5d074903e1032e1da363018eb17bc5f3548c8747991fab08f6be465f9826bf04

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe
Size

385KB
MD5

bb7096445553a9927df5474867fc91e2
SHA1

4c443947efe1157f0ce8b30cf14755e529a11a98
SHA256

5d074903e1032e1da363018eb17bc5f3548c8747991fab08f6be465f9826bf04
SHA512

72139fe1bab2b6726337a1387d02dc999ac54c67769b68994bebc03c12b2a4b77158752fe51ac0d2a4a27f5c688eed4dee3a4aeaab78b07b79ddd200a3dbfc72
SSDEEP

6144:o/82mxLy7OvyilGHUmlXExMXWCDJSw4LlKg90H65Q6UZo70+Ph:oE2mJQkvmhExcTDJSzLk7a5QTc

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
664	rivuny.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\{75DA6328-6F30-AD4F-96DD-2BAD86C808B0} = "C:\\Users\\Admin\\AppData\\Roaming\\Tojuu\\rivuny.exe"	rivuny.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rivuny.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe
664	rivuny.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe
664	rivuny.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 664	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	29
PID 2488 wrote to memory of 664	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	29
PID 2488 wrote to memory of 664	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	29
PID 2488 wrote to memory of 664	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	29
PID 664 wrote to memory of 1232	664	rivuny.exe	18
PID 664 wrote to memory of 1232	664	rivuny.exe	18
PID 664 wrote to memory of 1232	664	rivuny.exe	18
PID 664 wrote to memory of 1232	664	rivuny.exe	18
PID 664 wrote to memory of 1232	664	rivuny.exe	18
PID 664 wrote to memory of 1336	664	rivuny.exe	19
PID 664 wrote to memory of 1336	664	rivuny.exe	19
PID 664 wrote to memory of 1336	664	rivuny.exe	19
PID 664 wrote to memory of 1336	664	rivuny.exe	19
PID 664 wrote to memory of 1336	664	rivuny.exe	19
PID 664 wrote to memory of 1392	664	rivuny.exe	20
PID 664 wrote to memory of 1392	664	rivuny.exe	20
PID 664 wrote to memory of 1392	664	rivuny.exe	20
PID 664 wrote to memory of 1392	664	rivuny.exe	20
PID 664 wrote to memory of 1392	664	rivuny.exe	20
PID 664 wrote to memory of 932	664	rivuny.exe	24
PID 664 wrote to memory of 932	664	rivuny.exe	24
PID 664 wrote to memory of 932	664	rivuny.exe	24
PID 664 wrote to memory of 932	664	rivuny.exe	24
PID 664 wrote to memory of 932	664	rivuny.exe	24
PID 664 wrote to memory of 2488	664	rivuny.exe	28
PID 664 wrote to memory of 2488	664	rivuny.exe	28
PID 664 wrote to memory of 2488	664	rivuny.exe	28
PID 664 wrote to memory of 2488	664	rivuny.exe	28
PID 664 wrote to memory of 2488	664	rivuny.exe	28
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1956	2488	bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bb7096445553a9927df5474867fc91e2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\Tojuu\rivuny.exe
    "C:\Users\Admin\AppData\Roaming\Tojuu\rivuny.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8fd606f8.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8fd606f8.bat

Filesize
271B

MD5
df81bad510ffcae5239b35955189dd0c

SHA1
36c7c90a2cacfd8c87044e2bf7b38b3594ec18c7

SHA256
bdf7cb3010ae0ebecb6a6e48f8d141699e20001311527c87072078a30ad02e03

SHA512
c0df0eb36e203c5d1e0cd7116c98d20d09d835381e1820f1a38d62cdd44017da92f48ae81d880fe21c727d2ed7939ce3bfa9eb683ae26289a12c439436f0bdb2

Download Submit
\Users\Admin\AppData\Roaming\Tojuu\rivuny.exe

Filesize
385KB

MD5
1649b6107839534bf42083bc9c33893b

SHA1
88f8fd7caef4c9a4d716d61b4b6bc1a93d58d310

SHA256
276f9e3119c30fa13edf31b0b92e1f84ad09ff929109d84704cb165a2f93378f

SHA512
7468bd096cb40abe77564bce3582b401f0bbbec3a96dc67e2494f67206ce71fbb078317124676620775f1856bb7f900eb171d6e9dc88c5bf32fb8fa9c9ec7514

Download Submit
memory/664-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/664-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/664-14-0x0000000000380000-0x00000000003E3000-memory.dmp

Filesize
396KB

Download
memory/664-13-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/932-40-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/932-38-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/932-37-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/932-39-0x0000000001FF0000-0x0000000002032000-memory.dmp

Filesize
264KB

Download
memory/1232-17-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1232-20-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1232-16-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1232-19-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1232-18-0x0000000001F30000-0x0000000001F72000-memory.dmp

Filesize
264KB

Download
memory/1336-25-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/1336-29-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/1336-23-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/1336-27-0x00000000001A0000-0x00000000001E2000-memory.dmp

Filesize
264KB

Download
memory/1392-32-0x0000000002A10000-0x0000000002A52000-memory.dmp

Filesize
264KB

Download
memory/1392-33-0x0000000002A10000-0x0000000002A52000-memory.dmp

Filesize
264KB

Download
memory/1392-35-0x0000000002A10000-0x0000000002A52000-memory.dmp

Filesize
264KB

Download
memory/1392-34-0x0000000002A10000-0x0000000002A52000-memory.dmp

Filesize
264KB

Download
memory/2488-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-134-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-1-0x0000000000470000-0x00000000004D3000-memory.dmp

Filesize
396KB

Download
memory/2488-49-0x0000000002290000-0x00000000022D2000-memory.dmp

Filesize
264KB

Download
memory/2488-43-0x0000000002290000-0x00000000022D2000-memory.dmp

Filesize
264KB

Download
memory/2488-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-75-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-47-0x0000000002290000-0x00000000022D2000-memory.dmp

Filesize
264KB

Download
memory/2488-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-51-0x0000000002290000-0x00000000022D2000-memory.dmp

Filesize
264KB

Download
memory/2488-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-56-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-60-0x0000000076EF0000-0x0000000076EF1000-memory.dmp

Filesize
4KB

Download
memory/2488-52-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-58-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-54-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2488-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-45-0x0000000002290000-0x00000000022D2000-memory.dmp

Filesize
264KB

Download
memory/2488-158-0x0000000000470000-0x00000000004D3000-memory.dmp

Filesize
396KB

Download
memory/2488-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-0-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download