07f72778f682980efa80b3e1f69b9f7a9e8ff523146170d2575c408025f275f7

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
Size

321KB
MD5

cea3dc805e5ed8518b55455411028bea
SHA1

2ea3d2074db31225beee0d5f9a3df4ac37c4e69e
SHA256

07f72778f682980efa80b3e1f69b9f7a9e8ff523146170d2575c408025f275f7
SHA512

3d56605537c09966cbb48bdd9f0371d36c2954362663aaf73dffa98135bf46dd5e7638cb04f91c636babf9d36552baac31893217a17701e623c9cc2e06ea23c2
SSDEEP

6144:rT+FQoid7SswMHScIOq1G/PqRnC2CkErfob:uFhi3ycBqwqRC2gcb

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2556	uryra.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Fywove\\uryra.exe"	uryra.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uryra.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe
2556	uryra.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
2556	uryra.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2556	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2556	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2556	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2556	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1112	2556	uryra.exe	19
PID 2556 wrote to memory of 1112	2556	uryra.exe	19
PID 2556 wrote to memory of 1112	2556	uryra.exe	19
PID 2556 wrote to memory of 1112	2556	uryra.exe	19
PID 2556 wrote to memory of 1112	2556	uryra.exe	19
PID 2556 wrote to memory of 1176	2556	uryra.exe	20
PID 2556 wrote to memory of 1176	2556	uryra.exe	20
PID 2556 wrote to memory of 1176	2556	uryra.exe	20
PID 2556 wrote to memory of 1176	2556	uryra.exe	20
PID 2556 wrote to memory of 1176	2556	uryra.exe	20
PID 2556 wrote to memory of 1212	2556	uryra.exe	21
PID 2556 wrote to memory of 1212	2556	uryra.exe	21
PID 2556 wrote to memory of 1212	2556	uryra.exe	21
PID 2556 wrote to memory of 1212	2556	uryra.exe	21
PID 2556 wrote to memory of 1212	2556	uryra.exe	21
PID 2556 wrote to memory of 1520	2556	uryra.exe	23
PID 2556 wrote to memory of 1520	2556	uryra.exe	23
PID 2556 wrote to memory of 1520	2556	uryra.exe	23
PID 2556 wrote to memory of 1520	2556	uryra.exe	23
PID 2556 wrote to memory of 1520	2556	uryra.exe	23
PID 2556 wrote to memory of 2384	2556	uryra.exe	29
PID 2556 wrote to memory of 2384	2556	uryra.exe	29
PID 2556 wrote to memory of 2384	2556	uryra.exe	29
PID 2556 wrote to memory of 2384	2556	uryra.exe	29
PID 2556 wrote to memory of 2384	2556	uryra.exe	29
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2940	2384	cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe	31
PID 2556 wrote to memory of 2768	2556	uryra.exe	34
PID 2556 wrote to memory of 2768	2556	uryra.exe	34
PID 2556 wrote to memory of 2768	2556	uryra.exe	34
PID 2556 wrote to memory of 2768	2556	uryra.exe	34
PID 2556 wrote to memory of 2768	2556	uryra.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cea3dc805e5ed8518b55455411028bea_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Fywove\uryra.exe
    "C:\Users\Admin\AppData\Roaming\Fywove\uryra.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp45334e95.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp45334e95.bat

Filesize
271B

MD5
04d13a0ecc0273cd4bbd0ba04a797017

SHA1
c5c9e573761b67ce3d8c1955b54458bb64f2366c

SHA256
5db5788b14ee019cfe318ba08b26d8aa640f54f2f9f23aea11c0d872d8ec7611

SHA512
566ff58371a3728af4784094e62b68457f63fb2deb9208ea9f85b3623041dcde5362fd41e2288915c0ad4539bd2ec424c9d1731b9970f0b20ed91989e8982945

Download Submit
\Users\Admin\AppData\Roaming\Fywove\uryra.exe

Filesize
321KB

MD5
eb5d3018828b117b1fdcab32b586f7bb

SHA1
9f40df9e22fe11880adaaeeef3e4c94a71aba2d2

SHA256
3b5923748274ead0f51a95c2f75cc40bcd95f6f7af8cbb1ba048098fc28ee5f3

SHA512
c9613ae01f027cca16ff85fdbc82f1bd5768a0972e970bfd24ad4d6392f87a8f102c6c70a5328858d93597553cce0fb5b2781702c7ca1a5bfa428f6866435767

Download Submit
memory/1112-22-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download
memory/1112-18-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download
memory/1112-19-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download
memory/1112-20-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download
memory/1112-21-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download
memory/1176-24-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1176-26-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1176-28-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1176-29-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1212-34-0x0000000002D40000-0x0000000002D84000-memory.dmp

Filesize
272KB

Download
memory/1212-33-0x0000000002D40000-0x0000000002D84000-memory.dmp

Filesize
272KB

Download
memory/1212-31-0x0000000002D40000-0x0000000002D84000-memory.dmp

Filesize
272KB

Download
memory/1212-32-0x0000000002D40000-0x0000000002D84000-memory.dmp

Filesize
272KB

Download
memory/1520-39-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/1520-38-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/1520-37-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/1520-36-0x0000000001F50000-0x0000000001F94000-memory.dmp

Filesize
272KB

Download
memory/2384-50-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/2384-71-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-44-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/2384-48-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/2384-1-0x00000000002D0000-0x0000000000326000-memory.dmp

Filesize
344KB

Download
memory/2384-46-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/2384-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2384-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2384-81-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-79-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-77-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-75-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-73-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-42-0x00000000022C0000-0x0000000002304000-memory.dmp

Filesize
272KB

Download
memory/2384-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-68-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2384-66-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-64-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-62-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-60-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-59-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2384-57-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-55-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-53-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-51-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-137-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2384-160-0x00000000002D0000-0x0000000000326000-memory.dmp

Filesize
344KB

Download
memory/2556-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2556-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-283-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2556-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download