2f48659dd00d9e1f4ff5c0b9aee3373cc57fe3f592ed50b6cd3d09db7449e966

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
Size

282KB
MD5

a667bbbe6a3110291250a15076aa5e46
SHA1

1e784f1a156e5ed848cb9a2c8f557b739a34be4a
SHA256

2f48659dd00d9e1f4ff5c0b9aee3373cc57fe3f592ed50b6cd3d09db7449e966
SHA512

0368facc79268744787ebae9ade7765facd2d6d62e96c9c6d053f9fa8b9f59484aadd8b0be2d8b05ff14d25a8c1fd591921f5af4cec2f1da9eeab304d9b6aaea
SSDEEP

6144:v52HPJAA9jslC3Nvju2NCjV+GenP8k3JTLLeR:h2HPJh9jJdjN+V+GenEIpLE

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2128	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	sopes.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Yfwoe\\sopes.exe"	sopes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sopes.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe
1708	sopes.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
Token: SeSecurityPrivilege	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
Token: SeSecurityPrivilege	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
1708	sopes.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1708	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1708	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1708	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	30
PID 2132 wrote to memory of 1708	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	30
PID 1708 wrote to memory of 1108	1708	sopes.exe	19
PID 1708 wrote to memory of 1108	1708	sopes.exe	19
PID 1708 wrote to memory of 1108	1708	sopes.exe	19
PID 1708 wrote to memory of 1108	1708	sopes.exe	19
PID 1708 wrote to memory of 1108	1708	sopes.exe	19
PID 1708 wrote to memory of 1192	1708	sopes.exe	20
PID 1708 wrote to memory of 1192	1708	sopes.exe	20
PID 1708 wrote to memory of 1192	1708	sopes.exe	20
PID 1708 wrote to memory of 1192	1708	sopes.exe	20
PID 1708 wrote to memory of 1192	1708	sopes.exe	20
PID 1708 wrote to memory of 1240	1708	sopes.exe	21
PID 1708 wrote to memory of 1240	1708	sopes.exe	21
PID 1708 wrote to memory of 1240	1708	sopes.exe	21
PID 1708 wrote to memory of 1240	1708	sopes.exe	21
PID 1708 wrote to memory of 1240	1708	sopes.exe	21
PID 1708 wrote to memory of 1304	1708	sopes.exe	23
PID 1708 wrote to memory of 1304	1708	sopes.exe	23
PID 1708 wrote to memory of 1304	1708	sopes.exe	23
PID 1708 wrote to memory of 1304	1708	sopes.exe	23
PID 1708 wrote to memory of 1304	1708	sopes.exe	23
PID 1708 wrote to memory of 2132	1708	sopes.exe	29
PID 1708 wrote to memory of 2132	1708	sopes.exe	29
PID 1708 wrote to memory of 2132	1708	sopes.exe	29
PID 1708 wrote to memory of 2132	1708	sopes.exe	29
PID 1708 wrote to memory of 2132	1708	sopes.exe	29
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2128	2132	a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a667bbbe6a3110291250a15076aa5e46_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\Yfwoe\sopes.exe
    "C:\Users\Admin\AppData\Roaming\Yfwoe\sopes.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb6c97476.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb6c97476.bat

Filesize
271B

MD5
f742972f41dcfd0c07c2f36281097406

SHA1
ab04c3f6abe7d7c864910d57bdc10f9ec26eccbf

SHA256
b69c9bad2ceb566924fde60a1655103255dbf2926b0dc645e9e073aaced0d9d2

SHA512
06735dc8032912b37f4c9b19fbb1ed08b682b19f0ec704404a89ac6ac458965897ff5d89f2a7aa2c69bcb2e6056dba35c3b157e05014913c7017990b4ba43dae

Download Submit
C:\Users\Admin\AppData\Roaming\Axalf\ohyk.lux

Filesize
380B

MD5
60464d661088914eff4b1f90a6216e28

SHA1
b2dba00f5992f0a27d6e486b9d26c954d553183c

SHA256
e81ef65cb3e8bdb5a0c29be3a22ce25bd29f9bc8b027d69a822f549985af9598

SHA512
f4501b4967beccad3deab45914e2adb3683f25f6cb92dd01a4b666635888e3db43784242d2fdf4be459d453dfb26dc7948cabe8e6d5333b10e6e365aff6b1a5d

Download Submit
C:\Users\Admin\AppData\Roaming\Yfwoe\sopes.exe

Filesize
282KB

MD5
8510c797e682e8e0d6413e3cc3b437d3

SHA1
48f9cc36375b9318015df6b609c125c4c316de53

SHA256
8c110508513517a8d48c206ec21ec9f91f44eb2e513c47c1e0321a98cce440c9

SHA512
f0ba5632666d006383df157737c5b40c06e3b3edd53820a7a6d69c72ebd79262ae8e72021915e2badcacf9cd8b0c22e1a4d05dc89c00351f22c104d4aab8b860

Download Submit
memory/1108-23-0x00000000021A0000-0x00000000021E1000-memory.dmp

Filesize
260KB

Download
memory/1108-25-0x00000000021A0000-0x00000000021E1000-memory.dmp

Filesize
260KB

Download
memory/1108-21-0x00000000021A0000-0x00000000021E1000-memory.dmp

Filesize
260KB

Download
memory/1108-27-0x00000000021A0000-0x00000000021E1000-memory.dmp

Filesize
260KB

Download
memory/1108-19-0x00000000021A0000-0x00000000021E1000-memory.dmp

Filesize
260KB

Download
memory/1192-34-0x0000000000150000-0x0000000000191000-memory.dmp

Filesize
260KB

Download
memory/1192-32-0x0000000000150000-0x0000000000191000-memory.dmp

Filesize
260KB

Download
memory/1192-36-0x0000000000150000-0x0000000000191000-memory.dmp

Filesize
260KB

Download
memory/1192-30-0x0000000000150000-0x0000000000191000-memory.dmp

Filesize
260KB

Download
memory/1240-40-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/1240-39-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/1240-41-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/1240-42-0x0000000002540000-0x0000000002581000-memory.dmp

Filesize
260KB

Download
memory/1304-46-0x0000000001C40000-0x0000000001C81000-memory.dmp

Filesize
260KB

Download
memory/1304-47-0x0000000001C40000-0x0000000001C81000-memory.dmp

Filesize
260KB

Download
memory/1304-44-0x0000000001C40000-0x0000000001C81000-memory.dmp

Filesize
260KB

Download
memory/1304-45-0x0000000001C40000-0x0000000001C81000-memory.dmp

Filesize
260KB

Download
memory/1708-15-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1708-16-0x0000000000360000-0x00000000003AA000-memory.dmp

Filesize
296KB

Download
memory/1708-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-79-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-75-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-59-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-57-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-55-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-53-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-52-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-51-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-50-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-63-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-65-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-67-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-69-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-71-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-73-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-61-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-77-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-136-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-138-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2132-137-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x00000000002D0000-0x000000000031A000-memory.dmp

Filesize
296KB

Download
memory/2132-54-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-164-0x0000000002280000-0x00000000022C1000-memory.dmp

Filesize
260KB

Download
memory/2132-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-162-0x00000000002D0000-0x000000000031A000-memory.dmp

Filesize
296KB

Download
memory/2132-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2132-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download