97a6c7e975ae6462ad73e76846b4fcf66c7fd38a30b51939a6b8f7bf8b0ad6d2

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
Size

524KB
MD5

890a69bbd3bc119a853ed5202be98d08
SHA1

dce8646a48c3e4c441024b524197017db3efe9c5
SHA256

97a6c7e975ae6462ad73e76846b4fcf66c7fd38a30b51939a6b8f7bf8b0ad6d2
SHA512

543ebadf06caca835ca40882b718dbf99e5190b2a5adecf18c4f319bfbc7b05beaeb41f43b5fa70e261be02d7806a869520fd43b30a806fdc5b3b26bd1b312c8
SSDEEP

6144:atmFCDimSR6YJ7EfX6Rn469n1gVjfOYKvlkZN:YDDeJb4hIg

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	hoko.exe
2700	hoko.exe

Loads dropped DLL 3 IoCs

pid	Process
264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
2044	hoko.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7878B8C6-EEC3-2E4E-BE50-85FBD2B8C7B4} = "C:\\Users\\Admin\\AppData\\Roaming\\Sybau\\hoko.exe"	hoko.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2700	2044	hoko.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe
2700	hoko.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
Token: SeSecurityPrivilege	2864	cmd.exe
Token: SeSecurityPrivilege	2864	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
2044	hoko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 1188 wrote to memory of 264	1188	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	31
PID 264 wrote to memory of 2044	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	32
PID 264 wrote to memory of 2044	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	32
PID 264 wrote to memory of 2044	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	32
PID 264 wrote to memory of 2044	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	32
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2044 wrote to memory of 2700	2044	hoko.exe	33
PID 2700 wrote to memory of 1176	2700	hoko.exe	19
PID 2700 wrote to memory of 1176	2700	hoko.exe	19
PID 2700 wrote to memory of 1176	2700	hoko.exe	19
PID 2700 wrote to memory of 1176	2700	hoko.exe	19
PID 2700 wrote to memory of 1176	2700	hoko.exe	19
PID 2700 wrote to memory of 1276	2700	hoko.exe	20
PID 2700 wrote to memory of 1276	2700	hoko.exe	20
PID 2700 wrote to memory of 1276	2700	hoko.exe	20
PID 2700 wrote to memory of 1276	2700	hoko.exe	20
PID 2700 wrote to memory of 1276	2700	hoko.exe	20
PID 2700 wrote to memory of 1336	2700	hoko.exe	21
PID 2700 wrote to memory of 1336	2700	hoko.exe	21
PID 2700 wrote to memory of 1336	2700	hoko.exe	21
PID 2700 wrote to memory of 1336	2700	hoko.exe	21
PID 2700 wrote to memory of 1336	2700	hoko.exe	21
PID 2700 wrote to memory of 1676	2700	hoko.exe	25
PID 2700 wrote to memory of 1676	2700	hoko.exe	25
PID 2700 wrote to memory of 1676	2700	hoko.exe	25
PID 2700 wrote to memory of 1676	2700	hoko.exe	25
PID 2700 wrote to memory of 1676	2700	hoko.exe	25
PID 2700 wrote to memory of 264	2700	hoko.exe	31
PID 2700 wrote to memory of 264	2700	hoko.exe	31
PID 2700 wrote to memory of 264	2700	hoko.exe	31
PID 2700 wrote to memory of 264	2700	hoko.exe	31
PID 2700 wrote to memory of 264	2700	hoko.exe	31
PID 264 wrote to memory of 2864	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	34
PID 264 wrote to memory of 2864	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	34
PID 264 wrote to memory of 2864	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	34
PID 264 wrote to memory of 2864	264	890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe	34
PID 2700 wrote to memory of 2864	2700	hoko.exe	34
PID 2700 wrote to memory of 2864	2700	hoko.exe	34
PID 2700 wrote to memory of 2864	2700	hoko.exe	34
PID 2700 wrote to memory of 2864	2700	hoko.exe	34
PID 2700 wrote to memory of 2864	2700	hoko.exe	34
PID 2700 wrote to memory of 2656	2700	hoko.exe	35
PID 2700 wrote to memory of 2656	2700	hoko.exe	35
PID 2700 wrote to memory of 2656	2700	hoko.exe	35
PID 2700 wrote to memory of 2656	2700	hoko.exe	35
PID 2700 wrote to memory of 2656	2700	hoko.exe	35
PID 2700 wrote to memory of 2588	2700	hoko.exe	36
PID 2700 wrote to memory of 2588	2700	hoko.exe	36
PID 2700 wrote to memory of 2588	2700	hoko.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1176

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Users\Admin\AppData\Local\Temp\890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\AppData\Local\Temp\890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\890a69bbd3bc119a853ed5202be98d08_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Users\Admin\AppData\Roaming\Sybau\hoko.exe
      "C:\Users\Admin\AppData\Roaming\Sybau\hoko.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Users\Admin\AppData\Roaming\Sybau\hoko.exe
        
        C:\Users\Admin\AppData\Roaming\Sybau\hoko.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2700
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6f69683b.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      PID:2864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1758665851-429427847-6695036975003794251104928712-91798188410662290092107703471"
1⤵
PID:2656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6f69683b.bat

Filesize
271B

MD5
892371a076afd09513733053ba23f244

SHA1
7d16610e4ddb436cc7847f5d65b906ef65204b39

SHA256
1bccec6ffcf7261f8e07065bc502d112f5511b6c7ecbbecd8241590a69d7d110

SHA512
92898b165e57e5ff1eb83b6efeb3f92a9f24bc12cb5cabfcc54f617f70967bfa5cf1afb4821bd982d92a9e7a881fb2c165bc91ce82f56c3357102349b55a4c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Sybau\hoko.exe

Filesize
524KB

MD5
dd2762c248e0353dbbbd4afce2c91864

SHA1
20c21658375895599a19955563004187e5ed23b9

SHA256
82a904fa6bb8264738638a4a982171dc478eafe1acd46b98475215c133cb6326

SHA512
f028fcf2394cf67ea89de1398a9c795af52759f292516c9c693cb8e8d36f4212ad67a7ed596801f3bd8b353586c4efa2caf7af86f789f9a44bc332b482391961

Download Submit
C:\Users\Admin\AppData\Roaming\Ulevb\iqwy.epe

Filesize
323B

MD5
2ff3161c6d064ffabb5e1a852482971f

SHA1
9167acd93b810674b84eec9a5256537ba17c5a20

SHA256
b6f3970b08e5eb511990c78358e8a871ccbe08f82a61471985f2cb89fc35fee6

SHA512
033e52ae5fabd94167d54831beefdc679d28a1ff0650947192c93c7b8c2ccda237fef61b0a2b702fadeddad848eeeb1967767e8cace13ae6cc402c5fc2ec8990

Download Submit
memory/264-70-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/264-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/264-5-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/264-66-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/264-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/264-62-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/264-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/264-64-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/264-69-0x0000000000270000-0x0000000000297000-memory.dmp

Filesize
156KB

Download
memory/264-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/264-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1176-28-0x00000000020F0000-0x0000000002117000-memory.dmp

Filesize
156KB

Download
memory/1176-30-0x00000000020F0000-0x0000000002117000-memory.dmp

Filesize
156KB

Download
memory/1176-27-0x00000000020F0000-0x0000000002117000-memory.dmp

Filesize
156KB

Download
memory/1176-34-0x00000000020F0000-0x0000000002117000-memory.dmp

Filesize
156KB

Download
memory/1176-32-0x00000000020F0000-0x0000000002117000-memory.dmp

Filesize
156KB

Download
memory/1276-40-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1276-42-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1276-44-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1276-38-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1336-47-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1336-49-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1336-48-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1336-50-0x0000000002A90000-0x0000000002AB7000-memory.dmp

Filesize
156KB

Download
memory/1676-52-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1676-54-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1676-56-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/1676-58-0x0000000001E40000-0x0000000001E67000-memory.dmp

Filesize
156KB

Download
memory/2700-25-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2700-195-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2864-84-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2864-78-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-81-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-77-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-82-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2864-157-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2864-79-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-160-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2864-182-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-80-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2864-76-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download