95d8bbaf14c46100684f502055399d5ed5d4fc34986f1660386d68fe5001e0cc

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 11:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
Size

321KB
MD5

85f60708ffbbec97aa71eebb00dcd0e2
SHA1

b34671c1e34184a31b734acb61b6131736208bb5
SHA256

95d8bbaf14c46100684f502055399d5ed5d4fc34986f1660386d68fe5001e0cc
SHA512

920b5e8cdc774cd48585644026135b25030b299899e3ac4930617446c513d2b28ada435002b76a9184faa935bf4a41290c3539f67640b14f2b3faf32ee12a739
SSDEEP

6144:iwTTu7g4DQC6ziRo0sYXkADm5TsCQIaNEN4xxgB3ixuqFsE6aMhZDw:nopF6K1dzUIIaNniB3nq+nah

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1712	foofy.exe

Loads dropped DLL 2 IoCs

pid	Process
1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7D4B5FC8-1892-AD4F-C2C5-7543D4B4565E} = "C:\\Users\\Admin\\AppData\\Roaming\\Ocot\\foofy.exe"	foofy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe
1712	foofy.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
Token: SeSecurityPrivilege	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
Token: SeSecurityPrivilege	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
1712	foofy.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 1712	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	29
PID 1344 wrote to memory of 1712	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	29
PID 1344 wrote to memory of 1712	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	29
PID 1344 wrote to memory of 1712	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	29
PID 1712 wrote to memory of 1320	1712	foofy.exe	18
PID 1712 wrote to memory of 1320	1712	foofy.exe	18
PID 1712 wrote to memory of 1320	1712	foofy.exe	18
PID 1712 wrote to memory of 1320	1712	foofy.exe	18
PID 1712 wrote to memory of 1320	1712	foofy.exe	18
PID 1712 wrote to memory of 1372	1712	foofy.exe	19
PID 1712 wrote to memory of 1372	1712	foofy.exe	19
PID 1712 wrote to memory of 1372	1712	foofy.exe	19
PID 1712 wrote to memory of 1372	1712	foofy.exe	19
PID 1712 wrote to memory of 1372	1712	foofy.exe	19
PID 1712 wrote to memory of 1428	1712	foofy.exe	20
PID 1712 wrote to memory of 1428	1712	foofy.exe	20
PID 1712 wrote to memory of 1428	1712	foofy.exe	20
PID 1712 wrote to memory of 1428	1712	foofy.exe	20
PID 1712 wrote to memory of 1428	1712	foofy.exe	20
PID 1712 wrote to memory of 1500	1712	foofy.exe	24
PID 1712 wrote to memory of 1500	1712	foofy.exe	24
PID 1712 wrote to memory of 1500	1712	foofy.exe	24
PID 1712 wrote to memory of 1500	1712	foofy.exe	24
PID 1712 wrote to memory of 1500	1712	foofy.exe	24
PID 1712 wrote to memory of 1344	1712	foofy.exe	28
PID 1712 wrote to memory of 1344	1712	foofy.exe	28
PID 1712 wrote to memory of 1344	1712	foofy.exe	28
PID 1712 wrote to memory of 1344	1712	foofy.exe	28
PID 1712 wrote to memory of 1344	1712	foofy.exe	28
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30
PID 1344 wrote to memory of 2960	1344	85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1320

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1372

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\85f60708ffbbec97aa71eebb00dcd0e2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Users\Admin\AppData\Roaming\Ocot\foofy.exe
    "C:\Users\Admin\AppData\Roaming\Ocot\foofy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0efabb88.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0efabb88.bat

Filesize
271B

MD5
a3f8a95d0f8c2a60ba8bad074f64c6e2

SHA1
cefaddd0ac1b8a9d36ef158803c83ef666adb7ec

SHA256
36eea204e19a47a797a6e0be5f59e77757717aca5c44a549d5a702aa4f563126

SHA512
681543f815420665b79f44aa91d2aead36b1a11dff06c51afe3b75d7c6dfb4c8fad1e684000c3d4a095c82effb40b5ee5be5330c488ded415aa76a6394c49e45

Download Submit
C:\Users\Admin\AppData\Roaming\Etypuj\aqev.das

Filesize
380B

MD5
c2129c6c7d7eaca8c363af5db0911ba7

SHA1
6142fc6f35cb3152bd1893fad323709ceee0712c

SHA256
7f654dc16bc585fe69e12b58d203bf3c4597f4f57ab0664ca234d93e72e67ec4

SHA512
18cae9ade735a31b7fdbbc42f6f2283df499ef10f3dfe18b44c30084cdf4e8e9893ca6d86b7cd8870a76a0bd15cbe8b0de31fd6ad48f0384f8520790f9c8e279

Download Submit
C:\Users\Admin\AppData\Roaming\Ocot\foofy.exe

Filesize
321KB

MD5
6619c80867ef4a96f5c7f166393c5399

SHA1
777ccdf6ba1bf7cfeaaf12c75bce89aea397ebfc

SHA256
9dba324f02ec311b904b88dba1f8049f3b25358f02492c0918b7aa8fb1c1bc00

SHA512
2e04143b044c4f495b917896bc61edbf60d253ddad1aba61032fdf71c9a90f6e7e77f0149ed1ce1e6639f3ae5b979b4152450f8c85e972fe6e5f7cadc1abb6a8

Download Submit
memory/1320-19-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/1320-27-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/1320-21-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/1320-23-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/1320-25-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/1344-53-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-0-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1344-54-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-81-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-79-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-76-0x0000000077980000-0x0000000077981000-memory.dmp

Filesize
4KB

Download
memory/1344-75-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-59-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-57-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-55-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-52-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-50-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-163-0x0000000000390000-0x00000000003E3000-memory.dmp

Filesize
332KB

Download
memory/1344-164-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1344-1-0x0000000000390000-0x00000000003E3000-memory.dmp

Filesize
332KB

Download
memory/1344-138-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1344-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1344-51-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1372-31-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1372-37-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1372-35-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1372-33-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1428-41-0x0000000002920000-0x0000000002961000-memory.dmp

Filesize
260KB

Download
memory/1428-40-0x0000000002920000-0x0000000002961000-memory.dmp

Filesize
260KB

Download
memory/1428-43-0x0000000002920000-0x0000000002961000-memory.dmp

Filesize
260KB

Download
memory/1428-42-0x0000000002920000-0x0000000002961000-memory.dmp

Filesize
260KB

Download
memory/1500-47-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1500-45-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1500-46-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1500-48-0x0000000001DA0000-0x0000000001DE1000-memory.dmp

Filesize
260KB

Download
memory/1712-15-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1712-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-16-0x0000000000370000-0x00000000003C3000-memory.dmp

Filesize
332KB

Download
memory/1712-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download