4e4c56d9cc3d5b3f6a01f2760e79bce0124f16bac813ffadf5985e96d4c90b9d

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
Size

373KB
MD5

bc5c229b8bf976f1cf6800903eb46852
SHA1

666f17ec8ce429e8493eb34d83926bfdd9758628
SHA256

4e4c56d9cc3d5b3f6a01f2760e79bce0124f16bac813ffadf5985e96d4c90b9d
SHA512

120d6adfe2473ba45cc93b640c6b61540ad5d99862971a10f594ff2486d698cc3399f496a060ebbb08fce4bf6c6bc9ee991a78f602e961a1274dd6ae9a5045e1
SSDEEP

6144:9eWqrDvUgZVWhTd/f1JyMjaLvt9RPJbidydi+Nyz0AIoyD41/k68tafWY+RP7YxK:IWivUUWFdHLzjaJ9RxbiCiWEyy/6aw8v

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1212	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	ycjo.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000173de-11.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Meyr\\ycjo.exe"	ycjo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe
2832	ycjo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
Token: SeSecurityPrivilege	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
Token: SeSecurityPrivilege	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2832	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2832	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2832	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2832	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	31
PID 2832 wrote to memory of 1104	2832	ycjo.exe	19
PID 2832 wrote to memory of 1104	2832	ycjo.exe	19
PID 2832 wrote to memory of 1104	2832	ycjo.exe	19
PID 2832 wrote to memory of 1104	2832	ycjo.exe	19
PID 2832 wrote to memory of 1104	2832	ycjo.exe	19
PID 2832 wrote to memory of 1160	2832	ycjo.exe	20
PID 2832 wrote to memory of 1160	2832	ycjo.exe	20
PID 2832 wrote to memory of 1160	2832	ycjo.exe	20
PID 2832 wrote to memory of 1160	2832	ycjo.exe	20
PID 2832 wrote to memory of 1160	2832	ycjo.exe	20
PID 2832 wrote to memory of 1188	2832	ycjo.exe	21
PID 2832 wrote to memory of 1188	2832	ycjo.exe	21
PID 2832 wrote to memory of 1188	2832	ycjo.exe	21
PID 2832 wrote to memory of 1188	2832	ycjo.exe	21
PID 2832 wrote to memory of 1188	2832	ycjo.exe	21
PID 2832 wrote to memory of 1304	2832	ycjo.exe	23
PID 2832 wrote to memory of 1304	2832	ycjo.exe	23
PID 2832 wrote to memory of 1304	2832	ycjo.exe	23
PID 2832 wrote to memory of 1304	2832	ycjo.exe	23
PID 2832 wrote to memory of 1304	2832	ycjo.exe	23
PID 2832 wrote to memory of 2712	2832	ycjo.exe	30
PID 2832 wrote to memory of 2712	2832	ycjo.exe	30
PID 2832 wrote to memory of 2712	2832	ycjo.exe	30
PID 2832 wrote to memory of 2712	2832	ycjo.exe	30
PID 2832 wrote to memory of 2712	2832	ycjo.exe	30
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1212	2712	bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bc5c229b8bf976f1cf6800903eb46852_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\Meyr\ycjo.exe
    "C:\Users\Admin\AppData\Roaming\Meyr\ycjo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6d9f1a97.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6d9f1a97.bat

Filesize
271B

MD5
5d0bf64e9933dbe638e58235fc4137e9

SHA1
8b61df74686d6911a004eb2326cd93a7c6e423b1

SHA256
3b63863d6e648b62dad0d5ba7a3099f60535579a33eea9d6fce9a92de59c8dee

SHA512
a1e438600bdb60c520fe39e9c127cf82a302f7c3bd4d509e906db40d2df2dcd4eb1c45f361e1079aded1b28c364e32aa402ea68a3a48bc49eeef35d7da2263ee

Download Submit
C:\Users\Admin\AppData\Roaming\Kiytt\jiyv.ejv

Filesize
380B

MD5
65cef0251407fb351db13ea7581b0b19

SHA1
5e9e9ed7e94c32f909854f0b11bf28516e45237a

SHA256
d71c8e1121648004e2a9f625d9d1b1b1d15b2ebc93e4a2670f5472067d219e4b

SHA512
76b85901a5620f0a2cad9b125df028a352bef665654efc37c7f288b6e38ee267390a226b18db2726fae0dedd83f04cf71099534438caf7099a4307bc01b768e7

Download Submit
C:\Users\Admin\AppData\Roaming\Meyr\ycjo.exe

Filesize
373KB

MD5
c99bf31955027d3e093c310cec3fa193

SHA1
ec77b1442da849091b1173e19455f2c0331a0d03

SHA256
3db99b2a8d9531b12682c6a2b096b981ebf6000af4ad1c0cc590520203658756

SHA512
97bc4135eb111374fb21e06b3fba96e4138eb560e494305a928377c68ad13e64d9e05bbbbfd0356776e795e530294fef56091a1036306b0dafb0b377271da18f

Download Submit
memory/1104-17-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1104-13-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1104-14-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1104-15-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1104-16-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/1160-20-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1160-19-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1160-21-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1160-22-0x0000000000340000-0x0000000000381000-memory.dmp

Filesize
260KB

Download
memory/1188-25-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1188-27-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1188-29-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1188-31-0x0000000002180000-0x00000000021C1000-memory.dmp

Filesize
260KB

Download
memory/1304-37-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1304-34-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1304-35-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/1304-36-0x0000000001CF0000-0x0000000001D31000-memory.dmp

Filesize
260KB

Download
memory/2712-62-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-64-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-42-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2712-41-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2712-40-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2712-39-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2712-44-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-46-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-48-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-50-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-52-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-54-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-58-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-60-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2712-43-0x0000000000360000-0x00000000003A1000-memory.dmp

Filesize
260KB

Download
memory/2712-66-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-68-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-70-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-72-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-74-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-76-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-56-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2712-3-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2712-129-0x0000000002490000-0x00000000025C7000-memory.dmp

Filesize
1.2MB

Download
memory/2712-131-0x0000000002490000-0x00000000025C7000-memory.dmp

Filesize
1.2MB

Download
memory/2712-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2712-148-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2712-150-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2832-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2832-268-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download