f8542567145e4c94af7605c3d761b115c97df5fa449eaa75eee568d5fba54b20

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Size

217KB
MD5

8549c7a67140992ad29caeca6a7b078e
SHA1

64dbec45b5c0bfaae98120907b76b477ef2ef241
SHA256

f8542567145e4c94af7605c3d761b115c97df5fa449eaa75eee568d5fba54b20
SHA512

35f332801cf47562c200f3e99e6054234af48a6f8919a5d8a0a096c5131d0a849e68538127a73b921b00f14188a7f5835061fc3b063c0d9090626a55d917838d
SSDEEP

6144:IGDtFu0Xw+DZs1THlTSZ9iwdyj+1KmWiGroS3M:nIzTHlOZndV0zroS3M

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	udiz.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/files/0x003400000001568f-11.dat	upx
behavioral1/memory/2796-20-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CBD0170D-D453-464A-C678-5FA2106ECC40} = "C:\\Users\\Admin\\AppData\\Roaming\\Ureb\\udiz.exe"	udiz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\407B4931-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe
2796	udiz.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	492	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
492	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
492	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
492	WinMail.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2796	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2796	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2796	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2796	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	31
PID 2796 wrote to memory of 1088	2796	udiz.exe	19
PID 2796 wrote to memory of 1088	2796	udiz.exe	19
PID 2796 wrote to memory of 1088	2796	udiz.exe	19
PID 2796 wrote to memory of 1088	2796	udiz.exe	19
PID 2796 wrote to memory of 1088	2796	udiz.exe	19
PID 2796 wrote to memory of 1156	2796	udiz.exe	20
PID 2796 wrote to memory of 1156	2796	udiz.exe	20
PID 2796 wrote to memory of 1156	2796	udiz.exe	20
PID 2796 wrote to memory of 1156	2796	udiz.exe	20
PID 2796 wrote to memory of 1156	2796	udiz.exe	20
PID 2796 wrote to memory of 1180	2796	udiz.exe	21
PID 2796 wrote to memory of 1180	2796	udiz.exe	21
PID 2796 wrote to memory of 1180	2796	udiz.exe	21
PID 2796 wrote to memory of 1180	2796	udiz.exe	21
PID 2796 wrote to memory of 1180	2796	udiz.exe	21
PID 2796 wrote to memory of 2040	2796	udiz.exe	23
PID 2796 wrote to memory of 2040	2796	udiz.exe	23
PID 2796 wrote to memory of 2040	2796	udiz.exe	23
PID 2796 wrote to memory of 2040	2796	udiz.exe	23
PID 2796 wrote to memory of 2040	2796	udiz.exe	23
PID 2796 wrote to memory of 2184	2796	udiz.exe	30
PID 2796 wrote to memory of 2184	2796	udiz.exe	30
PID 2796 wrote to memory of 2184	2796	udiz.exe	30
PID 2796 wrote to memory of 2184	2796	udiz.exe	30
PID 2796 wrote to memory of 2184	2796	udiz.exe	30
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2184 wrote to memory of 2240	2184	8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe	33
PID 2796 wrote to memory of 1508	2796	udiz.exe	35
PID 2796 wrote to memory of 1508	2796	udiz.exe	35
PID 2796 wrote to memory of 1508	2796	udiz.exe	35
PID 2796 wrote to memory of 1508	2796	udiz.exe	35
PID 2796 wrote to memory of 1508	2796	udiz.exe	35
PID 2796 wrote to memory of 1640	2796	udiz.exe	36
PID 2796 wrote to memory of 1640	2796	udiz.exe	36
PID 2796 wrote to memory of 1640	2796	udiz.exe	36
PID 2796 wrote to memory of 1640	2796	udiz.exe	36
PID 2796 wrote to memory of 1640	2796	udiz.exe	36
PID 2796 wrote to memory of 2792	2796	udiz.exe	37
PID 2796 wrote to memory of 2792	2796	udiz.exe	37
PID 2796 wrote to memory of 2792	2796	udiz.exe	37
PID 2796 wrote to memory of 2792	2796	udiz.exe	37
PID 2796 wrote to memory of 2792	2796	udiz.exe	37
PID 2796 wrote to memory of 2716	2796	udiz.exe	38
PID 2796 wrote to memory of 2716	2796	udiz.exe	38
PID 2796 wrote to memory of 2716	2796	udiz.exe	38
PID 2796 wrote to memory of 2716	2796	udiz.exe	38
PID 2796 wrote to memory of 2716	2796	udiz.exe	38

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8549c7a67140992ad29caeca6a7b078e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Roaming\Ureb\udiz.exe
    "C:\Users\Admin\AppData\Roaming\Ureb\udiz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe101ef26.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2040

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:492

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2792

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
3916da1e20eba6b88ae13cd65605e645

SHA1
fc7b1cf4dddb80c6986578bb2a4c6de6f3769de4

SHA256
b9bb7322b79bc1adb7b4ea33d2cbbd13503711c2271c1ccdabb2aaff2d7abbfc

SHA512
4d62d9b0a1fe50d9571b78bc7a7770bd6195fea3b35dac1ad280a77bb5e85b826721d90ce001eccd6a8322ee5e5333866da571400d9cbb6c86aec0ec144d7d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpe101ef26.bat

Filesize
271B

MD5
e29cd9ccf9365bf0a0463f7bdfbf787b

SHA1
413411fed09e28a59da34b8b05b5b7697b88d962

SHA256
ee044f7949b52d2eee92382f53dbd57d9aa0afa14812f2f50bc5792c84a050d4

SHA512
5e6474a66d5144fec8ece99f8f0a61929c42ab7795070d1fc8603ffd75b829919967ababddd1513d8cbe36f80bd6fec08a4a955d15c00ba6710451be70bca5a1

Download Submit
C:\Users\Admin\AppData\Roaming\Soxe\kixen.egi

Filesize
402B

MD5
482dd0ed3151271fb7296325bbca6036

SHA1
724194c59e404d08b4c1fcf8ed85df8f835630e4

SHA256
e7896f336facc0002d9eb054a9ff78a2be39e4bf62575e1ac17fb6821cf61274

SHA512
530120fe1a04429ca47474d4186677dcd010f0853cd7fea1180dce06babe696cbabb6f01f6b159af8417a27cf4e9fd57e2373812f9d768989d9296e1888aede2

Download Submit
\Users\Admin\AppData\Roaming\Ureb\udiz.exe

Filesize
217KB

MD5
7bb344ed4c2e1ec949eed5e03b200b97

SHA1
1d313aa76774ec5617a459978ec10d6008f16975

SHA256
b42a3c8c43c9f20b80862b8742f56228d64c9d99628108ef2ca973797fef073f

SHA512
2a2a222eba0180ac6c40c967e1ff67e17ba7972841c3ed627ce9ea8a12e67ed6ddff2926e796afbceca15e093800610d382021664cc61a52ddbf9c5758a314e4

Download Submit
memory/1088-33-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/1088-31-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/1088-32-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/1088-30-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/1088-29-0x0000000002070000-0x000000000209F000-memory.dmp

Filesize
188KB

Download
memory/1156-40-0x0000000000350000-0x000000000037F000-memory.dmp

Filesize
188KB

Download
memory/1156-35-0x0000000000350000-0x000000000037F000-memory.dmp

Filesize
188KB

Download
memory/1156-36-0x0000000000350000-0x000000000037F000-memory.dmp

Filesize
188KB

Download
memory/1156-38-0x0000000000350000-0x000000000037F000-memory.dmp

Filesize
188KB

Download
memory/1180-45-0x0000000002CF0000-0x0000000002D1F000-memory.dmp

Filesize
188KB

Download
memory/1180-46-0x0000000002CF0000-0x0000000002D1F000-memory.dmp

Filesize
188KB

Download
memory/1180-44-0x0000000002CF0000-0x0000000002D1F000-memory.dmp

Filesize
188KB

Download
memory/1180-43-0x0000000002CF0000-0x0000000002D1F000-memory.dmp

Filesize
188KB

Download
memory/2040-49-0x0000000001E90000-0x0000000001EBF000-memory.dmp

Filesize
188KB

Download
memory/2040-51-0x0000000001E90000-0x0000000001EBF000-memory.dmp

Filesize
188KB

Download
memory/2040-48-0x0000000001E90000-0x0000000001EBF000-memory.dmp

Filesize
188KB

Download
memory/2040-50-0x0000000001E90000-0x0000000001EBF000-memory.dmp

Filesize
188KB

Download
memory/2184-111-0x0000000077640000-0x0000000077641000-memory.dmp

Filesize
4KB

Download
memory/2184-76-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-54-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-55-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-56-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-18-0x00000000006E0000-0x000000000073C000-memory.dmp

Filesize
368KB

Download
memory/2184-19-0x00000000006E0000-0x000000000073C000-memory.dmp

Filesize
368KB

Download
memory/2184-78-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2184-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2184-4-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-64-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-57-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-53-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-109-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-1-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2184-204-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-74-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-72-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-70-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-68-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-244-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2184-295-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2184-296-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2796-20-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2796-538-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download