c179df3235c0e7e820186eb3147e5305ebd0e5399d37c45aa232bb643d3824f2

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
Size

262KB
MD5

9730e701dad73a9d1e8119c13a721898
SHA1

9c1b9d079cd0dbc82190c44fb401787efb3cff06
SHA256

c179df3235c0e7e820186eb3147e5305ebd0e5399d37c45aa232bb643d3824f2
SHA512

93159cddff7e95a526f270ab16f43b777eec6c957cf73a598623419758fcb32f2a5e94e0b3be105b9b59788634a3767fc6bf9c92c8223bf9a8c5473c2609c25b
SSDEEP

6144:uT8Gp+df0afmVTRMdGdpn94sLrNXel9cXb98+MAUr:I8YkfXf4TRM+94svNuzcb9Z+

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2088	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1820	elxio.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Oqigid\\elxio.exe"	elxio.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe
1820	elxio.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
Token: SeSecurityPrivilege	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
Token: SeSecurityPrivilege	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
1820	elxio.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1820	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	29
PID 1712 wrote to memory of 1820	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	29
PID 1712 wrote to memory of 1820	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	29
PID 1712 wrote to memory of 1820	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	29
PID 1820 wrote to memory of 1312	1820	elxio.exe	18
PID 1820 wrote to memory of 1312	1820	elxio.exe	18
PID 1820 wrote to memory of 1312	1820	elxio.exe	18
PID 1820 wrote to memory of 1312	1820	elxio.exe	18
PID 1820 wrote to memory of 1312	1820	elxio.exe	18
PID 1820 wrote to memory of 1364	1820	elxio.exe	19
PID 1820 wrote to memory of 1364	1820	elxio.exe	19
PID 1820 wrote to memory of 1364	1820	elxio.exe	19
PID 1820 wrote to memory of 1364	1820	elxio.exe	19
PID 1820 wrote to memory of 1364	1820	elxio.exe	19
PID 1820 wrote to memory of 1380	1820	elxio.exe	20
PID 1820 wrote to memory of 1380	1820	elxio.exe	20
PID 1820 wrote to memory of 1380	1820	elxio.exe	20
PID 1820 wrote to memory of 1380	1820	elxio.exe	20
PID 1820 wrote to memory of 1380	1820	elxio.exe	20
PID 1820 wrote to memory of 1196	1820	elxio.exe	22
PID 1820 wrote to memory of 1196	1820	elxio.exe	22
PID 1820 wrote to memory of 1196	1820	elxio.exe	22
PID 1820 wrote to memory of 1196	1820	elxio.exe	22
PID 1820 wrote to memory of 1196	1820	elxio.exe	22
PID 1820 wrote to memory of 1712	1820	elxio.exe	28
PID 1820 wrote to memory of 1712	1820	elxio.exe	28
PID 1820 wrote to memory of 1712	1820	elxio.exe	28
PID 1820 wrote to memory of 1712	1820	elxio.exe	28
PID 1820 wrote to memory of 1712	1820	elxio.exe	28
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2088	1712	9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1312

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9730e701dad73a9d1e8119c13a721898_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\Oqigid\elxio.exe
    "C:\Users\Admin\AppData\Roaming\Oqigid\elxio.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc1570fb4.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2088

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc1570fb4.bat

Filesize
271B

MD5
835ed7573c8067a1a7c8b2111b96256b

SHA1
9c169a9976b99a65ee8002743c53e4d45ab227ce

SHA256
7a992cfc0f45257a569ea952c9ef3125200089fec277c31c87cd537de8233fd3

SHA512
bb2aca8057796a57aa7fdfe439298c0c1a7cd3d626af078cd48ea5e06a9e2e8df5d2621d4b2c8547b27c7774b64b49cec12bbe60eb63be0827b420aeb50f2dc6

Download Submit
C:\Users\Admin\AppData\Roaming\Etuzra\opos.rue

Filesize
380B

MD5
56d8ad4e324e852491de5d21ad10209f

SHA1
de6db4f3295b146aeb637f78a27c360cc0e556a5

SHA256
11465655a13f83f9212c2f98503f8e4a97da894f58b2da4350c9f9a70519ecec

SHA512
2cc8a540b8b5f7a29e2843cb6d1e825d4fe6a30db676fa677133a38e29d00581caea5693dedc880ff73cf39bab044a96540550e6cb2b7f3b350244fa03dce483

Download Submit
C:\Users\Admin\AppData\Roaming\Oqigid\elxio.exe

Filesize
262KB

MD5
8493fcec16c0038cd6dc76588d65e0ad

SHA1
6827648ee899617ed8d12bd0bafa284a7c1e8a3c

SHA256
d977c7c8f61eff4259fc5789cf187ea83dedac0d50eceec00db7fb857a7a1742

SHA512
bb5e6aa93bf2e2769bffa94d1f6c21b5b3dd4ce5b74e3cf44764f10c22a4a697ac5df8ae9ef90294595a56ff87c4c478c57e00496b972717c22a7ff1d6829a01

Download Submit
memory/1196-36-0x0000000001EB0000-0x0000000001EF1000-memory.dmp

Filesize
260KB

Download
memory/1196-33-0x0000000001EB0000-0x0000000001EF1000-memory.dmp

Filesize
260KB

Download
memory/1196-35-0x0000000001EB0000-0x0000000001EF1000-memory.dmp

Filesize
260KB

Download
memory/1196-34-0x0000000001EB0000-0x0000000001EF1000-memory.dmp

Filesize
260KB

Download
memory/1312-20-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/1312-21-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/1312-19-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/1312-18-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/1312-16-0x0000000000420000-0x0000000000461000-memory.dmp

Filesize
260KB

Download
memory/1364-23-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1364-25-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1364-24-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1364-26-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1380-28-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1380-29-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1380-30-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1380-31-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1712-129-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-42-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-147-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/1712-73-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-71-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-69-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-67-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-65-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-63-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-59-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-57-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-55-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-53-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-51-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-49-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-47-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-45-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-43-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-148-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1712-40-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-39-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-38-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-150-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-75-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-77-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x00000000002E0000-0x0000000000325000-memory.dmp

Filesize
276KB

Download
memory/1712-127-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1712-128-0x0000000077A20000-0x0000000077A21000-memory.dmp

Filesize
4KB

Download
memory/1712-61-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1712-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1712-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-41-0x0000000001F60000-0x0000000001FA1000-memory.dmp

Filesize
260KB

Download
memory/1820-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-14-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/1820-13-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1820-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download