f18bd979ea4eb2d374bef76270bc02ac31955bd421b911864ded3b2ccae2fb20

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Size

262KB
MD5

89753d8050a2a41c24f85dd57b0a5a72
SHA1

8cb52e457c31bd78c157e7305941135c0db4294f
SHA256

f18bd979ea4eb2d374bef76270bc02ac31955bd421b911864ded3b2ccae2fb20
SHA512

dc788a715ba4b0ee4cf8450c7ee1e93d3b8b7cf10bb6968c62f7cce141e3bbe63c18feae29f52e590d3b2c27fdc0fc23544de1785b0bd980c882a4742c885230
SSDEEP

6144:iS8Gp+df0afmVTRMd/dpn94sLrNXel9Ab98+MA7U:F8YkfXf4TRMx94svNuzAb9ZC

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2764 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

kiab.exe

pid process

1112 kiab.exe
Loads dropped DLL 1 IoCs

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

pid process

1816 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

pid	process
2764	cmd.exe

pid	process
1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kiab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7D4B5FC8-1892-AD4F-C2C5-7543D4B4565E} = "C:\\Users\\Admin\\AppData\\Roaming\\Otoro\\kiab.exe"	kiab.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

description pid process target process

PID 1816 set thread context of 2764 1816 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 1816 set thread context of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

kiab.exe

pid	process
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe
1112	kiab.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Token: SeSecurityPrivilege	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
Token: SeSecurityPrivilege	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exekiab.exe

pid process

1816 89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
1112 kiab.exe

pid	process
1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
1112	kiab.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exekiab.exe

description	pid	process	target process
PID 1816 wrote to memory of 1112	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	kiab.exe
PID 1816 wrote to memory of 1112	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	kiab.exe
PID 1816 wrote to memory of 1112	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	kiab.exe
PID 1816 wrote to memory of 1112	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	kiab.exe
PID 1112 wrote to memory of 1152	1112	kiab.exe	taskhost.exe
PID 1112 wrote to memory of 1152	1112	kiab.exe	taskhost.exe
PID 1112 wrote to memory of 1152	1112	kiab.exe	taskhost.exe
PID 1112 wrote to memory of 1152	1112	kiab.exe	taskhost.exe
PID 1112 wrote to memory of 1152	1112	kiab.exe	taskhost.exe
PID 1112 wrote to memory of 1268	1112	kiab.exe	Dwm.exe
PID 1112 wrote to memory of 1268	1112	kiab.exe	Dwm.exe
PID 1112 wrote to memory of 1268	1112	kiab.exe	Dwm.exe
PID 1112 wrote to memory of 1268	1112	kiab.exe	Dwm.exe
PID 1112 wrote to memory of 1268	1112	kiab.exe	Dwm.exe
PID 1112 wrote to memory of 1296	1112	kiab.exe	Explorer.EXE
PID 1112 wrote to memory of 1296	1112	kiab.exe	Explorer.EXE
PID 1112 wrote to memory of 1296	1112	kiab.exe	Explorer.EXE
PID 1112 wrote to memory of 1296	1112	kiab.exe	Explorer.EXE
PID 1112 wrote to memory of 1296	1112	kiab.exe	Explorer.EXE
PID 1112 wrote to memory of 2040	1112	kiab.exe	DllHost.exe
PID 1112 wrote to memory of 2040	1112	kiab.exe	DllHost.exe
PID 1112 wrote to memory of 2040	1112	kiab.exe	DllHost.exe
PID 1112 wrote to memory of 2040	1112	kiab.exe	DllHost.exe
PID 1112 wrote to memory of 2040	1112	kiab.exe	DllHost.exe
PID 1112 wrote to memory of 1816	1112	kiab.exe	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
PID 1112 wrote to memory of 1816	1112	kiab.exe	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
PID 1112 wrote to memory of 1816	1112	kiab.exe	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
PID 1112 wrote to memory of 1816	1112	kiab.exe	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
PID 1112 wrote to memory of 1816	1112	kiab.exe	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe
PID 1816 wrote to memory of 2764	1816	89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1268

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89753d8050a2a41c24f85dd57b0a5a72_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\Otoro\kiab.exe
"C:\Users\Admin\AppData\Roaming\Otoro\kiab.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c0a8732.bat"
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1c0a8732.bat

Filesize
271B

MD5
e6618befc4d6c31e4aebf8f16a07f67e

SHA1
6566be472dadd232e84d11aedb027f860371c8e6

SHA256
88b634375c6b9a90b320f8a4e6a7411f6b41f07058bf008506105e8cd6cf5ac5

SHA512
20684674db0ff769bc0404d466d7ab1e3cd5f4ef6aef2bf5811d0118568021adf7d4002d367c2ae275cdecd2da411da751da7f671cc26b593e8f50bc9b50c9d8

Download Submit
C:\Users\Admin\AppData\Roaming\Wixu\qeusi.foi

Filesize
380B

MD5
8db16aee742605b384936b28c81693b4

SHA1
903418c6721ea33af5469d07aaddb55c40f68112

SHA256
121a02c16b3b40f8970fb7912e9ae7d5b742383ec04ecd87fa0e03aa250cedf6

SHA512
bd7d5bea02f6155b20136c144cb154e4973549fbebadd881edd3ec8873ec86819b467cbb6c7d37ec95d34f77a10d6b0acea6f20a23e0082eb6ea003645f28e87

Download Submit
\Users\Admin\AppData\Roaming\Otoro\kiab.exe

Filesize
262KB

MD5
adf4eb6d72cb2b37111f764a5fd56463

SHA1
370a956cd66aa08f398825b2a5c30449a760d270

SHA256
7e1b1dac037b77ac1f4e575e69ef07a709a186b6392640edd3f4518d725ece78

SHA512
06d9a85912ba4cfb308c63a7d70c670ded0c780d9978d8c7547f2ec2dda9f0959744d866df12cb52582a0bb86b57a47e603d2db4aac417bdbced646eb65b984d

Download Submit
memory/1112-15-0x0000000001BC0000-0x0000000001C01000-memory.dmp

Filesize
260KB

Download
memory/1112-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-284-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1112-16-0x0000000001C10000-0x0000000001C55000-memory.dmp

Filesize
276KB

Download
memory/1112-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1152-19-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-22-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-24-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-26-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1152-17-0x0000000002120000-0x0000000002161000-memory.dmp

Filesize
260KB

Download
memory/1268-32-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1268-34-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1268-36-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1268-30-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1296-42-0x0000000002B40000-0x0000000002B81000-memory.dmp

Filesize
260KB

Download
memory/1296-39-0x0000000002B40000-0x0000000002B81000-memory.dmp

Filesize
260KB

Download
memory/1296-40-0x0000000002B40000-0x0000000002B81000-memory.dmp

Filesize
260KB

Download
memory/1296-41-0x0000000002B40000-0x0000000002B81000-memory.dmp

Filesize
260KB

Download
memory/1816-78-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-72-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-68-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-67-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/1816-65-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-63-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-61-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-59-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-56-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-54-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-52-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-50-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-2-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/1816-1-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/1816-70-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-74-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-164-0x0000000000360000-0x00000000003A5000-memory.dmp

Filesize
276KB

Download
memory/1816-165-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-76-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-139-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1816-80-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1816-58-0x0000000000720000-0x0000000000761000-memory.dmp

Filesize
260KB

Download
memory/1816-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1816-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-45-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/2040-44-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/2040-46-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download
memory/2040-47-0x0000000001F10000-0x0000000001F51000-memory.dmp

Filesize
260KB

Download