d57a1302ac2bfdd78775e66ad08e43956279e5db1d33c5e6bdcec8ea59345535

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe
Size

307KB
MD5

aedc5de633046a7432a0fd0bc7b14d50
SHA1

3be821b7a72d04d3fc648df371fe862540b2eeec
SHA256

d57a1302ac2bfdd78775e66ad08e43956279e5db1d33c5e6bdcec8ea59345535
SHA512

d854bcdee52a9466158c640825d03029f8ea86bf93a8ec49d17db1b5d3a4e77f32636a6c746c12a72aff93910b460293e8fe53e9de68229eb8e8f492cb3b59e1
SSDEEP

6144:2qzvT72Y0SpzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOxPECYeixlYGicYxSI:2Cr7SSQYsY1UMqMZJYSN7wbstOx8fveH

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1692	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	wywocu.exe

Loads dropped DLL 1 IoCs

pid	Process
1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F5C6EAE8-1B61-AD4F-A81D-915899A2B245} = "C:\\Users\\Admin\\AppData\\Roaming\\Ojwo\\wywocu.exe"	wywocu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wywocu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Privacy	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe
2544	wywocu.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2544	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2544	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2544	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	30
PID 1916 wrote to memory of 2544	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	30
PID 2544 wrote to memory of 1076	2544	wywocu.exe	18
PID 2544 wrote to memory of 1076	2544	wywocu.exe	18
PID 2544 wrote to memory of 1076	2544	wywocu.exe	18
PID 2544 wrote to memory of 1076	2544	wywocu.exe	18
PID 2544 wrote to memory of 1076	2544	wywocu.exe	18
PID 2544 wrote to memory of 1168	2544	wywocu.exe	20
PID 2544 wrote to memory of 1168	2544	wywocu.exe	20
PID 2544 wrote to memory of 1168	2544	wywocu.exe	20
PID 2544 wrote to memory of 1168	2544	wywocu.exe	20
PID 2544 wrote to memory of 1168	2544	wywocu.exe	20
PID 2544 wrote to memory of 1208	2544	wywocu.exe	21
PID 2544 wrote to memory of 1208	2544	wywocu.exe	21
PID 2544 wrote to memory of 1208	2544	wywocu.exe	21
PID 2544 wrote to memory of 1208	2544	wywocu.exe	21
PID 2544 wrote to memory of 1208	2544	wywocu.exe	21
PID 2544 wrote to memory of 1800	2544	wywocu.exe	25
PID 2544 wrote to memory of 1800	2544	wywocu.exe	25
PID 2544 wrote to memory of 1800	2544	wywocu.exe	25
PID 2544 wrote to memory of 1800	2544	wywocu.exe	25
PID 2544 wrote to memory of 1800	2544	wywocu.exe	25
PID 2544 wrote to memory of 1916	2544	wywocu.exe	29
PID 2544 wrote to memory of 1916	2544	wywocu.exe	29
PID 2544 wrote to memory of 1916	2544	wywocu.exe	29
PID 2544 wrote to memory of 1916	2544	wywocu.exe	29
PID 2544 wrote to memory of 1916	2544	wywocu.exe	29
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 1916 wrote to memory of 1692	1916	aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe	31
PID 2544 wrote to memory of 3020	2544	wywocu.exe	34
PID 2544 wrote to memory of 3020	2544	wywocu.exe	34
PID 2544 wrote to memory of 3020	2544	wywocu.exe	34
PID 2544 wrote to memory of 3020	2544	wywocu.exe	34
PID 2544 wrote to memory of 3020	2544	wywocu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1076

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\aedc5de633046a7432a0fd0bc7b14d50_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Roaming\Ojwo\wywocu.exe
    "C:\Users\Admin\AppData\Roaming\Ojwo\wywocu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9128c813.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1800

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9128c813.bat

Filesize
271B

MD5
27e6d1d92def68aa6d641d5980123463

SHA1
74bfae7afd769852af46b83f94c319ea577e8132

SHA256
3ee5b15db8d90b6ef93b963debdd816109a5bcffb5f514581054cc93930a208c

SHA512
976965ee0856ea337200298b68db0aafb05c3fc64eb3ad925b077cbe4bf337a4ae7746fe90cdcecb094461e42bc4e9c8f55f7e3b470fb33c6320614623f99615

Download Submit
\Users\Admin\AppData\Roaming\Ojwo\wywocu.exe

Filesize
307KB

MD5
29499ff7315de7d18019109a68036d58

SHA1
1d8220e676496d177e477c17dd1b4d0a6dddc5f2

SHA256
db1890a7957a6d22aed59ea53cd961c0d9d1584861d92d22b5aeb2e6700ae254

SHA512
777c2008d2db501bd348513c90f223352c391482fb1e5e5358d4a4d9391066dfd930b7d176aaf2b3b27d9baa37a6ce6d417e15310bba40f0ca8fded8a13fc11c

Download Submit
memory/1076-23-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1076-15-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1076-17-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1076-19-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1076-21-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1168-26-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1168-28-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1168-29-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1208-32-0x0000000002F80000-0x0000000002FC4000-memory.dmp

Filesize
272KB

Download
memory/1208-31-0x0000000002F80000-0x0000000002FC4000-memory.dmp

Filesize
272KB

Download
memory/1208-33-0x0000000002F80000-0x0000000002FC4000-memory.dmp

Filesize
272KB

Download
memory/1208-34-0x0000000002F80000-0x0000000002FC4000-memory.dmp

Filesize
272KB

Download
memory/1800-36-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1800-39-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1800-38-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1800-37-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1916-45-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-73-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-43-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-44-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-0-0x0000000000F90000-0x0000000000FE0000-memory.dmp

Filesize
320KB

Download
memory/1916-47-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-46-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1916-159-0x0000000000F90000-0x0000000000FE0000-memory.dmp

Filesize
320KB

Download
memory/1916-8-0x0000000000920000-0x0000000000970000-memory.dmp

Filesize
320KB

Download
memory/1916-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1916-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1916-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1916-67-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-65-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-77-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-75-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-42-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-71-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-69-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-63-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-61-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-60-0x0000000077E80000-0x0000000077E81000-memory.dmp

Filesize
4KB

Download
memory/1916-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-54-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-52-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-50-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-48-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-136-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1916-161-0x0000000000440000-0x0000000000484000-memory.dmp

Filesize
272KB

Download
memory/1916-160-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2544-12-0x0000000000920000-0x0000000000970000-memory.dmp

Filesize
320KB

Download
memory/2544-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2544-283-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2544-292-0x0000000000920000-0x0000000000970000-memory.dmp

Filesize
320KB

Download