Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 20-08-2024 00:54

Static task: static1

Behavioral task: behavioral1
- Sample: ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe
- Size: 144KB
- MD5: ad4748d01ef07b43d3f2cb3add9da911
- SHA1: e1ae4f4512d6b98c81d18d7cdf9a24dbc6d0ef0d
- SHA256: b4ed4637cccd997870068114c3c7d1d1cd49625620e9880a8161555b00ba2e2a
- SHA512: e3c10bbd7a0adcc5f58d5c286de2f49713792bae1b2269c8ac308795d5c78c54de912a3f3cd0f8965dd41f311ac8c04d3e8442e0554cc8bfbcf5450b8d0d433f
- SSDEEP: 3072:MrMUqcZLEHGtzbPTHfEfXRp79MPcSI9SFcZtAbmy+nIdIe/:Mr1HEHwPPEhMPcSI9SFfll
Malware Config

Signatures
- Deletes itself (1 IoC)
  pid / Process: 876 cmd.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 1964 cyup.exe
- Loads dropped DLL (2 IoCs)
  pid / Process: 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe (both entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A942B74A-4E71-C008-C5F9-7FC4B7BB0533} = "C:\\Users\\Admin\\AppData\\Roaming\\Raide\\cyup.exe" (Process: cyup.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2036 (ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe) set thread context of PID 876 (procid_target: 45)
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
  - cyup.exe (1 entry)
  - net.exe (4 entries)
  - net1.exe (4 entries)
  - cmd.exe (1 entry)
  - ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe (1 entry)
- Modifies Internet Explorer settings (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy (Process: ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (Process: ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe)
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\746E25A8-00000001.eml:OECustomProperty (Process: WinMail.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid / Process: 1964 cyup.exe (all 29 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeSecurityPrivilege, PID 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe (3 entries)
  Token: SeManageVolumePrivilege, PID 2224 WinMail.exe (1 entry)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / Process: 2224 WinMail.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid / Process: 2224 WinMail.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2224 WinMail.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Unique writer -> target pairs (source PID, source process, target PID, procid_target, number of identical entries):
  - 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe wrote to memory of 2384 (procid_target 30), 4 entries
  - 2384 net.exe wrote to memory of 2192 (procid_target 32), 4 entries
  - 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe wrote to memory of 3008 (procid_target 33), 4 entries
  - 3008 net.exe wrote to memory of 2012 (procid_target 35), 4 entries
  - 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe wrote to memory of 1964 (procid_target 37), 4 entries
  - 1964 cyup.exe wrote to memory of 2860 (procid_target 38), 4 entries
  - 2860 net.exe wrote to memory of 2844 (procid_target 40), 4 entries
  - 1964 cyup.exe wrote to memory of 2736 (procid_target 41), 4 entries
  - 1964 cyup.exe wrote to memory of 1100 (procid_target 19), 5 entries
  - 1964 cyup.exe wrote to memory of 1164 (procid_target 20), 5 entries
  - 1964 cyup.exe wrote to memory of 1200 (procid_target 21), 5 entries
  - 1964 cyup.exe wrote to memory of 1596 (procid_target 23), 5 entries
  - 1964 cyup.exe wrote to memory of 2036 (procid_target 29), 5 entries
  - 2736 net.exe wrote to memory of 2984 (procid_target 43), 4 entries
  - 2036 ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe wrote to memory of 876 (procid_target 45), 3 entries
Processes
- C:\Windows\system32\taskhost.exe "taskhost.exe" (PID 1100)
- C:\Windows\system32\Dwm.exe "C:\Windows\system32\Dwm.exe" (PID 1164)
- C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE (PID 1200)
  - C:\Users\Admin\AppData\Local\Temp\ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\ad4748d01ef07b43d3f2cb3add9da911_JaffaCakes118.exe" (PID 2036)
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe net stop wscsvc (PID 2384)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop wscsvc (PID 2192)
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe net stop SharedAccess (PID 3008)
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop SharedAccess (PID 2012)
        Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\Raide\cyup.exe "C:\Users\Admin\AppData\Roaming\Raide\cyup.exe" (PID 1964)
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe net stop wscsvc (PID 2860)
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop wscsvc (PID 2844)
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe net stop SharedAccess (PID 2736)
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop SharedAccess (PID 2984)
          Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp72aa8807.bat" (PID 876)
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 1596)
- C:\Program Files\Windows Mail\WinMail.exe "C:\Program Files\Windows Mail\WinMail.exe" -Embedding (PID 2224)
  Signatures: NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} (PID 1144)
Network
MITRE ATT&CK Enterprise v15
Downloads