a6b9f36c4a18081e1772ace56a81ff67e94d7a6bd6b6fc81a35237c40656810c

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
Size

255KB
MD5

ab723227b9b890069b937f7317e9d144
SHA1

7ca4064ed37eed54d498ca3d4831b2b5b0ea583c
SHA256

a6b9f36c4a18081e1772ace56a81ff67e94d7a6bd6b6fc81a35237c40656810c
SHA512

27906415c03b7a6c6afc008eeac72a74e5dec30b3cbbc87a4883db1e6f9c26095b478e02a1fd6795536ecf1d230227e3e53aeb53b450c34731b65b1470015157
SSDEEP

6144:P4TE1mRi76B3R7XM7WTXJqBD1p2bz3xCBv5+ALP:P441b76B3hXM7WAl2bz3QP+S

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	ymhax.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Febot\\ymhax.exe"	ymhax.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymhax.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe
2840	ymhax.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
2840	ymhax.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2840	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2840	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2840	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	28
PID 2248 wrote to memory of 2840	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	28
PID 2840 wrote to memory of 1060	2840	ymhax.exe	18
PID 2840 wrote to memory of 1060	2840	ymhax.exe	18
PID 2840 wrote to memory of 1060	2840	ymhax.exe	18
PID 2840 wrote to memory of 1060	2840	ymhax.exe	18
PID 2840 wrote to memory of 1060	2840	ymhax.exe	18
PID 2840 wrote to memory of 1152	2840	ymhax.exe	20
PID 2840 wrote to memory of 1152	2840	ymhax.exe	20
PID 2840 wrote to memory of 1152	2840	ymhax.exe	20
PID 2840 wrote to memory of 1152	2840	ymhax.exe	20
PID 2840 wrote to memory of 1152	2840	ymhax.exe	20
PID 2840 wrote to memory of 1184	2840	ymhax.exe	21
PID 2840 wrote to memory of 1184	2840	ymhax.exe	21
PID 2840 wrote to memory of 1184	2840	ymhax.exe	21
PID 2840 wrote to memory of 1184	2840	ymhax.exe	21
PID 2840 wrote to memory of 1184	2840	ymhax.exe	21
PID 2840 wrote to memory of 2024	2840	ymhax.exe	23
PID 2840 wrote to memory of 2024	2840	ymhax.exe	23
PID 2840 wrote to memory of 2024	2840	ymhax.exe	23
PID 2840 wrote to memory of 2024	2840	ymhax.exe	23
PID 2840 wrote to memory of 2024	2840	ymhax.exe	23
PID 2840 wrote to memory of 2248	2840	ymhax.exe	27
PID 2840 wrote to memory of 2248	2840	ymhax.exe	27
PID 2840 wrote to memory of 2248	2840	ymhax.exe	27
PID 2840 wrote to memory of 2248	2840	ymhax.exe	27
PID 2840 wrote to memory of 2248	2840	ymhax.exe	27
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29
PID 2248 wrote to memory of 2608	2248	ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1060

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab723227b9b890069b937f7317e9d144_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Roaming\Febot\ymhax.exe
    "C:\Users\Admin\AppData\Roaming\Febot\ymhax.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp27021e27.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp27021e27.bat

Filesize
271B

MD5
25be0524cafe1c5013049d83a7236b5d

SHA1
0bf96e630669aa2042fe96ea147fdaa7619f57ef

SHA256
b3bf4919ad5d29834f55a972cf19cc0092f20b4eacc66c7db1407489f6246ab1

SHA512
c59ff7bede22f3a9c763fd69b65e87e1af89b2f98a5f82f571eb8dc41e17da15a65ccd5caf7c3a94e5936dbb78935ec064756a2793c2d6642ac32e455f25a143

Download Submit
\Users\Admin\AppData\Roaming\Febot\ymhax.exe

Filesize
255KB

MD5
b000aea4306ef43bff7c0a4705866198

SHA1
adf2035eec53d79eb800e735b77ccd42be7d277c

SHA256
3fe1182c32772c9c39986ecc95bd05bda6501df6c9e347631d38274e39b36025

SHA512
4da49e8c7725a79867c17d7c914365dafa9be054da865363897f8fa3f7cfcc41014096e84b3204116c7e9e619527af8ad9ebab7a3fa4ef1c35ca35e53c14af53

Download Submit
memory/1060-21-0x0000000001F40000-0x0000000001F7F000-memory.dmp

Filesize
252KB

Download
memory/1060-23-0x0000000001F40000-0x0000000001F7F000-memory.dmp

Filesize
252KB

Download
memory/1060-20-0x0000000001F40000-0x0000000001F7F000-memory.dmp

Filesize
252KB

Download
memory/1060-19-0x0000000001F40000-0x0000000001F7F000-memory.dmp

Filesize
252KB

Download
memory/1060-22-0x0000000001F40000-0x0000000001F7F000-memory.dmp

Filesize
252KB

Download
memory/1152-25-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1152-27-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1152-28-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1152-26-0x0000000000130000-0x000000000016F000-memory.dmp

Filesize
252KB

Download
memory/1184-33-0x00000000024F0000-0x000000000252F000-memory.dmp

Filesize
252KB

Download
memory/1184-30-0x00000000024F0000-0x000000000252F000-memory.dmp

Filesize
252KB

Download
memory/1184-31-0x00000000024F0000-0x000000000252F000-memory.dmp

Filesize
252KB

Download
memory/1184-32-0x00000000024F0000-0x000000000252F000-memory.dmp

Filesize
252KB

Download
memory/2024-37-0x0000000001BE0000-0x0000000001C1F000-memory.dmp

Filesize
252KB

Download
memory/2024-35-0x0000000001BE0000-0x0000000001C1F000-memory.dmp

Filesize
252KB

Download
memory/2024-36-0x0000000001BE0000-0x0000000001C1F000-memory.dmp

Filesize
252KB

Download
memory/2024-38-0x0000000001BE0000-0x0000000001C1F000-memory.dmp

Filesize
252KB

Download
memory/2248-72-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-51-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-70-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-66-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-46-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2248-63-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-68-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-80-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-78-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-76-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-74-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-0-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2248-1-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/2248-156-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/2248-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2248-65-0x0000000077D80000-0x0000000077D81000-memory.dmp

Filesize
4KB

Download
memory/2248-61-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-59-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-57-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-55-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-53-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-48-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2248-49-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2248-44-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2248-43-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2248-40-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2248-133-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2840-16-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/2840-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2840-275-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2840-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download