9b88b7a099f6baf08736671da110c0f8818f49b76084d047dde6842719205d1f

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
Size

294KB
MD5

835fdef0d790de30bd378772b3df274f
SHA1

26c6739a4383fd3c63e9ec824983abce5ee69240
SHA256

9b88b7a099f6baf08736671da110c0f8818f49b76084d047dde6842719205d1f
SHA512

e7a53b2c4072bc9c4ee5bb861d9895f0df0245f1a13fb886359b37f70a18c909ec59e1b4cbfc92cd95cce870b74c0ec17be15eab1e095d223cad45bf5f67a676
SSDEEP

6144:ogOMMB7FAFJh6ydWE5h9wGajkc9Yw++MXZBB8alTRTLsdJ:o8q7FAsyD5kGa7DMJBBj3XsdJ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1528	afef.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Awanky\\afef.exe"	afef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe
1528	afef.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
1528	afef.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1528	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1528	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1528	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	29
PID 2476 wrote to memory of 1528	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	29
PID 1528 wrote to memory of 1120	1528	afef.exe	18
PID 1528 wrote to memory of 1120	1528	afef.exe	18
PID 1528 wrote to memory of 1120	1528	afef.exe	18
PID 1528 wrote to memory of 1120	1528	afef.exe	18
PID 1528 wrote to memory of 1120	1528	afef.exe	18
PID 1528 wrote to memory of 1188	1528	afef.exe	19
PID 1528 wrote to memory of 1188	1528	afef.exe	19
PID 1528 wrote to memory of 1188	1528	afef.exe	19
PID 1528 wrote to memory of 1188	1528	afef.exe	19
PID 1528 wrote to memory of 1188	1528	afef.exe	19
PID 1528 wrote to memory of 1252	1528	afef.exe	20
PID 1528 wrote to memory of 1252	1528	afef.exe	20
PID 1528 wrote to memory of 1252	1528	afef.exe	20
PID 1528 wrote to memory of 1252	1528	afef.exe	20
PID 1528 wrote to memory of 1252	1528	afef.exe	20
PID 1528 wrote to memory of 1464	1528	afef.exe	22
PID 1528 wrote to memory of 1464	1528	afef.exe	22
PID 1528 wrote to memory of 1464	1528	afef.exe	22
PID 1528 wrote to memory of 1464	1528	afef.exe	22
PID 1528 wrote to memory of 1464	1528	afef.exe	22
PID 1528 wrote to memory of 2476	1528	afef.exe	28
PID 1528 wrote to memory of 2476	1528	afef.exe	28
PID 1528 wrote to memory of 2476	1528	afef.exe	28
PID 1528 wrote to memory of 2476	1528	afef.exe	28
PID 1528 wrote to memory of 2476	1528	afef.exe	28
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30
PID 2476 wrote to memory of 3008	2476	835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\835fdef0d790de30bd378772b3df274f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\Awanky\afef.exe
    "C:\Users\Admin\AppData\Roaming\Awanky\afef.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbbcceea7.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbbcceea7.bat

Filesize
271B

MD5
70d65de5bf1db6f7f1d85acbf293e320

SHA1
8bc3a62fd6dfb79df94ec50e37f3a8aed9d4b4ff

SHA256
8e55a04586375f8db3557d62a24bdea70a03768211de50f96dedafe7076553c5

SHA512
6a9183373de82d8a4735da28e0803f7a3b5cb805968f483b77fff546e3168b9b4590e715feebc702fd7780441ca762028f1e65f254e25c20b2fa81d9b8e8edac

Download Submit
C:\Users\Admin\AppData\Roaming\Ilud\ojyn.wyj

Filesize
380B

MD5
38cb02ed45fa2c8ab86decd89ed1dc65

SHA1
3c80a50fbbff6471a55cc32fe261178941dd6493

SHA256
05bc0239717ef717d5a0d256eae67198054ab6a140f6de976389c5955a4ae32f

SHA512
850fb92f2fb8e70223347a29600f90313f2a88a7571b520ff674ba977f4dd3e83d04f16a62657844d6ef2c24594e2fde2749b0b5fbc96405f99922dedc1519bc

Download Submit
\Users\Admin\AppData\Roaming\Awanky\afef.exe

Filesize
294KB

MD5
c694fe61e616e50ee057e89018308af6

SHA1
513d9f2aa302c035a36783f118182624c57b5f27

SHA256
8b3b15b8200710715be47b523277c5abed717312fe541d480014f7d0749921b5

SHA512
16847c4051bf18294289220e51ee8a63b54c6f698e9908631981f6d19f949c0cf9fe9460d70e1bec020de15a3af2b996b2bb78cd0ba41413bc9b7d629f90462a

Download Submit
memory/1120-25-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1120-18-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1120-21-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1120-23-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/1188-31-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1188-28-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1188-30-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1188-29-0x0000000001BB0000-0x0000000001BF1000-memory.dmp

Filesize
260KB

Download
memory/1252-34-0x0000000003E60000-0x0000000003EA1000-memory.dmp

Filesize
260KB

Download
memory/1252-33-0x0000000003E60000-0x0000000003EA1000-memory.dmp

Filesize
260KB

Download
memory/1252-35-0x0000000003E60000-0x0000000003EA1000-memory.dmp

Filesize
260KB

Download
memory/1252-36-0x0000000003E60000-0x0000000003EA1000-memory.dmp

Filesize
260KB

Download
memory/1464-41-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/1464-38-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/1464-39-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/1464-40-0x0000000001DE0000-0x0000000001E21000-memory.dmp

Filesize
260KB

Download
memory/1528-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1528-277-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-279-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-76-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-74-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-58-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-56-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-54-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-52-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-50-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-48-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-46-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-45-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-44-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-62-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-64-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-66-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-68-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-70-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-72-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-60-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-157-0x00000000006C0000-0x000000000070E000-memory.dmp

Filesize
312KB

Download
memory/2476-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-159-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-1-0x00000000006C0000-0x000000000070E000-memory.dmp

Filesize
312KB

Download
memory/2476-78-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-131-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-133-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2476-132-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2476-47-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-43-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2476-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-0-0x00000000005F0000-0x0000000000631000-memory.dmp

Filesize
260KB

Download