e7d204a274e75bda62da9476f7ebc31b81e0e5be09b4823828e0d19e4096a864

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe
Size

364KB
MD5

b599a76333315ff518a6f8c4963be206
SHA1

ba96b5be7237e338f43faff9678aaefe59164f4e
SHA256

e7d204a274e75bda62da9476f7ebc31b81e0e5be09b4823828e0d19e4096a864
SHA512

668ab1abdb074534bb25a9e0784a121a331ee3931ef88780eef500e18625e80652d44e7ba90b9ae18229608fbda058df9fbf05e2bae26f0766eb9d2c00af18d2
SSDEEP

6144:bkfaAaSdMZlC47Jvn3Mh+miHnb6aoGPBVUEaUyd:WaAa2ShBn80jHnWsi+Q

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	cihye.exe

Loads dropped DLL 1 IoCs

pid	Process
2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F4363D88-6FEF-AD4F-FCEF-4765F9626478} = "C:\\Users\\Admin\\AppData\\Roaming\\Kyta\\cihye.exe"	cihye.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cihye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe
2700	cihye.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe
2700	cihye.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2700	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2700	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2700	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	31
PID 2788 wrote to memory of 2700	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	31
PID 2700 wrote to memory of 1064	2700	cihye.exe	18
PID 2700 wrote to memory of 1064	2700	cihye.exe	18
PID 2700 wrote to memory of 1064	2700	cihye.exe	18
PID 2700 wrote to memory of 1064	2700	cihye.exe	18
PID 2700 wrote to memory of 1064	2700	cihye.exe	18
PID 2700 wrote to memory of 1136	2700	cihye.exe	20
PID 2700 wrote to memory of 1136	2700	cihye.exe	20
PID 2700 wrote to memory of 1136	2700	cihye.exe	20
PID 2700 wrote to memory of 1136	2700	cihye.exe	20
PID 2700 wrote to memory of 1136	2700	cihye.exe	20
PID 2700 wrote to memory of 1184	2700	cihye.exe	21
PID 2700 wrote to memory of 1184	2700	cihye.exe	21
PID 2700 wrote to memory of 1184	2700	cihye.exe	21
PID 2700 wrote to memory of 1184	2700	cihye.exe	21
PID 2700 wrote to memory of 1184	2700	cihye.exe	21
PID 2700 wrote to memory of 1988	2700	cihye.exe	23
PID 2700 wrote to memory of 1988	2700	cihye.exe	23
PID 2700 wrote to memory of 1988	2700	cihye.exe	23
PID 2700 wrote to memory of 1988	2700	cihye.exe	23
PID 2700 wrote to memory of 1988	2700	cihye.exe	23
PID 2700 wrote to memory of 2788	2700	cihye.exe	30
PID 2700 wrote to memory of 2788	2700	cihye.exe	30
PID 2700 wrote to memory of 2788	2700	cihye.exe	30
PID 2700 wrote to memory of 2788	2700	cihye.exe	30
PID 2700 wrote to memory of 2788	2700	cihye.exe	30
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32
PID 2788 wrote to memory of 572	2788	b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1136

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b599a76333315ff518a6f8c4963be206_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Kyta\cihye.exe
    "C:\Users\Admin\AppData\Roaming\Kyta\cihye.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpdfcc3aa6.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpdfcc3aa6.bat

Filesize
271B

MD5
093a8b203e17d992a66ed536df2007cb

SHA1
929dfdfb136912edb3efe644e8e88a0bd44ae789

SHA256
eb209c64889f544025e2ae3a9bd6cfdb9719c2d19442a21ee7e79dccdab3b94d

SHA512
c82944c133f25104048b33628719be7e20c55eedad30adb33d971fc315ee0dc1f11827a916b143cc97e1575e39f4c418d763d7de6ec0915d891c009376dadf5f

Download Submit
\Users\Admin\AppData\Roaming\Kyta\cihye.exe

Filesize
364KB

MD5
1d07b2a540eb6600b5ffe4da202b5262

SHA1
4a9c4465dcf8ee4a33f5d08aa601f6a30e472ed2

SHA256
7a31c589b214fa0e45d71ae804888d2f1801a9135cf457c2d15febf9173de4f3

SHA512
b8948607ee5551a58040a5135cbaef45fd06b9d5402f85fca796c75dff3f2e923bbfea289fe75159f4e1bdbe5934ca3b632b9285f29a9afeed45d81f948a956a

Download Submit
memory/1064-15-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/1064-23-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/1064-21-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/1064-17-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/1064-19-0x00000000021B0000-0x00000000021F3000-memory.dmp

Filesize
268KB

Download
memory/1136-26-0x00000000022A0000-0x00000000022E3000-memory.dmp

Filesize
268KB

Download
memory/1136-29-0x00000000022A0000-0x00000000022E3000-memory.dmp

Filesize
268KB

Download
memory/1136-27-0x00000000022A0000-0x00000000022E3000-memory.dmp

Filesize
268KB

Download
memory/1136-28-0x00000000022A0000-0x00000000022E3000-memory.dmp

Filesize
268KB

Download
memory/1184-32-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1184-33-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1184-31-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1184-34-0x0000000002D10000-0x0000000002D53000-memory.dmp

Filesize
268KB

Download
memory/1988-39-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1988-37-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1988-36-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/1988-38-0x0000000001C60000-0x0000000001CA3000-memory.dmp

Filesize
268KB

Download
memory/2700-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-274-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2700-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2788-43-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-65-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-42-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-0-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2788-44-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-45-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-46-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-58-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-56-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-55-0x0000000077690000-0x0000000077691000-memory.dmp

Filesize
4KB

Download
memory/2788-53-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-51-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-49-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-47-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-67-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-41-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-64-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2788-62-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-60-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-132-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-131-0x0000000000460000-0x00000000004BE000-memory.dmp

Filesize
376KB

Download
memory/2788-79-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-77-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-75-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-73-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-71-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-69-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2788-156-0x0000000001D20000-0x0000000001D63000-memory.dmp

Filesize
268KB

Download
memory/2788-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-3-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-1-0x0000000000460000-0x00000000004BE000-memory.dmp

Filesize
376KB

Download