a1af1187d0d90dc13f73aa9f01e23bef0a9fe29804c5c19537ce43d7ed2c649b

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
Size

183KB
MD5

ab51e7d1206768ac7cb080b7669e4507
SHA1

8edfa669ef309a4b329cc109d6a90a3ab6635e71
SHA256

a1af1187d0d90dc13f73aa9f01e23bef0a9fe29804c5c19537ce43d7ed2c649b
SHA512

a5f8d03848925790c21ab27f28a7d47429cd188c807d7702a47067dcf983adabee7297dc7c3e8e143c5b4a72044db7888b5589f7811bd40d0c81cc9be11a71db
SSDEEP

3072:/9IxCZkIMJ45FlxmN71ySIrDG1zPw3jjhHoH5RPiQN/tUMuxsezGJI62ddQ7:RX5FlxY1yS6ypwBHoH5xLuQ2ddQ

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	xeamu.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1316-0-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/files/0x0008000000016d3f-6.dat	upx
behavioral1/memory/1316-8-0x0000000000370000-0x00000000003B4000-memory.dmp	upx
behavioral1/memory/1316-13-0x0000000000370000-0x00000000003B4000-memory.dmp	upx
behavioral1/memory/2792-15-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C2421E3F-A70B-8452-0FF7-7A5368232AB4} = "C:\\Users\\Admin\\AppData\\Roaming\\Zaylgo\\xeamu.exe"	xeamu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeamu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe
2792	xeamu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
Token: SeSecurityPrivilege	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
Token: SeSecurityPrivilege	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2792	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2792	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2792	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	30
PID 1316 wrote to memory of 2792	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	30
PID 2792 wrote to memory of 1116	2792	xeamu.exe	19
PID 2792 wrote to memory of 1116	2792	xeamu.exe	19
PID 2792 wrote to memory of 1116	2792	xeamu.exe	19
PID 2792 wrote to memory of 1116	2792	xeamu.exe	19
PID 2792 wrote to memory of 1116	2792	xeamu.exe	19
PID 2792 wrote to memory of 1164	2792	xeamu.exe	20
PID 2792 wrote to memory of 1164	2792	xeamu.exe	20
PID 2792 wrote to memory of 1164	2792	xeamu.exe	20
PID 2792 wrote to memory of 1164	2792	xeamu.exe	20
PID 2792 wrote to memory of 1164	2792	xeamu.exe	20
PID 2792 wrote to memory of 1200	2792	xeamu.exe	21
PID 2792 wrote to memory of 1200	2792	xeamu.exe	21
PID 2792 wrote to memory of 1200	2792	xeamu.exe	21
PID 2792 wrote to memory of 1200	2792	xeamu.exe	21
PID 2792 wrote to memory of 1200	2792	xeamu.exe	21
PID 2792 wrote to memory of 748	2792	xeamu.exe	23
PID 2792 wrote to memory of 748	2792	xeamu.exe	23
PID 2792 wrote to memory of 748	2792	xeamu.exe	23
PID 2792 wrote to memory of 748	2792	xeamu.exe	23
PID 2792 wrote to memory of 748	2792	xeamu.exe	23
PID 2792 wrote to memory of 1316	2792	xeamu.exe	29
PID 2792 wrote to memory of 1316	2792	xeamu.exe	29
PID 2792 wrote to memory of 1316	2792	xeamu.exe	29
PID 2792 wrote to memory of 1316	2792	xeamu.exe	29
PID 2792 wrote to memory of 1316	2792	xeamu.exe	29
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 1316 wrote to memory of 1932	1316	ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe	31
PID 2792 wrote to memory of 1272	2792	xeamu.exe	33
PID 2792 wrote to memory of 1272	2792	xeamu.exe	33
PID 2792 wrote to memory of 1272	2792	xeamu.exe	33
PID 2792 wrote to memory of 1272	2792	xeamu.exe	33
PID 2792 wrote to memory of 1272	2792	xeamu.exe	33
PID 2792 wrote to memory of 2492	2792	xeamu.exe	34
PID 2792 wrote to memory of 2492	2792	xeamu.exe	34
PID 2792 wrote to memory of 2492	2792	xeamu.exe	34
PID 2792 wrote to memory of 2492	2792	xeamu.exe	34
PID 2792 wrote to memory of 2492	2792	xeamu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab51e7d1206768ac7cb080b7669e4507_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Roaming\Zaylgo\xeamu.exe
    "C:\Users\Admin\AppData\Roaming\Zaylgo\xeamu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcd00467b.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcd00467b.bat

Filesize
271B

MD5
6ca5c66ff44d26d4abfbc2f3360cb32f

SHA1
59bfd5060b92c6923a7b0e83b5fdb10114bf16e4

SHA256
2a7dfa30328e6d5665ae36a382c0d92fbe16533106d7e312e461383a72ecc4fc

SHA512
63ce52e4a8e743949376cf5f0a2657c0333bddb75575d086c7fbb1337f5f95d84d718482dbb8d5cc1eaf4ddf29db0456db60a85d587be696fb1e2585290d1a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Liivwa\duly.evp

Filesize
380B

MD5
2af70ccd37a6e00c0d4b58bc6f2fad76

SHA1
57caced7144e0c66e6d9061ed0b2964e4de8de18

SHA256
2153f28c96b6d6ed084c23bb7214d8527987a071fe9d62ade03306fec4799ab7

SHA512
0b932bb2095a4c22a6a451d898e62ed8d03fe6c3c83e10d5c0f297657ff6a1e6c108f092d841efdeca576311b9c4b3f417ac9a8c2f97f22b2c1bb1e653747845

Download Submit
\Users\Admin\AppData\Roaming\Zaylgo\xeamu.exe

Filesize
183KB

MD5
ed1642cb6832f89437c88e6b1a569d24

SHA1
befe32939535c8b9be9092aa319ef376647ab4f0

SHA256
eb2201287d5fcf4569f16343a79fdcd1948f4a341b358860043a4d305925d8ee

SHA512
480974113992f6f388c30a3e55e86307ed547f84f95cae93d8720073869808de3f91e0f35fdd69e84ad1f1cbc4aff275d7cf6cd8bc61d8cb4addb0a52de5ae15

Download Submit
memory/748-40-0x0000000001E00000-0x0000000001E26000-memory.dmp

Filesize
152KB

Download
memory/748-45-0x0000000001E00000-0x0000000001E26000-memory.dmp

Filesize
152KB

Download
memory/748-46-0x0000000001E00000-0x0000000001E26000-memory.dmp

Filesize
152KB

Download
memory/748-42-0x0000000001E00000-0x0000000001E26000-memory.dmp

Filesize
152KB

Download
memory/1116-20-0x0000000001F00000-0x0000000001F26000-memory.dmp

Filesize
152KB

Download
memory/1116-22-0x0000000001F00000-0x0000000001F26000-memory.dmp

Filesize
152KB

Download
memory/1116-24-0x0000000001F00000-0x0000000001F26000-memory.dmp

Filesize
152KB

Download
memory/1116-26-0x0000000001F00000-0x0000000001F26000-memory.dmp

Filesize
152KB

Download
memory/1116-18-0x0000000001F00000-0x0000000001F26000-memory.dmp

Filesize
152KB

Download
memory/1164-30-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1164-32-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1164-31-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1164-29-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1200-34-0x0000000002DF0000-0x0000000002E16000-memory.dmp

Filesize
152KB

Download
memory/1200-35-0x0000000002DF0000-0x0000000002E16000-memory.dmp

Filesize
152KB

Download
memory/1200-36-0x0000000002DF0000-0x0000000002E16000-memory.dmp

Filesize
152KB

Download
memory/1200-37-0x0000000002DF0000-0x0000000002E16000-memory.dmp

Filesize
152KB

Download
memory/1316-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-76-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-58-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-52-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-50-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-49-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-66-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-68-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-70-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-74-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-78-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1316-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-53-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-51-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-1-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1316-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-13-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1316-8-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1316-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-149-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1316-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download