3723c6b7f6b1446da170e055dbbb4c048e07001ab838d16648a6b06f014f439b

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 02:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
Size

284KB
MD5

829d4a95f2db34c695ac1a5f06bfe050
SHA1

487a0c45611ddc440411ebd931b213fad2bf346a
SHA256

3723c6b7f6b1446da170e055dbbb4c048e07001ab838d16648a6b06f014f439b
SHA512

7743308dd12d36364c9d7a1ef973a60faf82ee6b0fbba5ca7549b6a551fc4a3bb538c17acda3d977e7a878b363934c472dc5070eece736a352feceedc4b544eb
SSDEEP

6144:8jJQFdnwLtxP+jHR8h2Rao9LyFsvNbi/O1Pr/V9P3I5:MQbMxP+jHRzXLyFsFbgOBN

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2492	sakav.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4363D88-6FEF-AD4F-FCEF-4765F9626478} = "C:\\Users\\Admin\\AppData\\Roaming\\Uxar\\sakav.exe"	sakav.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sakav.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe
2492	sakav.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
Token: SeSecurityPrivilege	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
Token: SeSecurityPrivilege	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
2492	sakav.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2492	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2492	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2492	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2492	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	30
PID 2492 wrote to memory of 1096	2492	sakav.exe	19
PID 2492 wrote to memory of 1096	2492	sakav.exe	19
PID 2492 wrote to memory of 1096	2492	sakav.exe	19
PID 2492 wrote to memory of 1096	2492	sakav.exe	19
PID 2492 wrote to memory of 1096	2492	sakav.exe	19
PID 2492 wrote to memory of 1152	2492	sakav.exe	20
PID 2492 wrote to memory of 1152	2492	sakav.exe	20
PID 2492 wrote to memory of 1152	2492	sakav.exe	20
PID 2492 wrote to memory of 1152	2492	sakav.exe	20
PID 2492 wrote to memory of 1152	2492	sakav.exe	20
PID 2492 wrote to memory of 1196	2492	sakav.exe	21
PID 2492 wrote to memory of 1196	2492	sakav.exe	21
PID 2492 wrote to memory of 1196	2492	sakav.exe	21
PID 2492 wrote to memory of 1196	2492	sakav.exe	21
PID 2492 wrote to memory of 1196	2492	sakav.exe	21
PID 2492 wrote to memory of 1388	2492	sakav.exe	24
PID 2492 wrote to memory of 1388	2492	sakav.exe	24
PID 2492 wrote to memory of 1388	2492	sakav.exe	24
PID 2492 wrote to memory of 1388	2492	sakav.exe	24
PID 2492 wrote to memory of 1388	2492	sakav.exe	24
PID 2492 wrote to memory of 1968	2492	sakav.exe	29
PID 2492 wrote to memory of 1968	2492	sakav.exe	29
PID 2492 wrote to memory of 1968	2492	sakav.exe	29
PID 2492 wrote to memory of 1968	2492	sakav.exe	29
PID 2492 wrote to memory of 1968	2492	sakav.exe	29
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1308	1968	829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\829d4a95f2db34c695ac1a5f06bfe050_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Roaming\Uxar\sakav.exe
    "C:\Users\Admin\AppData\Roaming\Uxar\sakav.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp80fdbdfa.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp80fdbdfa.bat

Filesize
271B

MD5
a8cfbbb969270c8da855b01624181408

SHA1
032772fa28954476138f2b3b6e4e616dcd2524b5

SHA256
b0098a8c369bbd3d6f5d93c265f837613edf983fd092ce6a24242ec7c0fc5296

SHA512
c262d7a22f232c3bd4eddc63faeea5a502106750965e9abd819a74ee90dc2998db7f4346ae01007ff2afee66c02f4c21af0c667a0fa1af0e41325e9a694b8ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Epuzb\epimc.xup

Filesize
380B

MD5
ea9e7625902c123dc9540713a068a3b7

SHA1
15295aad2cfa4379276ffc670e6ce55fee217cae

SHA256
2a85027998f47522e6996e62bc551a016bc6f808d507a376304f02183d53606b

SHA512
f1ca4d606f41d594a4237d743796aca7a07758aff71a095b8f23486ad58bdf52a4cbaa320f7e488309984cc076e791cbf474d74e5f0d52d7bfc047baa3bda351

Download Submit
\Users\Admin\AppData\Roaming\Uxar\sakav.exe

Filesize
284KB

MD5
83bc7131a764bf51b9747a65c7f18bc0

SHA1
dcafe007c7e61bee1546544c095cfb28e223e6e0

SHA256
9ebb56a2c3aebc571cf0f63d53c2c13a8017be310342569b66fa098d43f41d6e

SHA512
a1dfb64440e425c5163a67b01a87fbca9f096d56e95b4ab9b289b0bfc5308bd25662b236bee94ffacafeba2be44d365bcf0e967e8be3e5cf1ebec6a00a2b303d

Download Submit
memory/1096-19-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/1096-21-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/1096-23-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/1096-25-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/1096-27-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/1152-33-0x0000000002090000-0x00000000020D1000-memory.dmp

Filesize
260KB

Download
memory/1152-35-0x0000000002090000-0x00000000020D1000-memory.dmp

Filesize
260KB

Download
memory/1152-31-0x0000000002090000-0x00000000020D1000-memory.dmp

Filesize
260KB

Download
memory/1152-37-0x0000000002090000-0x00000000020D1000-memory.dmp

Filesize
260KB

Download
memory/1196-43-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1196-40-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1196-41-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1196-42-0x0000000002DA0000-0x0000000002DE1000-memory.dmp

Filesize
260KB

Download
memory/1388-46-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1388-47-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1388-48-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1388-45-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1968-114-0x0000000076F90000-0x0000000076F91000-memory.dmp

Filesize
4KB

Download
memory/1968-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-63-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-61-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-59-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-58-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1968-56-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1968-54-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1968-52-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1968-50-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1968-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-71-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-77-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-75-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-1-0x0000000000370000-0x00000000003BA000-memory.dmp

Filesize
296KB

Download
memory/1968-0-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1968-164-0x0000000000370000-0x00000000003BA000-memory.dmp

Filesize
296KB

Download
memory/1968-165-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-139-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1968-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1968-163-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2492-15-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2492-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2492-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-283-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2492-285-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2492-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download