39dff8e9e3d912c4cdb87e66ce56fc89849eccf5bd1570969449314f6d694256

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
Size

105KB
MD5

a0e090f199d26464d4ac447b01a91d07
SHA1

b7bcb4acbfde0293d60658701d0bb3366dc1f1ef
SHA256

39dff8e9e3d912c4cdb87e66ce56fc89849eccf5bd1570969449314f6d694256
SHA512

4331721eb0827f39be6b4564b42475b0b80e31d3e18d821bb94f5c3dfc7258c02525fb1d69572eb9bbf817fa4435cd1528bb9b987d685d40e1b728fd3e3c4784
SSDEEP

3072:Qo39qySP8Kj2giI7H45KueESRyM7uVW6PrUfFs8Fb:5tJS6YHiLqyNk6PrUfFpF

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1808	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
580	mauvs.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1644-0-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/files/0x0008000000016e98-10.dat	upx
behavioral1/memory/580-15-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/580-16-0x0000000000400000-0x0000000000521000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6045F6FE-E470-0686-C06B-27F24C363AEA} = "C:\\Users\\Admin\\AppData\\Roaming\\Deir\\mauvs.exe"	mauvs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauvs.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe
580	mauvs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
Token: SeSecurityPrivilege	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
Token: SeSecurityPrivilege	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 580	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	30
PID 1644 wrote to memory of 580	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	30
PID 1644 wrote to memory of 580	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	30
PID 1644 wrote to memory of 580	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	30
PID 580 wrote to memory of 1184	580	mauvs.exe	19
PID 580 wrote to memory of 1184	580	mauvs.exe	19
PID 580 wrote to memory of 1184	580	mauvs.exe	19
PID 580 wrote to memory of 1184	580	mauvs.exe	19
PID 580 wrote to memory of 1184	580	mauvs.exe	19
PID 580 wrote to memory of 1240	580	mauvs.exe	20
PID 580 wrote to memory of 1240	580	mauvs.exe	20
PID 580 wrote to memory of 1240	580	mauvs.exe	20
PID 580 wrote to memory of 1240	580	mauvs.exe	20
PID 580 wrote to memory of 1240	580	mauvs.exe	20
PID 580 wrote to memory of 1304	580	mauvs.exe	21
PID 580 wrote to memory of 1304	580	mauvs.exe	21
PID 580 wrote to memory of 1304	580	mauvs.exe	21
PID 580 wrote to memory of 1304	580	mauvs.exe	21
PID 580 wrote to memory of 1304	580	mauvs.exe	21
PID 580 wrote to memory of 1628	580	mauvs.exe	25
PID 580 wrote to memory of 1628	580	mauvs.exe	25
PID 580 wrote to memory of 1628	580	mauvs.exe	25
PID 580 wrote to memory of 1628	580	mauvs.exe	25
PID 580 wrote to memory of 1628	580	mauvs.exe	25
PID 580 wrote to memory of 1644	580	mauvs.exe	29
PID 580 wrote to memory of 1644	580	mauvs.exe	29
PID 580 wrote to memory of 1644	580	mauvs.exe	29
PID 580 wrote to memory of 1644	580	mauvs.exe	29
PID 580 wrote to memory of 1644	580	mauvs.exe	29
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 1644 wrote to memory of 1808	1644	a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe	31
PID 580 wrote to memory of 2888	580	mauvs.exe	33
PID 580 wrote to memory of 2888	580	mauvs.exe	33
PID 580 wrote to memory of 2888	580	mauvs.exe	33
PID 580 wrote to memory of 2888	580	mauvs.exe	33
PID 580 wrote to memory of 2888	580	mauvs.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1184

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0e090f199d26464d4ac447b01a91d07_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\Deir\mauvs.exe
    "C:\Users\Admin\AppData\Roaming\Deir\mauvs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5eb1e6ff.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5eb1e6ff.bat

Filesize
271B

MD5
fce47f249c6f904e6cade50d953bbacc

SHA1
427c237c40f2e93a10e73e4d48a37421b5463483

SHA256
3d76e79ad7ee79e6dbc10bcf0a5368a0fd87146e177fe81b46f2d9c4bfe75b1d

SHA512
6fe7f84ae3f3d6ddd1907540d2c73ac4f68f9cec866a2e4b2d167d8e4a1e58dc7c73992b0a33d99f4498850a7f760d80fb5e6f869670f976941bad61b23ff3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Deir\mauvs.exe

Filesize
105KB

MD5
539bf342420240f2cb2e1243458e44ae

SHA1
f0f9e9c8e694c61784e0ae413668100fd8933b23

SHA256
4edc37bb144a3f2b756907dd50b19c904f238bab9aa4f002d99fecdf25fbffb2

SHA512
7b5a600ae9103c831472ae6ec46fdecd567b31411adc72c35b72239cb1a8395de01770e31351913b345ed778226f975c60a5a0dce4938bd786282716c02cc607

Download Submit
C:\Users\Admin\AppData\Roaming\Doafm\enwyy.tii

Filesize
380B

MD5
431bbbc83d12dff874815009114f65be

SHA1
ffd59f3a5bc307b5b292f2d19b516c0427cbf7a9

SHA256
0a5ea74de19441c7411fee63c8e5b5c49f481ca7847889b79aa30af141e6ae78

SHA512
8b2d82e42ef6589d8c7111f5ba86bacfedf2ebfa1c96d32690ac568b98f9e156cb3f6ea7b9aa939be534aff3bb3244c841f77eae7e725984dc2720bf83312b10

Download Submit
memory/580-16-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/580-126-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/580-18-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/580-15-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1184-25-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/1184-19-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/1184-23-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/1184-27-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/1184-21-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/1240-33-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1240-32-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1240-31-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1240-30-0x00000000002B0000-0x00000000002CA000-memory.dmp

Filesize
104KB

Download
memory/1304-36-0x00000000025F0000-0x000000000260A000-memory.dmp

Filesize
104KB

Download
memory/1304-37-0x00000000025F0000-0x000000000260A000-memory.dmp

Filesize
104KB

Download
memory/1304-38-0x00000000025F0000-0x000000000260A000-memory.dmp

Filesize
104KB

Download
memory/1304-35-0x00000000025F0000-0x000000000260A000-memory.dmp

Filesize
104KB

Download
memory/1628-40-0x0000000001E00000-0x0000000001E1A000-memory.dmp

Filesize
104KB

Download
memory/1628-41-0x0000000001E00000-0x0000000001E1A000-memory.dmp

Filesize
104KB

Download
memory/1628-42-0x0000000001E00000-0x0000000001E1A000-memory.dmp

Filesize
104KB

Download
memory/1628-43-0x0000000001E00000-0x0000000001E1A000-memory.dmp

Filesize
104KB

Download
memory/1644-48-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1644-0-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1644-1-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1644-75-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-54-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1644-50-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1644-69-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-67-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-65-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-63-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-61-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-59-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-57-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-55-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-2-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1644-46-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1644-3-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1644-77-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1644-78-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-80-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-97-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/1644-82-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-52-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1644-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1644-13-0x0000000001F90000-0x00000000020B1000-memory.dmp

Filesize
1.1MB

Download
memory/1644-12-0x0000000001F90000-0x00000000020B1000-memory.dmp

Filesize
1.1MB

Download
memory/1808-125-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/1808-123-0x0000000077920000-0x0000000077921000-memory.dmp

Filesize
4KB

Download
memory/1808-98-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download