c6d8baad06ed74c83df58922e84d2ac0ef42913d0c281045f1df15d28d697c97

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Size

138KB
MD5

be602ca6ddd24492bc74c749d313646d
SHA1

e45b6d37792e4a6f47245fe90ab69dd4d0363af9
SHA256

c6d8baad06ed74c83df58922e84d2ac0ef42913d0c281045f1df15d28d697c97
SHA512

68158201b5fd92094bd03ef225f5808433ab84b959ce41fd9101b0c7470b0c1ac962bb7734923a27dda3637f53200a3b49c35f327534888f27fd10897eb647a7
SSDEEP

3072:7tsaT9r2uHKN/BDzh/5jrCIHer7Zmv3HSruNyLamWjMAKdWrc:7Gahr2uHKNfYJmaiNyVWPdrc

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	otme.exe

Loads dropped DLL 2 IoCs

pid	Process
2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7727D04D-753C-9C27-1042-6AD8E6613E9C} = "C:\\Users\\Admin\\AppData\\Roaming\\Wuywvu\\otme.exe"	otme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\783A47A8-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe
3040	otme.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2140	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2140	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2140	WinMail.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3040	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	30
PID 2544 wrote to memory of 3040	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1120	3040	otme.exe	19
PID 3040 wrote to memory of 1120	3040	otme.exe	19
PID 3040 wrote to memory of 1120	3040	otme.exe	19
PID 3040 wrote to memory of 1120	3040	otme.exe	19
PID 3040 wrote to memory of 1120	3040	otme.exe	19
PID 3040 wrote to memory of 1228	3040	otme.exe	20
PID 3040 wrote to memory of 1228	3040	otme.exe	20
PID 3040 wrote to memory of 1228	3040	otme.exe	20
PID 3040 wrote to memory of 1228	3040	otme.exe	20
PID 3040 wrote to memory of 1228	3040	otme.exe	20
PID 3040 wrote to memory of 1276	3040	otme.exe	21
PID 3040 wrote to memory of 1276	3040	otme.exe	21
PID 3040 wrote to memory of 1276	3040	otme.exe	21
PID 3040 wrote to memory of 1276	3040	otme.exe	21
PID 3040 wrote to memory of 1276	3040	otme.exe	21
PID 3040 wrote to memory of 628	3040	otme.exe	25
PID 3040 wrote to memory of 628	3040	otme.exe	25
PID 3040 wrote to memory of 628	3040	otme.exe	25
PID 3040 wrote to memory of 628	3040	otme.exe	25
PID 3040 wrote to memory of 628	3040	otme.exe	25
PID 3040 wrote to memory of 2544	3040	otme.exe	29
PID 3040 wrote to memory of 2544	3040	otme.exe	29
PID 3040 wrote to memory of 2544	3040	otme.exe	29
PID 3040 wrote to memory of 2544	3040	otme.exe	29
PID 3040 wrote to memory of 2544	3040	otme.exe	29
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 2544 wrote to memory of 3000	2544	be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2508	3040	otme.exe	34
PID 3040 wrote to memory of 2508	3040	otme.exe	34
PID 3040 wrote to memory of 2508	3040	otme.exe	34
PID 3040 wrote to memory of 2508	3040	otme.exe	34
PID 3040 wrote to memory of 2508	3040	otme.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\be602ca6ddd24492bc74c749d313646d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Roaming\Wuywvu\otme.exe
    "C:\Users\Admin\AppData\Roaming\Wuywvu\otme.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp55a2a0aa.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:628

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
a9e66de51be12b6e70e17f98fa7bc871

SHA1
3824f33951d6aab57dcfba571704d1ca9a631ca7

SHA256
d8fdb6095b14b1ae00a6b0e9bb51028c55cfad430ef80b2cf2ae6837b048d9ca

SHA512
4dda5136a2a78c59c4cd00e2cfe12ccea0d7f4a6eeb3c49779d0c34cb0bff3eb5598d2c11d07db57d86288e28ccee74c63a9e915fda53cf71db818a9842ea1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55a2a0aa.bat

Filesize
271B

MD5
ad390b8d69dcea8c611c8424b28ebb23

SHA1
4c18eeb906be6dcaf5976895f3fe378fd9b281c7

SHA256
f97e78d5027fd970069ce5f26add6ec942b07c79e5b0754b188da13e0c671462

SHA512
eeb5e4565deca6eb93ef2af243debe7dbb588869a7c1d525ca2bf4c20de65690edb0aa7be5902e665901e644e6a33d0577187e6a78f31b395d37239c886e458f

Download Submit
C:\Users\Admin\AppData\Roaming\Oquzt\duvih.bas

Filesize
380B

MD5
60a978c44dd341217bb06c8af76c80c6

SHA1
09ec84578acd92a19ef5fc4ad26a3079891a56a2

SHA256
5a28386cca3011960eb124b3958edb992574f181e31f63b01ad20668af1dc1e3

SHA512
16a3cddbe0cd666825e6ef7a0760baaaf347b1b876f878153101063e9f537c91f010ae86150631dc15d89502bf5c321d8afc0cf5b1003bc521a61fcf539804be

Download Submit
\Users\Admin\AppData\Roaming\Wuywvu\otme.exe

Filesize
138KB

MD5
e91a163aeb3ecd60d479a0056f06b2c9

SHA1
055e62d9a2db3f34b7c69d226888169ccb13b3ef

SHA256
682c2c582b8ec1f11794a23d8126659b44633b12acc4723e4803dac9c4df5447

SHA512
8fa082aa52f50f5358e444d286a98d57c47fecf999b896113a23e7463e9a9dd287f5fb8e392efded391639eb6f74f7fe4f475323822e89dd819f8c3c3da090f1

Download Submit
memory/628-34-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/628-31-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/628-33-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/628-32-0x0000000001C50000-0x0000000001C77000-memory.dmp

Filesize
156KB

Download
memory/1120-18-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1120-16-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1120-12-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1120-14-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1120-10-0x0000000002030000-0x0000000002057000-memory.dmp

Filesize
156KB

Download
memory/1228-24-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1228-23-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1228-22-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1228-21-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1276-26-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1276-29-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1276-28-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/1276-27-0x00000000025A0000-0x00000000025C7000-memory.dmp

Filesize
156KB

Download
memory/2544-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-37-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/2544-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-57-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-53-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-51-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-49-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-47-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-45-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-43-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-39-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/2544-38-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/2544-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-36-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/2544-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-71-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-123-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download
memory/2544-124-0x00000000775E0000-0x00000000775E1000-memory.dmp

Filesize
4KB

Download
memory/2544-41-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-125-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-73-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2544-40-0x0000000000370000-0x0000000000397000-memory.dmp

Filesize
156KB

Download