb0c8c23e869b0d9e2351f

SHA512
9e3c85347deb1abf7d323a23001ab78ff86e96519f4392223af6d9f54e55ec9fe496372c0421669134d2e63cd5c40fc24d67e3c796eda548b30f14fdccdaf716

Download Submit
memory/496-44-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-40-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-38-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/496-42-0x0000000002040000-0x0000000002081000-memory.dmp

Filesize
260KB

Download
memory/1104-17-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-16-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-20-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-19-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1104-18-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1168-26-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-23-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-27-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1168-29-0x00000000001D0000-0x0000000000211000-memory.dmp

Filesize
260KB

Download
memory/1216-32-0x0000000002A50000-0x0000000002A91000-memory.dmp

Filesize
260KB

Download
memory/1216-34-0x0000000002A50000-0x0000000002A91000-memory.dmp

Filesize
260KB

Download
memory/1216-35-0x0000000002A50000-0x0000000002A91000-memory.dmp

Filesize
260KB

Download
memory/1216-33-0x0000000002A50000-0x0000000002A91000-memory.dmp

Filesize
260KB

Download
memory/2004-13-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2004-12-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2004-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2004-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-64-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-74-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-54-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-52-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-50-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-48-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-47-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-49-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-58-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-60-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-62-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-68-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-70-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-72-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-73-0x0000000077B70000-0x0000000077B71000-memory.dmp

Filesize
4KB

Download
memory/2452-56-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-76-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-78-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-66-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-0-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2452-51-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-135-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2452-161-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2452-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-159-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download
memory/2452-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-1-0x0000000000350000-0x0000000000395000-memory.dmp

Filesize
276KB

Download