27bb67656f06fc1a191945ccb9c3901a6fa1f120dc9683c8e52a16d93c7643bb

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 05:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
Size

293KB
MD5

ba7ff1c7291fffc5d73975abe06f43ee
SHA1

c8d590b0cf3fd32d86aa6c60dbc13fbbd3db0994
SHA256

27bb67656f06fc1a191945ccb9c3901a6fa1f120dc9683c8e52a16d93c7643bb
SHA512

02a0e205a8abe8ff7600867ed2174b497275fc8c48fe3c624cc3705e695303c90414712713f137ae71292ab8c735b9f22303b23b970f0524f41a2e2141fcc241
SSDEEP

6144:GPdMcMANEVzGlcEDUl4qaRYVQ9JTGbusJRhgnGXcND7Xm2BeddhMHH6li:iNEh8cSLqd+sisDhgnGCBBedDMn6A

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1256	afli.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\{3109E6C8-6F84-AD4F-D756-D1AEF6AEF2B3} = "C:\\Users\\Admin\\AppData\\Roaming\\Nanay\\afli.exe"	afli.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe
1256	afli.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
Token: SeSecurityPrivilege	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
Token: SeSecurityPrivilege	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
1256	afli.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1256	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1256	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1256	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1256	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	30
PID 1256 wrote to memory of 1104	1256	afli.exe	19
PID 1256 wrote to memory of 1104	1256	afli.exe	19
PID 1256 wrote to memory of 1104	1256	afli.exe	19
PID 1256 wrote to memory of 1104	1256	afli.exe	19
PID 1256 wrote to memory of 1104	1256	afli.exe	19
PID 1256 wrote to memory of 1176	1256	afli.exe	20
PID 1256 wrote to memory of 1176	1256	afli.exe	20
PID 1256 wrote to memory of 1176	1256	afli.exe	20
PID 1256 wrote to memory of 1176	1256	afli.exe	20
PID 1256 wrote to memory of 1176	1256	afli.exe	20
PID 1256 wrote to memory of 1200	1256	afli.exe	21
PID 1256 wrote to memory of 1200	1256	afli.exe	21
PID 1256 wrote to memory of 1200	1256	afli.exe	21
PID 1256 wrote to memory of 1200	1256	afli.exe	21
PID 1256 wrote to memory of 1200	1256	afli.exe	21
PID 1256 wrote to memory of 1196	1256	afli.exe	23
PID 1256 wrote to memory of 1196	1256	afli.exe	23
PID 1256 wrote to memory of 1196	1256	afli.exe	23
PID 1256 wrote to memory of 1196	1256	afli.exe	23
PID 1256 wrote to memory of 1196	1256	afli.exe	23
PID 1256 wrote to memory of 2136	1256	afli.exe	29
PID 1256 wrote to memory of 2136	1256	afli.exe	29
PID 1256 wrote to memory of 2136	1256	afli.exe	29
PID 1256 wrote to memory of 2136	1256	afli.exe	29
PID 1256 wrote to memory of 2136	1256	afli.exe	29
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2944	2136	ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ba7ff1c7291fffc5d73975abe06f43ee_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\Nanay\afli.exe
    "C:\Users\Admin\AppData\Roaming\Nanay\afli.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb8987759.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb8987759.bat

Filesize
271B

MD5
5fbe93d663d53bcb2184610ee04c3d12

SHA1
d361b4235e7a644c0d795bcc3bb1f063f16dc81d

SHA256
053143213cd51227080377ce333935a502207633000b431016cb8f3d0edf5442

SHA512
d31e0f8f0130e09285c4a41be327aa381462171b5587e73fa3edf025d893f3e3dfa70c72cf25a864c2196d63e8a3524f59725a6819d27d0b8d9766903b41b819

Download Submit
C:\Users\Admin\AppData\Roaming\Safai\odwa.epe

Filesize
380B

MD5
1d4a3aea7284e67b870249d24be0223a

SHA1
7d3e594f7bed905b5278a56dcdcaaee4d76207e4

SHA256
4c09fe7430bff962ba65fdf4bc80450d0e1762d5e51cee2054cf671231e91e04

SHA512
f59875b1a3c64efb2a80135b8848eb6c7487b71984167e04e1fbb4b525b04ba68a8e4cbd9bf171c7b78242bf1c5ff1774e1d6e43751b45469be8eddda9d9d548

Download Submit
\Users\Admin\AppData\Roaming\Nanay\afli.exe

Filesize
293KB

MD5
d06fbb84f8393986415ad74989975ab7

SHA1
a2aea654cf240b21f1614ff6d1188943386c9228

SHA256
ab8329ad19d14e468b3eef1ef73608e4690580ba3bb4b15f0656d21f7b549b04

SHA512
de7e1d40b3f3e3c9a8b033d3b8bd48a419acc67ee036794e1cb2f91c0fcdb14ec515c9d269c79cce3e56d1a2d490e7ce87440f24a07a42dd7e61242e11bb6af3

Download Submit
memory/1104-21-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1104-22-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1104-18-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1104-20-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1104-19-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1176-27-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1176-31-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1176-25-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1176-29-0x0000000001EA0000-0x0000000001EE1000-memory.dmp

Filesize
260KB

Download
memory/1196-42-0x0000000002310000-0x0000000002351000-memory.dmp

Filesize
260KB

Download
memory/1196-39-0x0000000002310000-0x0000000002351000-memory.dmp

Filesize
260KB

Download
memory/1196-40-0x0000000002310000-0x0000000002351000-memory.dmp

Filesize
260KB

Download
memory/1196-41-0x0000000002310000-0x0000000002351000-memory.dmp

Filesize
260KB

Download
memory/1200-36-0x0000000002D90000-0x0000000002DD1000-memory.dmp

Filesize
260KB

Download
memory/1200-34-0x0000000002D90000-0x0000000002DD1000-memory.dmp

Filesize
260KB

Download
memory/1200-35-0x0000000002D90000-0x0000000002DD1000-memory.dmp

Filesize
260KB

Download
memory/1200-37-0x0000000002D90000-0x0000000002DD1000-memory.dmp

Filesize
260KB

Download
memory/1256-279-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1256-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1256-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2136-135-0x0000000077E00000-0x0000000077E01000-memory.dmp

Filesize
4KB

Download
memory/2136-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-53-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2136-51-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2136-49-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2136-48-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2136-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2136-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-45-0x0000000000490000-0x00000000004D1000-memory.dmp

Filesize
260KB

Download
memory/2136-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-136-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2136-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-160-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/2136-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-1-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download