d9fa867a9baeca417f4e12809d1f9a1b7b4726cd6fc4b5273846155c36b45032

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe
Size

295KB
MD5

aa368e40fa1a3d7fa3d3aa89db1aaec4
SHA1

3a44fad1e540ceb4582da42e7da625e5dda7049a
SHA256

d9fa867a9baeca417f4e12809d1f9a1b7b4726cd6fc4b5273846155c36b45032
SHA512

4ff888e5019391d29f6a5f3d5bf9e3d4dade3069a840c10039d51363a13999693f108c4c87b233dbed2071a15986a9fd004eb6616db0f4a454753b8b6efcbbdb
SSDEEP

6144:F6OySx7crxMb/Q7K86gD+bW55zbMLdOMLmlDMMSXm:FrySWrxF28/75Zb2cMLmlDMFm

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2424	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	diduka.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Uqak\\diduka.exe"	diduka.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diduka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe
2308	diduka.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2308	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2308	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2308	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2308	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	30
PID 2308 wrote to memory of 1096	2308	diduka.exe	19
PID 2308 wrote to memory of 1096	2308	diduka.exe	19
PID 2308 wrote to memory of 1096	2308	diduka.exe	19
PID 2308 wrote to memory of 1096	2308	diduka.exe	19
PID 2308 wrote to memory of 1096	2308	diduka.exe	19
PID 2308 wrote to memory of 1168	2308	diduka.exe	20
PID 2308 wrote to memory of 1168	2308	diduka.exe	20
PID 2308 wrote to memory of 1168	2308	diduka.exe	20
PID 2308 wrote to memory of 1168	2308	diduka.exe	20
PID 2308 wrote to memory of 1168	2308	diduka.exe	20
PID 2308 wrote to memory of 1200	2308	diduka.exe	21
PID 2308 wrote to memory of 1200	2308	diduka.exe	21
PID 2308 wrote to memory of 1200	2308	diduka.exe	21
PID 2308 wrote to memory of 1200	2308	diduka.exe	21
PID 2308 wrote to memory of 1200	2308	diduka.exe	21
PID 2308 wrote to memory of 1644	2308	diduka.exe	24
PID 2308 wrote to memory of 1644	2308	diduka.exe	24
PID 2308 wrote to memory of 1644	2308	diduka.exe	24
PID 2308 wrote to memory of 1644	2308	diduka.exe	24
PID 2308 wrote to memory of 1644	2308	diduka.exe	24
PID 2308 wrote to memory of 2324	2308	diduka.exe	29
PID 2308 wrote to memory of 2324	2308	diduka.exe	29
PID 2308 wrote to memory of 2324	2308	diduka.exe	29
PID 2308 wrote to memory of 2324	2308	diduka.exe	29
PID 2308 wrote to memory of 2324	2308	diduka.exe	29
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2424	2324	aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aa368e40fa1a3d7fa3d3aa89db1aaec4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Uqak\diduka.exe
    "C:\Users\Admin\AppData\Roaming\Uqak\diduka.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9f292bc0.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2424

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9f292bc0.bat

Filesize
271B

MD5
c08515aebeb9c90dc35fbf5e16652ec0

SHA1
56ad325069fdb1115ffc3d10a6687c2dfaf687c7

SHA256
2b7dd60ea0b216b6c972b1e3afd526953b617b2a91dba045251e016374d7b2a5

SHA512
628b19b5b5284e4f221ea747f2f811245041f3622c22e1e4f14c2c7952a5318f3a8759861c60a9c17f5b9c61057270f33876fc1429ce1f8b7cf90bdf9dbc9bae

Download Submit
\Users\Admin\AppData\Roaming\Uqak\diduka.exe

Filesize
295KB

MD5
71c0b0318f25486e117a71597caff91a

SHA1
3ca70f6fefd216959264c2603b4bdea382aa6982

SHA256
a46575f69178345b6e4bbd94f0af1f6f1cfbeaa4f99fcaabd6322174b77d0175

SHA512
564e32d218ac44be43b4ab5fe01e1ce79bff795f8d7994adbba8841f725b2c20522d9011ea3a72201390ac8fb45e4aa9d384e3b959adb9a05c932769686b682c

Download Submit
memory/1096-18-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1096-22-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1096-20-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1096-15-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1096-16-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1168-25-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1168-28-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1168-26-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1200-31-0x0000000002970000-0x00000000029B4000-memory.dmp

Filesize
272KB

Download
memory/1200-30-0x0000000002970000-0x00000000029B4000-memory.dmp

Filesize
272KB

Download
memory/1200-32-0x0000000002970000-0x00000000029B4000-memory.dmp

Filesize
272KB

Download
memory/1200-33-0x0000000002970000-0x00000000029B4000-memory.dmp

Filesize
272KB

Download
memory/1644-38-0x0000000001C70000-0x0000000001CB4000-memory.dmp

Filesize
272KB

Download
memory/1644-35-0x0000000001C70000-0x0000000001CB4000-memory.dmp

Filesize
272KB

Download
memory/1644-36-0x0000000001C70000-0x0000000001CB4000-memory.dmp

Filesize
272KB

Download
memory/1644-37-0x0000000001C70000-0x0000000001CB4000-memory.dmp

Filesize
272KB

Download
memory/2308-293-0x0000000000A10000-0x0000000000A5E000-memory.dmp

Filesize
312KB

Download
memory/2308-285-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2308-12-0x0000000000A10000-0x0000000000A5E000-memory.dmp

Filesize
312KB

Download
memory/2308-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-135-0x0000000077C10000-0x0000000077C11000-memory.dmp

Filesize
4KB

Download
memory/2324-0-0x00000000001D0000-0x000000000021E000-memory.dmp

Filesize
312KB

Download
memory/2324-56-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-54-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-44-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-43-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-42-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-41-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-60-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-62-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-64-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-66-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-68-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-70-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-72-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-74-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-134-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-58-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-137-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-136-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-76-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-45-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-52-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-50-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-48-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-46-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2324-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-10-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/2324-162-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2324-161-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-160-0x00000000001D0000-0x000000000021E000-memory.dmp

Filesize
312KB

Download
memory/2324-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-4-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2324-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download