9fe3f8a049995fac58500d8dafa4e39cd300993c27f85e7fb6e2448bfbe00547

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
Size

272KB
MD5

b45faf6f673e52480d221f931bf62300
SHA1

bee80c75eab484e944adc540f19dee6d0f189c9c
SHA256

9fe3f8a049995fac58500d8dafa4e39cd300993c27f85e7fb6e2448bfbe00547
SHA512

cee9ae3fa3bfa0d0606b4305034325a4f4481bdca2bd4589e08836deb911c2d7f18611088c0e111044877c2294052ca1fbeedc8c82c44a89db2fb05c6c75ad81
SSDEEP

6144:ZbSMuKl1iKGDJQRQ9NzkcJ6OGlOZjcn44rRL:ZbSMVlJGDGS9JL6ROSn44NL

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
292	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	yqbe.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Wuhimo\\yqbe.exe"	yqbe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe
2772	yqbe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
Token: SeSecurityPrivilege	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
Token: SeSecurityPrivilege	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
2772	yqbe.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2772	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2772	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2772	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	30
PID 2196 wrote to memory of 2772	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	30
PID 2772 wrote to memory of 1116	2772	yqbe.exe	19
PID 2772 wrote to memory of 1116	2772	yqbe.exe	19
PID 2772 wrote to memory of 1116	2772	yqbe.exe	19
PID 2772 wrote to memory of 1116	2772	yqbe.exe	19
PID 2772 wrote to memory of 1116	2772	yqbe.exe	19
PID 2772 wrote to memory of 1176	2772	yqbe.exe	20
PID 2772 wrote to memory of 1176	2772	yqbe.exe	20
PID 2772 wrote to memory of 1176	2772	yqbe.exe	20
PID 2772 wrote to memory of 1176	2772	yqbe.exe	20
PID 2772 wrote to memory of 1176	2772	yqbe.exe	20
PID 2772 wrote to memory of 1204	2772	yqbe.exe	21
PID 2772 wrote to memory of 1204	2772	yqbe.exe	21
PID 2772 wrote to memory of 1204	2772	yqbe.exe	21
PID 2772 wrote to memory of 1204	2772	yqbe.exe	21
PID 2772 wrote to memory of 1204	2772	yqbe.exe	21
PID 2772 wrote to memory of 1624	2772	yqbe.exe	23
PID 2772 wrote to memory of 1624	2772	yqbe.exe	23
PID 2772 wrote to memory of 1624	2772	yqbe.exe	23
PID 2772 wrote to memory of 1624	2772	yqbe.exe	23
PID 2772 wrote to memory of 1624	2772	yqbe.exe	23
PID 2772 wrote to memory of 2196	2772	yqbe.exe	29
PID 2772 wrote to memory of 2196	2772	yqbe.exe	29
PID 2772 wrote to memory of 2196	2772	yqbe.exe	29
PID 2772 wrote to memory of 2196	2772	yqbe.exe	29
PID 2772 wrote to memory of 2196	2772	yqbe.exe	29
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31
PID 2196 wrote to memory of 292	2196	b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b45faf6f673e52480d221f931bf62300_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Roaming\Wuhimo\yqbe.exe
    "C:\Users\Admin\AppData\Roaming\Wuhimo\yqbe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp13cb40a8.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:292

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp13cb40a8.bat

Filesize
271B

MD5
0c70539ac37878d7fb411e481f6daaf9

SHA1
740801919616b52e63db9cbec221d111edb3de4c

SHA256
a68ec3fa52692e7803a8750d408b4630b72448be6109fcffa5b985830ce8a2ff

SHA512
ba5e1df3010fd3700cb7e75e96c826ef207802fef190f4784d9bb5a3ac73bb71de3d4760f3d6a64dbfd3dbee9a8b103475f644333db2448341891d004c43ccad

Download Submit
C:\Users\Admin\AppData\Roaming\Laiba\ipitn.ocy

Filesize
380B

MD5
e208dd635c6cb98a0083741b97a35e75

SHA1
880b97cdc931ae0f1ef30f9f8c33d82a4e679d43

SHA256
4d46548c84e724f4022252633996cf9ed565e9cafde0f6e1b9793fb98be8df46

SHA512
6f000617ac7fa71bcef0917dba426aa63d029cd5689418906588c9c26b5d37de94cfb12efa62723d7214d47116d559f00d14026dad94c76ce1658cf4f2e3325e

Download Submit
C:\Users\Admin\AppData\Roaming\Wuhimo\yqbe.exe

Filesize
272KB

MD5
144532ebd6edcc0535c914c0640231fc

SHA1
4b0f696e7f52fe864594319dd44c7c4457e6b865

SHA256
558e43e6ded79be726b7da9ea17078d8021d8a014abec0633db8dc541e3ab29c

SHA512
e4d49574f534fad219cefc91128cac4a326110761d87cda45604879608e9563088ef6badc7457b5c32cb233a679cc82cb4473719b05ddbbc52aecb7dda374a73

Download Submit
memory/1116-15-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/1116-16-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/1116-17-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/1116-18-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/1116-19-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/1176-22-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1176-21-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1176-23-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1176-24-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1204-28-0x0000000002CF0000-0x0000000002D31000-memory.dmp

Filesize
260KB

Download
memory/1204-26-0x0000000002CF0000-0x0000000002D31000-memory.dmp

Filesize
260KB

Download
memory/1204-27-0x0000000002CF0000-0x0000000002D31000-memory.dmp

Filesize
260KB

Download
memory/1204-29-0x0000000002CF0000-0x0000000002D31000-memory.dmp

Filesize
260KB

Download
memory/1624-31-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1624-32-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1624-33-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/1624-34-0x0000000001E30000-0x0000000001E71000-memory.dmp

Filesize
260KB

Download
memory/2196-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-152-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/2196-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-52-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-50-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-48-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-46-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-44-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-42-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-40-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-39-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-38-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-128-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-37-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-154-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2196-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2196-51-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/2196-41-0x00000000007A0000-0x00000000007E1000-memory.dmp

Filesize
260KB

Download
memory/2196-1-0x0000000000390000-0x00000000003D8000-memory.dmp

Filesize
288KB

Download
memory/2196-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2772-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-272-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2772-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download