ae373b378063f1d0e59123fd92f9029344bc6d9b22236df1f2690ff7eed9a40a

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe
Size

192KB
MD5

85e4226c55c3d20d641927d0d4a2bc60
SHA1

bfc25a3fa15dda2d564f96ba99b97d5a938dd704
SHA256

ae373b378063f1d0e59123fd92f9029344bc6d9b22236df1f2690ff7eed9a40a
SHA512

4a8da169dbb22ed7e01ca6ee522e2a87e70f815602956a4eecd2f0852ac991bbb7d741c93a434d79205269448f879cea069539c3ef66beea397c100cca6b4e5c
SSDEEP

3072:k9bFmrdOi6i1C4wMpSgb6LKveD/NA45TCBvOXGfkTfhOoTsAhQ/N0l+7:GZmgidLpSdLKveTNA+TCBnkT5OWp+/Nv

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1096	rauxq.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe
2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E580D03F-4FCF-F843-A3CB-EC2B13A3F5DE} = "C:\\Users\\Admin\\AppData\\Roaming\\Ribo\\rauxq.exe"	rauxq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe
1096	rauxq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1096	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1096	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1096	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	30
PID 2292 wrote to memory of 1096	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	30
PID 1096 wrote to memory of 1136	1096	rauxq.exe	19
PID 1096 wrote to memory of 1136	1096	rauxq.exe	19
PID 1096 wrote to memory of 1136	1096	rauxq.exe	19
PID 1096 wrote to memory of 1136	1096	rauxq.exe	19
PID 1096 wrote to memory of 1136	1096	rauxq.exe	19
PID 1096 wrote to memory of 1248	1096	rauxq.exe	20
PID 1096 wrote to memory of 1248	1096	rauxq.exe	20
PID 1096 wrote to memory of 1248	1096	rauxq.exe	20
PID 1096 wrote to memory of 1248	1096	rauxq.exe	20
PID 1096 wrote to memory of 1248	1096	rauxq.exe	20
PID 1096 wrote to memory of 1300	1096	rauxq.exe	21
PID 1096 wrote to memory of 1300	1096	rauxq.exe	21
PID 1096 wrote to memory of 1300	1096	rauxq.exe	21
PID 1096 wrote to memory of 1300	1096	rauxq.exe	21
PID 1096 wrote to memory of 1300	1096	rauxq.exe	21
PID 1096 wrote to memory of 1776	1096	rauxq.exe	23
PID 1096 wrote to memory of 1776	1096	rauxq.exe	23
PID 1096 wrote to memory of 1776	1096	rauxq.exe	23
PID 1096 wrote to memory of 1776	1096	rauxq.exe	23
PID 1096 wrote to memory of 1776	1096	rauxq.exe	23
PID 1096 wrote to memory of 2292	1096	rauxq.exe	29
PID 1096 wrote to memory of 2292	1096	rauxq.exe	29
PID 1096 wrote to memory of 2292	1096	rauxq.exe	29
PID 1096 wrote to memory of 2292	1096	rauxq.exe	29
PID 1096 wrote to memory of 2292	1096	rauxq.exe	29
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2880	2292	85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe	31
PID 1096 wrote to memory of 2848	1096	rauxq.exe	32
PID 1096 wrote to memory of 2848	1096	rauxq.exe	32
PID 1096 wrote to memory of 2848	1096	rauxq.exe	32
PID 1096 wrote to memory of 2848	1096	rauxq.exe	32
PID 1096 wrote to memory of 2848	1096	rauxq.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\85e4226c55c3d20d641927d0d4a2bc60_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\Ribo\rauxq.exe
    "C:\Users\Admin\AppData\Roaming\Ribo\rauxq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp89fa7c7a.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "507813030-2065412326979443706-1246955892-54772764138652928-242012442-163041937"
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp89fa7c7a.bat

Filesize
271B

MD5
ce4ea7ae7cac7e54928cf54eeaa2dc7d

SHA1
55ae3d8bb176afee4460b410a6667460a7faf1ce

SHA256
e20231ca9dc50ad215dbb278d690d5953d7cddf0d94428b2febebc238c26057f

SHA512
cad85eb6f5cdef2df8bd40179320f40da9d0b4d39f2955ba7a9f3af185ede69794b329132f9e5caffcd8fbf05ecfd6d0fc5166e89a02dc592710c9f0caccede3

Download Submit
\Users\Admin\AppData\Roaming\Ribo\rauxq.exe

Filesize
192KB

MD5
95b81d7d20441b79559f10899c98317d

SHA1
140a768283e6ca44d08f11a4f6c9d1551a250313

SHA256
77115d0306bca49486ec33d1e12daa5eda37ee4c903b76ea8617b1e0ea982cfe

SHA512
18dd8bef03ee5f6a5d063c8ca050fcd77745b46d99326eb76ec66d41732d66fe0474ef129cd9c845204c10c51771a5ac699c5c7de27eae311cbe5aaee2b5309d

Download Submit
memory/1096-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1136-19-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/1136-23-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/1136-17-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/1136-25-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/1136-21-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/1248-31-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/1248-35-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/1248-30-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/1248-33-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/1300-41-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1300-39-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1300-38-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1300-40-0x0000000002A90000-0x0000000002AB8000-memory.dmp

Filesize
160KB

Download
memory/1776-46-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/1776-45-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/1776-44-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/1776-43-0x0000000001C50000-0x0000000001C78000-memory.dmp

Filesize
160KB

Download
memory/2292-51-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-57-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-49-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-50-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-53-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-0-0x000000000042A000-0x000000000042C000-memory.dmp

Filesize
8KB

Download
memory/2292-52-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-55-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-63-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-61-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-59-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-48-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/2292-67-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-71-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-69-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-81-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-79-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-77-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-75-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-73-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-65-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2292-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2292-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download