9435adb201110308b389ba5cb2f935de96a0190cc347dc28cbf7a41da45fe387

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-08-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
Size

262KB
MD5

983b7c98aae7dd6b3e370c5c3d8d404a
SHA1

bfd6d26c2c573d3ba9859f391cb430678fed167a
SHA256

9435adb201110308b389ba5cb2f935de96a0190cc347dc28cbf7a41da45fe387
SHA512

429987cb8851d4d62f851a22275a56ae3d84a5e829835767fe71ca6c11a45cfb7aa132c312a4d3b3ca8ff5c2d20dea9d9fb472e2b3a43183ac1e2ae9b8c98cd7
SSDEEP

6144:2jJ8Gp+df0afmVTRMdQdpn94sLrNXel9Fb98+MAv6:uJ8YkfXf4TRMA94svNuzFb9ZU

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1908 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

oxfoa.exe

pid process

2260 oxfoa.exe
Loads dropped DLL 1 IoCs

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

pid process

3008 983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

pid	process
1908	cmd.exe

pid	process
3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oxfoa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Ryze\\oxfoa.exe"	oxfoa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

description pid process target process

PID 3008 set thread context of 1908 3008 983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 3008 set thread context of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

oxfoa.exe

pid	process
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe
2260	oxfoa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
Token: SeSecurityPrivilege	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
Token: SeSecurityPrivilege	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exeoxfoa.exe

pid process

3008 983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
2260 oxfoa.exe

pid	process
3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
2260	oxfoa.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exeoxfoa.exe

description	pid	process	target process
PID 3008 wrote to memory of 2260	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	oxfoa.exe
PID 3008 wrote to memory of 2260	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	oxfoa.exe
PID 3008 wrote to memory of 2260	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	oxfoa.exe
PID 3008 wrote to memory of 2260	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	oxfoa.exe
PID 2260 wrote to memory of 1108	2260	oxfoa.exe	taskhost.exe
PID 2260 wrote to memory of 1108	2260	oxfoa.exe	taskhost.exe
PID 2260 wrote to memory of 1108	2260	oxfoa.exe	taskhost.exe
PID 2260 wrote to memory of 1108	2260	oxfoa.exe	taskhost.exe
PID 2260 wrote to memory of 1108	2260	oxfoa.exe	taskhost.exe
PID 2260 wrote to memory of 1176	2260	oxfoa.exe	Dwm.exe
PID 2260 wrote to memory of 1176	2260	oxfoa.exe	Dwm.exe
PID 2260 wrote to memory of 1176	2260	oxfoa.exe	Dwm.exe
PID 2260 wrote to memory of 1176	2260	oxfoa.exe	Dwm.exe
PID 2260 wrote to memory of 1176	2260	oxfoa.exe	Dwm.exe
PID 2260 wrote to memory of 1208	2260	oxfoa.exe	Explorer.EXE
PID 2260 wrote to memory of 1208	2260	oxfoa.exe	Explorer.EXE
PID 2260 wrote to memory of 1208	2260	oxfoa.exe	Explorer.EXE
PID 2260 wrote to memory of 1208	2260	oxfoa.exe	Explorer.EXE
PID 2260 wrote to memory of 1208	2260	oxfoa.exe	Explorer.EXE
PID 2260 wrote to memory of 1844	2260	oxfoa.exe	DllHost.exe
PID 2260 wrote to memory of 1844	2260	oxfoa.exe	DllHost.exe
PID 2260 wrote to memory of 1844	2260	oxfoa.exe	DllHost.exe
PID 2260 wrote to memory of 1844	2260	oxfoa.exe	DllHost.exe
PID 2260 wrote to memory of 1844	2260	oxfoa.exe	DllHost.exe
PID 2260 wrote to memory of 3008	2260	oxfoa.exe	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
PID 2260 wrote to memory of 3008	2260	oxfoa.exe	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
PID 2260 wrote to memory of 3008	2260	oxfoa.exe	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
PID 2260 wrote to memory of 3008	2260	oxfoa.exe	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
PID 2260 wrote to memory of 3008	2260	oxfoa.exe	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe
PID 3008 wrote to memory of 1908	3008	983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\983b7c98aae7dd6b3e370c5c3d8d404a_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Roaming\Ryze\oxfoa.exe
"C:\Users\Admin\AppData\Roaming\Ryze\oxfoa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp66cec313.bat"
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1908

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp66cec313.bat

Filesize
271B

MD5
11d6714d1ad45b85d0bc9081ae01c684

SHA1
b8c95dc92b30ebbf96ada060bfd26885ff19023a

SHA256
86dbf57eed5705e78f620a945b8f2bb4de6975de9c11f55aee2c727d00044083

SHA512
d7b99250e0270c7c344837a4ed80fd7fe8ed53f73c3e165f11ff7fab6982915809b2c5789fc4ed3f0da9874ca4fb539f02092966b3b27618460d3408e2bc0676

Download Submit
C:\Users\Admin\AppData\Roaming\Meid\uxmix.vac

Filesize
380B

MD5
3808a6d3f6fdb3660b9113d086523c3e

SHA1
aa0a1599c4769dbebb2cd435502ad71391554e35

SHA256
9efd1cba1d6f6fdf72efefd0d65718851ba23a655523393c9237ea0980188cda

SHA512
d56451422a40b501d8492612500137d821a68e0e00413faf888a946839d7823592c301dc4d1610c293c2902d7a2ee5ecadc9a9ea0f63e078169b7ea4c081f513

Download Submit
\Users\Admin\AppData\Roaming\Ryze\oxfoa.exe

Filesize
262KB

MD5
b2f200a60d6787b0e7ae1a5e211d7d07

SHA1
f1bb7ea39c2f9bd3d5770d0db11e7c2bffd5cdb9

SHA256
496599fde469ad898af7f8d015622cf9df2a08f9be003253cd167b8f4c2ccc47

SHA512
af9ccb5497567fa7422e0b61ad33e1065bdd752facd1fc4265b0a7497513276000f7d6d84e4fc101cc28591d9a2c0bdb8e2ffd38f25dc8c3d416957aeed69770

Download Submit
memory/1108-18-0x0000000002190000-0x00000000021D1000-memory.dmp

Filesize
260KB

Download
memory/1108-22-0x0000000002190000-0x00000000021D1000-memory.dmp

Filesize
260KB

Download
memory/1108-24-0x0000000002190000-0x00000000021D1000-memory.dmp

Filesize
260KB

Download
memory/1108-16-0x0000000002190000-0x00000000021D1000-memory.dmp

Filesize
260KB

Download
memory/1108-20-0x0000000002190000-0x00000000021D1000-memory.dmp

Filesize
260KB

Download
memory/1176-35-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1176-28-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1176-30-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1176-32-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1208-40-0x0000000002EE0000-0x0000000002F21000-memory.dmp

Filesize
260KB

Download
memory/1208-38-0x0000000002EE0000-0x0000000002F21000-memory.dmp

Filesize
260KB

Download
memory/1208-37-0x0000000002EE0000-0x0000000002F21000-memory.dmp

Filesize
260KB

Download
memory/1208-39-0x0000000002EE0000-0x0000000002F21000-memory.dmp

Filesize
260KB

Download
memory/1844-45-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1844-42-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1844-43-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/1844-44-0x0000000001D40000-0x0000000001D81000-memory.dmp

Filesize
260KB

Download
memory/2260-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2260-14-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/2260-13-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/3008-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-50-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-49-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-48-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-47-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-61-0x0000000077D60000-0x0000000077D61000-memory.dmp

Filesize
4KB

Download
memory/3008-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3008-60-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-135-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3008-1-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/3008-161-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download
memory/3008-160-0x00000000004C0000-0x0000000000505000-memory.dmp

Filesize
276KB

Download
memory/3008-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-51-0x0000000001D70000-0x0000000001DB1000-memory.dmp

Filesize
260KB

Download