cd1368db50c1b1e553ed4f200c06ed9cf342ad140b414e7e3dfa306d2a6335fe

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
Size

357KB
MD5

a3baa4a1231ae7f0ffddcb977a4473a6
SHA1

21c72722e1a5983fa70fb11a19c11fb767dc0149
SHA256

cd1368db50c1b1e553ed4f200c06ed9cf342ad140b414e7e3dfa306d2a6335fe
SHA512

80f5e3e804a319a40a16c36596b689230744bbb5b1fa2cc6751f7357ede635394bddfe40f7cc55e3b5d160d085af48131ff30b501a27f715294b679de9f7c5c2
SSDEEP

6144:M4//bqpBm1Hs3czyOxW8RjSqjAvzxCaQHkRE0ZjOEd4xEtpzbpY:M4rqpB6Hs3czfxW8B7jAv1CaXGIGGbC

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	emuzy.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C4A05C48-6809-AD4F-9B76-1BFCA18838E1} = "C:\\Users\\Admin\\AppData\\Roaming\\Jafyec\\emuzy.exe"	emuzy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emuzy.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe
2812	emuzy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
2812	emuzy.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2812	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	30
PID 2228 wrote to memory of 2812	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	30
PID 2228 wrote to memory of 2812	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	30
PID 2228 wrote to memory of 2812	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	30
PID 2812 wrote to memory of 1104	2812	emuzy.exe	19
PID 2812 wrote to memory of 1104	2812	emuzy.exe	19
PID 2812 wrote to memory of 1104	2812	emuzy.exe	19
PID 2812 wrote to memory of 1104	2812	emuzy.exe	19
PID 2812 wrote to memory of 1104	2812	emuzy.exe	19
PID 2812 wrote to memory of 1152	2812	emuzy.exe	20
PID 2812 wrote to memory of 1152	2812	emuzy.exe	20
PID 2812 wrote to memory of 1152	2812	emuzy.exe	20
PID 2812 wrote to memory of 1152	2812	emuzy.exe	20
PID 2812 wrote to memory of 1152	2812	emuzy.exe	20
PID 2812 wrote to memory of 1200	2812	emuzy.exe	21
PID 2812 wrote to memory of 1200	2812	emuzy.exe	21
PID 2812 wrote to memory of 1200	2812	emuzy.exe	21
PID 2812 wrote to memory of 1200	2812	emuzy.exe	21
PID 2812 wrote to memory of 1200	2812	emuzy.exe	21
PID 2812 wrote to memory of 1248	2812	emuzy.exe	25
PID 2812 wrote to memory of 1248	2812	emuzy.exe	25
PID 2812 wrote to memory of 1248	2812	emuzy.exe	25
PID 2812 wrote to memory of 1248	2812	emuzy.exe	25
PID 2812 wrote to memory of 1248	2812	emuzy.exe	25
PID 2812 wrote to memory of 2228	2812	emuzy.exe	29
PID 2812 wrote to memory of 2228	2812	emuzy.exe	29
PID 2812 wrote to memory of 2228	2812	emuzy.exe	29
PID 2812 wrote to memory of 2228	2812	emuzy.exe	29
PID 2812 wrote to memory of 2228	2812	emuzy.exe	29
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2956	2228	a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2412	2812	emuzy.exe	34
PID 2812 wrote to memory of 2412	2812	emuzy.exe	34
PID 2812 wrote to memory of 2412	2812	emuzy.exe	34
PID 2812 wrote to memory of 2412	2812	emuzy.exe	34
PID 2812 wrote to memory of 2412	2812	emuzy.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3baa4a1231ae7f0ffddcb977a4473a6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Roaming\Jafyec\emuzy.exe
    "C:\Users\Admin\AppData\Roaming\Jafyec\emuzy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp15c47268.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15c47268.bat

Filesize
271B

MD5
992fd82b0877e85c22efa137654dd8ca

SHA1
68933aa5bba3aef20c8a139da7f829e330640dcd

SHA256
25de83f2537fea1654538ac664108146060d600bdb2620c396e18b66b0e9cfcb

SHA512
555763ce7e76c57d7a14c54356ec04fbfb053100236d35a14721fc119e7d8f2c4c94764888308a6305a01a1e412333a4b2654d6de742054a5a4fc1813d524cd5

Download Submit
\Users\Admin\AppData\Roaming\Jafyec\emuzy.exe

Filesize
357KB

MD5
b0e9196ae92294b4dc723c41b0b59b53

SHA1
a82c8c3a08ca27b35b651c79dece1465eaacbdc8

SHA256
75d8e65582481af1c2bbf889081cd0461f9389a8de072418e90e5a6f7e417da6

SHA512
5206dd1f53d4a074daaf96f860465a47a6c919015bbc1a8d5e4f0086849dc5fba84f4a1c52e3f97e48173d7b344b85b977d88551ade05d9d9aa8a8fd5b7fd173

Download Submit
memory/1104-20-0x0000000002200000-0x0000000002244000-memory.dmp

Filesize
272KB

Download
memory/1104-22-0x0000000002200000-0x0000000002244000-memory.dmp

Filesize
272KB

Download
memory/1104-24-0x0000000002200000-0x0000000002244000-memory.dmp

Filesize
272KB

Download
memory/1104-26-0x0000000002200000-0x0000000002244000-memory.dmp

Filesize
272KB

Download
memory/1104-18-0x0000000002200000-0x0000000002244000-memory.dmp

Filesize
272KB

Download
memory/1152-31-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-30-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-29-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1152-32-0x0000000001F80000-0x0000000001FC4000-memory.dmp

Filesize
272KB

Download
memory/1200-34-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1200-35-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1200-36-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1200-37-0x0000000002500000-0x0000000002544000-memory.dmp

Filesize
272KB

Download
memory/1248-42-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1248-39-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1248-40-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/1248-41-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/2228-135-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-45-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-158-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2228-75-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-73-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-71-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-69-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-67-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-65-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-63-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-61-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-59-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-57-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-55-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-53-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-51-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-49-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-47-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-46-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-159-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2228-44-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-161-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-77-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-79-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/2228-133-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-134-0x00000000774D0000-0x00000000774D1000-memory.dmp

Filesize
4KB

Download
memory/2228-48-0x0000000001F70000-0x0000000001FB4000-memory.dmp

Filesize
272KB

Download
memory/2228-1-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2228-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2812-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-283-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2812-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download