80c7cc118b0b0ad39f300126f3ce24f0aece9ef318a92f6f58e137d77a2b6884

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 10:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
Size

335KB
MD5

89f474a9ec5b54bdbd34d5509bed52b4
SHA1

d92c195c20ffb20a46a419ad11581b6a08823e57
SHA256

80c7cc118b0b0ad39f300126f3ce24f0aece9ef318a92f6f58e137d77a2b6884
SHA512

c3da36b85efc932f73f65e349d64e6d57c3343fdcfb33fd52650d0dacba6f1f1a0b54f6c36645f41942e957f47aa5a30f8e95d980214f2c6fadb45d43638af58
SSDEEP

6144:7DXDt/EzOLSHNypS90GMcWBRBiPo7K03RHxZifv/c4/yhRjpLBnxBZsqcg:7DXDtG8SgGMcyjiA7zBHxZFpZZss

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2960	pyhoqo.exe
2708	pyhoqo.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Ezqen\\pyhoqo.exe"	pyhoqo.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 2960 set thread context of 2708	2960	pyhoqo.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyhoqo.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe
2708	pyhoqo.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 1488 wrote to memory of 2368	1488	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2960	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	32
PID 2368 wrote to memory of 2960	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	32
PID 2368 wrote to memory of 2960	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	32
PID 2368 wrote to memory of 2960	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2960 wrote to memory of 2708	2960	pyhoqo.exe	33
PID 2708 wrote to memory of 1100	2708	pyhoqo.exe	19
PID 2708 wrote to memory of 1100	2708	pyhoqo.exe	19
PID 2708 wrote to memory of 1100	2708	pyhoqo.exe	19
PID 2708 wrote to memory of 1100	2708	pyhoqo.exe	19
PID 2708 wrote to memory of 1100	2708	pyhoqo.exe	19
PID 2708 wrote to memory of 1152	2708	pyhoqo.exe	20
PID 2708 wrote to memory of 1152	2708	pyhoqo.exe	20
PID 2708 wrote to memory of 1152	2708	pyhoqo.exe	20
PID 2708 wrote to memory of 1152	2708	pyhoqo.exe	20
PID 2708 wrote to memory of 1152	2708	pyhoqo.exe	20
PID 2708 wrote to memory of 1184	2708	pyhoqo.exe	21
PID 2708 wrote to memory of 1184	2708	pyhoqo.exe	21
PID 2708 wrote to memory of 1184	2708	pyhoqo.exe	21
PID 2708 wrote to memory of 1184	2708	pyhoqo.exe	21
PID 2708 wrote to memory of 1184	2708	pyhoqo.exe	21
PID 2708 wrote to memory of 836	2708	pyhoqo.exe	23
PID 2708 wrote to memory of 836	2708	pyhoqo.exe	23
PID 2708 wrote to memory of 836	2708	pyhoqo.exe	23
PID 2708 wrote to memory of 836	2708	pyhoqo.exe	23
PID 2708 wrote to memory of 836	2708	pyhoqo.exe	23
PID 2708 wrote to memory of 2368	2708	pyhoqo.exe	30
PID 2708 wrote to memory of 2368	2708	pyhoqo.exe	30
PID 2708 wrote to memory of 2368	2708	pyhoqo.exe	30
PID 2708 wrote to memory of 2368	2708	pyhoqo.exe	30
PID 2708 wrote to memory of 2368	2708	pyhoqo.exe	30
PID 2368 wrote to memory of 2596	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2596	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2596	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2596	2368	89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe	34
PID 2708 wrote to memory of 2596	2708	pyhoqo.exe	34
PID 2708 wrote to memory of 2596	2708	pyhoqo.exe	34
PID 2708 wrote to memory of 2596	2708	pyhoqo.exe	34
PID 2708 wrote to memory of 2596	2708	pyhoqo.exe	34
PID 2708 wrote to memory of 2596	2708	pyhoqo.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89f474a9ec5b54bdbd34d5509bed52b4_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Roaming\Ezqen\pyhoqo.exe
      "C:\Users\Admin\AppData\Roaming\Ezqen\pyhoqo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Users\Admin\AppData\Roaming\Ezqen\pyhoqo.exe
        
        "C:\Users\Admin\AppData\Roaming\Ezqen\pyhoqo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp34005514.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp34005514.bat

Filesize
271B

MD5
66cb1c16209b9a6b19d55c91d941356f

SHA1
1d170ba8cc303af3cfa71ac641916167ecd09ddf

SHA256
e378538f2b9263e6b8736c708736241dae0752d222a6eb785b6dad5136e93d40

SHA512
1b8a694c68bfe785f32cd7b0c9f8f2e4d7def8c510058d17dc3127bba4fbe5d17865fd776eb8364d4cd80d0780d27f5078920cc4ecbc958fd13ee07b3e22bce7

Download Submit
\Users\Admin\AppData\Roaming\Ezqen\pyhoqo.exe

Filesize
335KB

MD5
2d1914bfbdf9ed35ec5afb4566974a04

SHA1
e57f80ccdbce94bf8d2466d34c3574987cb698f2

SHA256
19eb86c445d1d207183a18ff24fcc229d5845f5e3637f419dd01cf2b7c9576b4

SHA512
bb96d8aa4c290d5720a909a70f86b4039997099d237fa5c91231816acba87008d0db2f387a133e18d6cad3e4f7381e47682d8baf53abb1aec4948257271af168

Download Submit
memory/836-75-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/836-74-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/836-73-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/836-72-0x0000000001F10000-0x0000000001F54000-memory.dmp

Filesize
272KB

Download
memory/1100-53-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1100-55-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1100-57-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1100-59-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1152-65-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1152-64-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1152-63-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1152-62-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1184-67-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1184-69-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1184-70-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1184-68-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1488-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1488-12-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download
memory/1488-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2368-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-79-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2368-78-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2368-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-77-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2368-81-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2368-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2368-80-0x0000000001F30000-0x0000000001F74000-memory.dmp

Filesize
272KB

Download
memory/2368-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-28-0x0000000001F30000-0x0000000001F88000-memory.dmp

Filesize
352KB

Download
memory/2368-29-0x0000000001F30000-0x0000000001F88000-memory.dmp

Filesize
352KB

Download
memory/2368-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2596-110-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/2596-93-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2596-181-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2708-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2960-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2960-47-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download