f897eea751b79f2356f1d00a88cdec4b19b31052bbdd881eff3073649c7b1100

Analysis

max time kernel
150s
max time network
51s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
Size

92KB
MD5

885539e00198ee4f1088d779692221dd
SHA1

db0650adfdfc452f9d1aea22203bff45de7dc5aa
SHA256

f897eea751b79f2356f1d00a88cdec4b19b31052bbdd881eff3073649c7b1100
SHA512

5760a75db10667df01f0113b59fd110daf607f3f2876a8729515786d6e66c5e6191595f218e8723f5ec942b92a62e93af42db94ebc3b96bb2f5a65732818c56c
SSDEEP

1536:bKoGLsP+d7P/s4YxRoA+mt9W7XQpF3Ej9GQD9niRIkPMPGLVu+a0jbCew3hQVU2H:bkw6/65+mXQQfUYQxBSMMEMhbLErZi

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	etnir.exe

Loads dropped DLL 2 IoCs

pid	Process
1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0008000000016d28-6.dat	upx
behavioral1/memory/2420-15-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1DF456E8-E7B1-772F-2BD0-1E5EEE48C9BE} = "C:\\Users\\Admin\\AppData\\Roaming\\Rosiy\\etnir.exe"	etnir.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etnir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe
2420	etnir.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
Token: SeSecurityPrivilege	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
Token: SeSecurityPrivilege	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2420	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2420	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2420	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	30
PID 1512 wrote to memory of 2420	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1160	2420	etnir.exe	19
PID 2420 wrote to memory of 1160	2420	etnir.exe	19
PID 2420 wrote to memory of 1160	2420	etnir.exe	19
PID 2420 wrote to memory of 1160	2420	etnir.exe	19
PID 2420 wrote to memory of 1160	2420	etnir.exe	19
PID 2420 wrote to memory of 1252	2420	etnir.exe	20
PID 2420 wrote to memory of 1252	2420	etnir.exe	20
PID 2420 wrote to memory of 1252	2420	etnir.exe	20
PID 2420 wrote to memory of 1252	2420	etnir.exe	20
PID 2420 wrote to memory of 1252	2420	etnir.exe	20
PID 2420 wrote to memory of 1300	2420	etnir.exe	21
PID 2420 wrote to memory of 1300	2420	etnir.exe	21
PID 2420 wrote to memory of 1300	2420	etnir.exe	21
PID 2420 wrote to memory of 1300	2420	etnir.exe	21
PID 2420 wrote to memory of 1300	2420	etnir.exe	21
PID 2420 wrote to memory of 1660	2420	etnir.exe	25
PID 2420 wrote to memory of 1660	2420	etnir.exe	25
PID 2420 wrote to memory of 1660	2420	etnir.exe	25
PID 2420 wrote to memory of 1660	2420	etnir.exe	25
PID 2420 wrote to memory of 1660	2420	etnir.exe	25
PID 2420 wrote to memory of 1512	2420	etnir.exe	29
PID 2420 wrote to memory of 1512	2420	etnir.exe	29
PID 2420 wrote to memory of 1512	2420	etnir.exe	29
PID 2420 wrote to memory of 1512	2420	etnir.exe	29
PID 2420 wrote to memory of 1512	2420	etnir.exe	29
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 1512 wrote to memory of 280	1512	885539e00198ee4f1088d779692221dd_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2880	2420	etnir.exe	33
PID 2420 wrote to memory of 2880	2420	etnir.exe	33
PID 2420 wrote to memory of 2880	2420	etnir.exe	33
PID 2420 wrote to memory of 2880	2420	etnir.exe	33
PID 2420 wrote to memory of 2880	2420	etnir.exe	33
PID 2420 wrote to memory of 2076	2420	etnir.exe	34
PID 2420 wrote to memory of 2076	2420	etnir.exe	34
PID 2420 wrote to memory of 2076	2420	etnir.exe	34
PID 2420 wrote to memory of 2076	2420	etnir.exe	34
PID 2420 wrote to memory of 2076	2420	etnir.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1160

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1252

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1300
- C:\Users\Admin\AppData\Local\Temp\885539e00198ee4f1088d779692221dd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\885539e00198ee4f1088d779692221dd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Roaming\Rosiy\etnir.exe
    "C:\Users\Admin\AppData\Roaming\Rosiy\etnir.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd067d055.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd067d055.bat

Filesize
271B

MD5
63d549be5bd88e99cec2fa762785f175

SHA1
42203d08aa944f729a2da3ba60ab807fdb3c420d

SHA256
0dcf75cb3d2ddc2366b523d785d9ca780c3129f7de622d975262a5543ce8eba9

SHA512
c2a86d06f5c924ea283a01979d5f7d360e08f6e85ad657345fc5e861f7bdf142503053dd99d789d2c30e70c16178d5efa6aa0db1e15194f1470b4b384c922cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Ukon\faynq.uvd

Filesize
380B

MD5
88c9b22298276f7509ed496a2709ae9e

SHA1
386d0628e6083e340cdff767382c8fc1b25538d9

SHA256
f49b50a346454e7cb7d8b7388e5077e5d924760443e2f4ebf5a59cdd0a9da1b1

SHA512
466039c73f74246abe86a6ffb3c2d5ff1a35abb69c246db339777f917ad416c04283bc91c4bd9e1aab55a8941ca28acbd4d6863a9d67287996fb148d8477c8ac

Download Submit
\Users\Admin\AppData\Roaming\Rosiy\etnir.exe

Filesize
92KB

MD5
0eea5b7f7e1766cbfcb821c882b1a4c9

SHA1
7c703dadf969b5f1b9d9b7d33fc362f10daed3ed

SHA256
0a014907e208ea0439864e6aa3a029de81e55eca05451e6bcdc77e905665a652

SHA512
f8e07e4f896ee8c089499b3fc7cb6969982f660b826f4d3846741b8cea1f5b239fb97fe39b63ed6f51adae419109fd051762b8d1b2520abafde235633edd8d02

Download Submit
memory/280-95-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/280-126-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/280-125-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/280-123-0x0000000077D10000-0x0000000077D11000-memory.dmp

Filesize
4KB

Download
memory/1160-19-0x0000000001CA0000-0x0000000001CBA000-memory.dmp

Filesize
104KB

Download
memory/1160-22-0x0000000001CA0000-0x0000000001CBA000-memory.dmp

Filesize
104KB

Download
memory/1160-20-0x0000000001CA0000-0x0000000001CBA000-memory.dmp

Filesize
104KB

Download
memory/1160-23-0x0000000001CA0000-0x0000000001CBA000-memory.dmp

Filesize
104KB

Download
memory/1160-21-0x0000000001CA0000-0x0000000001CBA000-memory.dmp

Filesize
104KB

Download
memory/1252-26-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1252-27-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1252-28-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1252-29-0x00000000002A0000-0x00000000002BA000-memory.dmp

Filesize
104KB

Download
memory/1300-34-0x0000000002A30000-0x0000000002A4A000-memory.dmp

Filesize
104KB

Download
memory/1300-31-0x0000000002A30000-0x0000000002A4A000-memory.dmp

Filesize
104KB

Download
memory/1300-32-0x0000000002A30000-0x0000000002A4A000-memory.dmp

Filesize
104KB

Download
memory/1300-33-0x0000000002A30000-0x0000000002A4A000-memory.dmp

Filesize
104KB

Download
memory/1512-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-42-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-84-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-66-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-68-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-70-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-72-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-64-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-62-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-60-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-58-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-56-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-54-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-52-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-45-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-44-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-43-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-94-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-41-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/1512-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-80-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/1512-2-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-8-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1512-50-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-48-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-46-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1512-14-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/1512-3-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1660-38-0x0000000001CD0000-0x0000000001CEA000-memory.dmp

Filesize
104KB

Download
memory/1660-37-0x0000000001CD0000-0x0000000001CEA000-memory.dmp

Filesize
104KB

Download
memory/1660-36-0x0000000001CD0000-0x0000000001CEA000-memory.dmp

Filesize
104KB

Download
memory/1660-39-0x0000000001CD0000-0x0000000001CEA000-memory.dmp

Filesize
104KB

Download
memory/2420-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2420-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2420-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2420-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download