43ae4936dd7f0e4408a759c9880250f94b048851c70a45bd88c478183e2e0728

Analysis

max time kernel
151s
max time network
143s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a066e357131731dd27e06a23667d527f_JaffaCakes118.exe
Size

333KB
MD5

a066e357131731dd27e06a23667d527f
SHA1

53238f05e48c848103b021138799b2d474fc50dd
SHA256

43ae4936dd7f0e4408a759c9880250f94b048851c70a45bd88c478183e2e0728
SHA512

657273d4d3e8209f14daeca9c6baf0d781e0e0eea26e37e1064282c8f847640e2a3b4b910aabdca0a70aceab0f493438b8d853308e055f1bd2fea08f9bd06801
SSDEEP

6144:i80UKaRzEfCGF16F1xx+rHMYbvcOdNS0KCGOgmLArll67y0vAbGRB1zeV:i80UKaRI316Dxxsxvck6Ogm6ll62oRj2

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2472	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	vatiny.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Ocyp\\vatiny.exe"	vatiny.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vatiny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe
2740	vatiny.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe
2740	vatiny.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2740	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2740	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2740	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2740	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	30
PID 2740 wrote to memory of 1200	2740	vatiny.exe	19
PID 2740 wrote to memory of 1200	2740	vatiny.exe	19
PID 2740 wrote to memory of 1200	2740	vatiny.exe	19
PID 2740 wrote to memory of 1200	2740	vatiny.exe	19
PID 2740 wrote to memory of 1200	2740	vatiny.exe	19
PID 2740 wrote to memory of 1308	2740	vatiny.exe	20
PID 2740 wrote to memory of 1308	2740	vatiny.exe	20
PID 2740 wrote to memory of 1308	2740	vatiny.exe	20
PID 2740 wrote to memory of 1308	2740	vatiny.exe	20
PID 2740 wrote to memory of 1308	2740	vatiny.exe	20
PID 2740 wrote to memory of 1412	2740	vatiny.exe	21
PID 2740 wrote to memory of 1412	2740	vatiny.exe	21
PID 2740 wrote to memory of 1412	2740	vatiny.exe	21
PID 2740 wrote to memory of 1412	2740	vatiny.exe	21
PID 2740 wrote to memory of 1412	2740	vatiny.exe	21
PID 2740 wrote to memory of 1560	2740	vatiny.exe	25
PID 2740 wrote to memory of 1560	2740	vatiny.exe	25
PID 2740 wrote to memory of 1560	2740	vatiny.exe	25
PID 2740 wrote to memory of 1560	2740	vatiny.exe	25
PID 2740 wrote to memory of 1560	2740	vatiny.exe	25
PID 2740 wrote to memory of 2804	2740	vatiny.exe	29
PID 2740 wrote to memory of 2804	2740	vatiny.exe	29
PID 2740 wrote to memory of 2804	2740	vatiny.exe	29
PID 2740 wrote to memory of 2804	2740	vatiny.exe	29
PID 2740 wrote to memory of 2804	2740	vatiny.exe	29
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2472	2804	a066e357131731dd27e06a23667d527f_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\a066e357131731dd27e06a23667d527f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a066e357131731dd27e06a23667d527f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Roaming\Ocyp\vatiny.exe
    "C:\Users\Admin\AppData\Roaming\Ocyp\vatiny.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp71cb6aed.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp71cb6aed.bat

Filesize
271B

MD5
09be00b1becdb7d9ef33508971d72974

SHA1
4039c9dde250dc6a8345f22dd0930c696bdfd84f

SHA256
8e7879c20399bc0cd6a2cf06a72bbf8262cd38093227938cf47980b95e608eb0

SHA512
ebc5d98039d245f6bb69bf7d0af64293e53b8c54e5a6f2257965c44b48514bae1f7dc34c2340d94142c7b1744b5a0b981b23cb5d09a27198af4d3a13f3793ee1

Download Submit
\Users\Admin\AppData\Roaming\Ocyp\vatiny.exe

Filesize
333KB

MD5
e01501bc055c571c51027ae064d60e3c

SHA1
0b62e443140eb1b2ea13472035a35f65372e9945

SHA256
8781c39cac6fd6d05be333d08b7747e9bb0e363cc028eb4b9194e04de8bc9d93

SHA512
ad2d0056e1bf93cb402065eb8f371eae68143eb0049baae3b41d1a20c5fa843a19b1f19d38b18dcba8d8bc0f5a8c7d30e8966c6f78a74ce2e946292fb18634f8

Download Submit
memory/1200-14-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/1200-15-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/1200-12-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/1200-13-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/1200-11-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/1308-17-0x00000000019C0000-0x0000000001A02000-memory.dmp

Filesize
264KB

Download
memory/1308-18-0x00000000019C0000-0x0000000001A02000-memory.dmp

Filesize
264KB

Download
memory/1308-19-0x00000000019C0000-0x0000000001A02000-memory.dmp

Filesize
264KB

Download
memory/1308-20-0x00000000019C0000-0x0000000001A02000-memory.dmp

Filesize
264KB

Download
memory/1412-25-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1412-22-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1412-23-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1412-24-0x00000000026F0000-0x0000000002732000-memory.dmp

Filesize
264KB

Download
memory/1560-30-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/2740-10-0x0000000076E10000-0x0000000076FB9000-memory.dmp

Filesize
1.7MB

Download
memory/2804-66-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-52-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-46-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-44-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-42-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-41-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2804-39-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2804-37-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2804-35-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2804-33-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/2804-50-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-48-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-54-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-56-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-58-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-62-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-64-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-0-0x0000000076E10000-0x0000000076FB9000-memory.dmp

Filesize
1.7MB

Download
memory/2804-68-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-70-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-72-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-60-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2804-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download