35bc1d7c3b71c3948947a87fb06d164dddecd9abd7753bf4a3f37d07eb0eab81

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
Size

298KB
MD5

b906794f8ae289ac54682bcc202e2b01
SHA1

bb29c0989263505adcf21b065cf29e044f56774a
SHA256

35bc1d7c3b71c3948947a87fb06d164dddecd9abd7753bf4a3f37d07eb0eab81
SHA512

ad477c840404853066205b69df229f4e4128a033703a527ad957687a486adc28f36cb7f970ef72215e73bae3913439159d0776e35b5fc6a36c3e346bcecc016a
SSDEEP

6144:RawPHWSIg118HWULKjC7Dif1mO45xFVN0cp0cyIF:RDjIaC7Dy45xFko0cyIF

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1516	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	adme.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Umiz\\adme.exe"	adme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe
2376	adme.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
Token: SeSecurityPrivilege	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
Token: SeSecurityPrivilege	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
2376	adme.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2376	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2376	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2376	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2376	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	30
PID 2376 wrote to memory of 1112	2376	adme.exe	19
PID 2376 wrote to memory of 1112	2376	adme.exe	19
PID 2376 wrote to memory of 1112	2376	adme.exe	19
PID 2376 wrote to memory of 1112	2376	adme.exe	19
PID 2376 wrote to memory of 1112	2376	adme.exe	19
PID 2376 wrote to memory of 1176	2376	adme.exe	20
PID 2376 wrote to memory of 1176	2376	adme.exe	20
PID 2376 wrote to memory of 1176	2376	adme.exe	20
PID 2376 wrote to memory of 1176	2376	adme.exe	20
PID 2376 wrote to memory of 1176	2376	adme.exe	20
PID 2376 wrote to memory of 1212	2376	adme.exe	21
PID 2376 wrote to memory of 1212	2376	adme.exe	21
PID 2376 wrote to memory of 1212	2376	adme.exe	21
PID 2376 wrote to memory of 1212	2376	adme.exe	21
PID 2376 wrote to memory of 1212	2376	adme.exe	21
PID 2376 wrote to memory of 1520	2376	adme.exe	23
PID 2376 wrote to memory of 1520	2376	adme.exe	23
PID 2376 wrote to memory of 1520	2376	adme.exe	23
PID 2376 wrote to memory of 1520	2376	adme.exe	23
PID 2376 wrote to memory of 1520	2376	adme.exe	23
PID 2376 wrote to memory of 2360	2376	adme.exe	29
PID 2376 wrote to memory of 2360	2376	adme.exe	29
PID 2376 wrote to memory of 2360	2376	adme.exe	29
PID 2376 wrote to memory of 2360	2376	adme.exe	29
PID 2376 wrote to memory of 2360	2376	adme.exe	29
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1516	2360	b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b906794f8ae289ac54682bcc202e2b01_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Umiz\adme.exe
    "C:\Users\Admin\AppData\Roaming\Umiz\adme.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp2c5dd663.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2c5dd663.bat

Filesize
271B

MD5
290017dfbbdb93989864b50f98b8bddd

SHA1
04d450303e4538c263faf81569b1659d38492096

SHA256
ed363a6ee9ce1c09719e4511ddf96a39309865ee5785d080c855eb22984dfd3c

SHA512
af78670cc289c897c715833d9ce4f10a0546ea9debe9c0b63e5ebb968c104682965f12bbc7ba4000b90443f8c12b4fcbd3370d2a0bc177cf8b549a84dc35cd88

Download Submit
C:\Users\Admin\AppData\Roaming\Biehi\obyfa.kui

Filesize
380B

MD5
5f92668d91d9247eb21e3ced4f42b8e8

SHA1
f5afbf3ae1e54180d6d6ae755506b3d564b33889

SHA256
499df26a99e56cbc7166740d5802ffcd932f7ba8d2088aa106e1c827f962eb49

SHA512
1684d1165a77cceeef42eab566a61397b063da8c151849f4e743994666bbc6ad29d3a301bcaf07518c4c75e22dc57baac7f613368500ee3fc3d0495b8764b0e7

Download Submit
\Users\Admin\AppData\Roaming\Umiz\adme.exe

Filesize
298KB

MD5
c16ce4ae94eb36dbe4360dd8f0588c46

SHA1
be55d1bc09877539320da64e8c2327707989c556

SHA256
d46c3d998bc2bc31dd797294ff0f55d3230db58af0bff65e609b4e051bb25cfe

SHA512
8419e9ff13e7366534d01a5f74878dfc764deaacf4a5fc334262adba37143a82b10beb77e85a98f432f815f345eb1c8b85465d543cc7a1b15cd7049677b8ada9

Download Submit
memory/1112-26-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/1112-22-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/1112-20-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/1112-18-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/1112-24-0x0000000000520000-0x0000000000561000-memory.dmp

Filesize
260KB

Download
memory/1176-32-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1176-29-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1176-30-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1176-31-0x0000000001FB0000-0x0000000001FF1000-memory.dmp

Filesize
260KB

Download
memory/1212-36-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-35-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-34-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1212-37-0x0000000002D40000-0x0000000002D81000-memory.dmp

Filesize
260KB

Download
memory/1520-42-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1520-41-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1520-40-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1520-39-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/2360-53-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/2360-71-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-49-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/2360-51-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/2360-0-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2360-45-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/2360-1-0x0000000000390000-0x00000000003E8000-memory.dmp

Filesize
352KB

Download
memory/2360-162-0x0000000000390000-0x00000000003E8000-memory.dmp

Filesize
352KB

Download
memory/2360-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-67-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-63-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-62-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2360-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-47-0x0000000002300000-0x0000000002341000-memory.dmp

Filesize
260KB

Download
memory/2360-60-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-58-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-56-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-54-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-77-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-75-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-136-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2360-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-160-0x0000000000300000-0x0000000000341000-memory.dmp

Filesize
260KB

Download
memory/2360-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2376-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-280-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2376-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download