e327ddd071c8efd73a0e07ccd915cd13b8494f957e97f9ae7041cc9551d13c94

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe
Size

353KB
MD5

9620db6f51ba19c5c5766271bace0bd1
SHA1

3b1e5589db8b16040082cb4ded813e30f6cd8f67
SHA256

e327ddd071c8efd73a0e07ccd915cd13b8494f957e97f9ae7041cc9551d13c94
SHA512

d228a08874710ab475ae03a86c9bab30e63731a8a4466d07970f0d9e6673c07219a8658fd0d3f972a9fe0e07f4f7b85cd186bd8b6736d63949b9049c8255a847
SSDEEP

6144:e36wMPKotBBuFq/4W0OQ6iQHWSRpjvpyoWlRlDqDjl4AFyO7QP79VulTweZ5NJ:SEPBB5/4h6ifSRPFWlRl2t4AyiQbA8eH

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	epags.exe
2736	epags.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe
2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ebbag\\epags.exe"	epags.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2820 set thread context of 2736	2820	epags.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epags.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epags.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe
2736	epags.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2280 wrote to memory of 2308	2280	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	30
PID 2308 wrote to memory of 2820	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2820	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2820	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2820	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2820 wrote to memory of 2736	2820	epags.exe	32
PID 2308 wrote to memory of 2660	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2660	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2660	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2660	2308	9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe	33
PID 2736 wrote to memory of 1116	2736	epags.exe	19
PID 2736 wrote to memory of 1116	2736	epags.exe	19
PID 2736 wrote to memory of 1116	2736	epags.exe	19
PID 2736 wrote to memory of 1116	2736	epags.exe	19
PID 2736 wrote to memory of 1116	2736	epags.exe	19
PID 2736 wrote to memory of 1164	2736	epags.exe	20
PID 2736 wrote to memory of 1164	2736	epags.exe	20
PID 2736 wrote to memory of 1164	2736	epags.exe	20
PID 2736 wrote to memory of 1164	2736	epags.exe	20
PID 2736 wrote to memory of 1164	2736	epags.exe	20
PID 2736 wrote to memory of 1196	2736	epags.exe	21
PID 2736 wrote to memory of 1196	2736	epags.exe	21
PID 2736 wrote to memory of 1196	2736	epags.exe	21
PID 2736 wrote to memory of 1196	2736	epags.exe	21
PID 2736 wrote to memory of 1196	2736	epags.exe	21
PID 2736 wrote to memory of 1672	2736	epags.exe	25
PID 2736 wrote to memory of 1672	2736	epags.exe	25
PID 2736 wrote to memory of 1672	2736	epags.exe	25
PID 2736 wrote to memory of 1672	2736	epags.exe	25
PID 2736 wrote to memory of 1672	2736	epags.exe	25
PID 2736 wrote to memory of 2660	2736	epags.exe	33
PID 2736 wrote to memory of 2660	2736	epags.exe	33
PID 2736 wrote to memory of 2660	2736	epags.exe	33
PID 2736 wrote to memory of 2660	2736	epags.exe	33
PID 2736 wrote to memory of 2660	2736	epags.exe	33
PID 2736 wrote to memory of 2392	2736	epags.exe	34
PID 2736 wrote to memory of 2392	2736	epags.exe	34
PID 2736 wrote to memory of 2392	2736	epags.exe	34
PID 2736 wrote to memory of 2392	2736	epags.exe	34
PID 2736 wrote to memory of 2392	2736	epags.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9620db6f51ba19c5c5766271bace0bd1_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Roaming\Ebbag\epags.exe
      "C:\Users\Admin\AppData\Roaming\Ebbag\epags.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Roaming\Ebbag\epags.exe
        
        "C:\Users\Admin\AppData\Roaming\Ebbag\epags.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1b78ec3c.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "706721871209284014-1797682446-987218183552510403416398920294827851-1649894021"
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1b78ec3c.bat

Filesize
271B

MD5
453bda18fdad1c31fca00ab25d30c9b3

SHA1
29d3b1014f09d21898bf577e608d1a16a86fad19

SHA256
5ed523b8bf264902335db59078b00eb39abfbf00a3cc3ece56ac0847ccf398dc

SHA512
f8dcbde4a5df1ae3ee4a449c9789bc55875464681768df6159f6e4479ad0681f6783c1e4bb4017dbd6551d2a467856c35be2cc129a78f0cb32a9ecb7387a8dec

Download Submit
C:\Users\Admin\AppData\Roaming\Ebbag\epags.exe

Filesize
353KB

MD5
63e3c19b49cb91c09fad13c2b3aa5b97

SHA1
ad256b29a921c3f0a249554da5e46cf5fccc6542

SHA256
7c2681b45c0866ada4844202858db060f3082bde75b2e78937363e34c21f9730

SHA512
34aa1f8364229de42d611a961144cbb60f0bb35e5cf971a98aac1c04c61e59daa0d5f9d8165f414c82617eee0c8a26e12dc9946584e240d0edd88d089d91ee3e

Download Submit
memory/1116-57-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1116-55-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1116-56-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1116-54-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1164-60-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-59-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-61-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-62-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1196-65-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1196-67-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1196-69-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1196-71-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1672-75-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1672-77-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1672-79-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1672-81-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/2280-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2280-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2308-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-28-0x0000000000450000-0x00000000004AE000-memory.dmp

Filesize
376KB

Download
memory/2308-30-0x0000000000450000-0x00000000004AE000-memory.dmp

Filesize
376KB

Download
memory/2308-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-84-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/2736-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2736-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-45-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download