a4c9dcf0f9c2e56477f23f1fe9737b21c65fa3058922babfe6a86f1aca65d92b

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
Size

290KB
MD5

aa68952b72f66fef836f5286488ec713
SHA1

390bc5736ba9672dba40cea2058fca2a5176ef4d
SHA256

a4c9dcf0f9c2e56477f23f1fe9737b21c65fa3058922babfe6a86f1aca65d92b
SHA512

4bdf26b31cde68a521f4a3e54724e6b9413bd08c3ee6deae10c50c67cab5488ae444c6cf1f4afe737f45fe49330932559f983e46ceb0569423825a2bc74ad606
SSDEEP

6144:6XvlvdqWLqOKD/B5RyaynzgvGq6JhW7zQgtm0DTlg1:6Xv/zLe/B5YzFHctmt

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	zydi.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\{1B0C4E28-6E66-AD4F-AB1D-A71BBF328406} = "C:\\Users\\Admin\\AppData\\Roaming\\Yhgozu\\zydi.exe"	zydi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe
2152	zydi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
Token: SeSecurityPrivilege	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
Token: SeSecurityPrivilege	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
2152	zydi.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2152	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2152	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2152	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	31
PID 2164 wrote to memory of 2152	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	31
PID 2152 wrote to memory of 1120	2152	zydi.exe	19
PID 2152 wrote to memory of 1120	2152	zydi.exe	19
PID 2152 wrote to memory of 1120	2152	zydi.exe	19
PID 2152 wrote to memory of 1120	2152	zydi.exe	19
PID 2152 wrote to memory of 1120	2152	zydi.exe	19
PID 2152 wrote to memory of 1204	2152	zydi.exe	20
PID 2152 wrote to memory of 1204	2152	zydi.exe	20
PID 2152 wrote to memory of 1204	2152	zydi.exe	20
PID 2152 wrote to memory of 1204	2152	zydi.exe	20
PID 2152 wrote to memory of 1204	2152	zydi.exe	20
PID 2152 wrote to memory of 1256	2152	zydi.exe	21
PID 2152 wrote to memory of 1256	2152	zydi.exe	21
PID 2152 wrote to memory of 1256	2152	zydi.exe	21
PID 2152 wrote to memory of 1256	2152	zydi.exe	21
PID 2152 wrote to memory of 1256	2152	zydi.exe	21
PID 2152 wrote to memory of 1372	2152	zydi.exe	23
PID 2152 wrote to memory of 1372	2152	zydi.exe	23
PID 2152 wrote to memory of 1372	2152	zydi.exe	23
PID 2152 wrote to memory of 1372	2152	zydi.exe	23
PID 2152 wrote to memory of 1372	2152	zydi.exe	23
PID 2152 wrote to memory of 2164	2152	zydi.exe	30
PID 2152 wrote to memory of 2164	2152	zydi.exe	30
PID 2152 wrote to memory of 2164	2152	zydi.exe	30
PID 2152 wrote to memory of 2164	2152	zydi.exe	30
PID 2152 wrote to memory of 2164	2152	zydi.exe	30
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2848	2164	aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aa68952b72f66fef836f5286488ec713_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Roaming\Yhgozu\zydi.exe
    "C:\Users\Admin\AppData\Roaming\Yhgozu\zydi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1a45140b.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2848

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1a45140b.bat

Filesize
271B

MD5
ab4dca07cf20a73edff588e74596834c

SHA1
c14cda3453e9c5b2ff908e0800bf1e4584379dde

SHA256
ace16f34d911626145bc94df0099067d6b8d7d9f7583f3a3794ff9f7bc7801a1

SHA512
eafa9836fad9514414e1b14f54e0c67051c14f8131d2908ad951a4de43155dcdea9f9d2b713e41abc400038888b4de5f6597195645ca6234fe551999c7055529

Download Submit
C:\Users\Admin\AppData\Roaming\Oxemde\kiuk.tam

Filesize
380B

MD5
d377358f476e2f2a78bf392cf46ee47f

SHA1
942ed11a4850b511b6847a2b1a99ad0325e7e419

SHA256
9b5f46a12d61b91c8c1c7b3a0ea912d0f2b77844bbb30edf00a9b62bca143557

SHA512
1f18459546e036413de03914b2ab56087f836a4035674a4beb8d23b416bfba0aeb1da378d65f1b48d90801b99544073991c7cf530c465b943c55052a59428e37

Download Submit
\Users\Admin\AppData\Roaming\Yhgozu\zydi.exe

Filesize
290KB

MD5
6232d4b0595fe2fb67309ca40ff36a65

SHA1
632a8f7e055bb37a78f5404abd7b8920b466bfce

SHA256
acf531789fb46de0b5164834ae4dd49060ad412846876a20791f18e099cffed5

SHA512
46ea3dc2bcc40c8069f5c11b057a3e94d2637a7f115c4b321b4929a2a5704d984dd9a8f2b0a65acbd5e0bd40d864c528f17ab064430ac74517aa6f593f7613c8

Download Submit
memory/1120-20-0x00000000020D0000-0x0000000002111000-memory.dmp

Filesize
260KB

Download
memory/1120-21-0x00000000020D0000-0x0000000002111000-memory.dmp

Filesize
260KB

Download
memory/1120-23-0x00000000020D0000-0x0000000002111000-memory.dmp

Filesize
260KB

Download
memory/1120-22-0x00000000020D0000-0x0000000002111000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x00000000020D0000-0x0000000002111000-memory.dmp

Filesize
260KB

Download
memory/1204-26-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1204-32-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1204-30-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1204-28-0x00000000001B0000-0x00000000001F1000-memory.dmp

Filesize
260KB

Download
memory/1256-36-0x0000000002DD0000-0x0000000002E11000-memory.dmp

Filesize
260KB

Download
memory/1256-35-0x0000000002DD0000-0x0000000002E11000-memory.dmp

Filesize
260KB

Download
memory/1256-37-0x0000000002DD0000-0x0000000002E11000-memory.dmp

Filesize
260KB

Download
memory/1256-38-0x0000000002DD0000-0x0000000002E11000-memory.dmp

Filesize
260KB

Download
memory/1372-43-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1372-40-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1372-41-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/1372-42-0x0000000001E40000-0x0000000001E81000-memory.dmp

Filesize
260KB

Download
memory/2152-16-0x00000000003A0000-0x00000000003ED000-memory.dmp

Filesize
308KB

Download
memory/2152-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-15-0x0000000000350000-0x0000000000391000-memory.dmp

Filesize
260KB

Download
memory/2152-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-79-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-77-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-55-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-53-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-51-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-48-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-47-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-46-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-59-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-61-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-63-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-65-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-67-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-69-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-71-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-73-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-75-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-57-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-0-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2164-81-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-68-0x0000000077CE0000-0x0000000077CE1000-memory.dmp

Filesize
4KB

Download
memory/2164-50-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-49-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-135-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2164-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-162-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2164-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-160-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download
memory/2164-159-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2164-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-1-0x0000000000350000-0x000000000039D000-memory.dmp

Filesize
308KB

Download