a99627df830ef9e4119eda79cdc9f379785f3651007e927f79d50a0e50401284

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe
Size

307KB
MD5

d28fe996d3f2aed7309512422bfedc20
SHA1

a278b27bc13d9f9f8cc3c7dd847d3c2042bb0756
SHA256

a99627df830ef9e4119eda79cdc9f379785f3651007e927f79d50a0e50401284
SHA512

4ebbc5ba15ad7bea82cae5bb000d5ea414144e0b60a8460b18ba5b7353412f0ebb677818a1e055b51dbb2a5f2af1578dbe3a09611f17f069ec240ace4a8e570b
SSDEEP

6144:2qzUT72Y0SdzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOVPECYeixlYGickz:2CI7SSUYsY1UMqMZJYSN7wbstOV8fveh

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1516	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	luluda.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D9E5F948-3C80-AD4F-E7F9-6BD2C10548CF} = "C:\\Users\\Admin\\AppData\\Roaming\\Lofa\\luluda.exe"	luluda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luluda.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe
2500	luluda.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2500	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2500	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2500	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2500	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	30
PID 2500 wrote to memory of 1100	2500	luluda.exe	19
PID 2500 wrote to memory of 1100	2500	luluda.exe	19
PID 2500 wrote to memory of 1100	2500	luluda.exe	19
PID 2500 wrote to memory of 1100	2500	luluda.exe	19
PID 2500 wrote to memory of 1100	2500	luluda.exe	19
PID 2500 wrote to memory of 1172	2500	luluda.exe	20
PID 2500 wrote to memory of 1172	2500	luluda.exe	20
PID 2500 wrote to memory of 1172	2500	luluda.exe	20
PID 2500 wrote to memory of 1172	2500	luluda.exe	20
PID 2500 wrote to memory of 1172	2500	luluda.exe	20
PID 2500 wrote to memory of 1224	2500	luluda.exe	21
PID 2500 wrote to memory of 1224	2500	luluda.exe	21
PID 2500 wrote to memory of 1224	2500	luluda.exe	21
PID 2500 wrote to memory of 1224	2500	luluda.exe	21
PID 2500 wrote to memory of 1224	2500	luluda.exe	21
PID 2500 wrote to memory of 328	2500	luluda.exe	25
PID 2500 wrote to memory of 328	2500	luluda.exe	25
PID 2500 wrote to memory of 328	2500	luluda.exe	25
PID 2500 wrote to memory of 328	2500	luluda.exe	25
PID 2500 wrote to memory of 328	2500	luluda.exe	25
PID 2500 wrote to memory of 1848	2500	luluda.exe	29
PID 2500 wrote to memory of 1848	2500	luluda.exe	29
PID 2500 wrote to memory of 1848	2500	luluda.exe	29
PID 2500 wrote to memory of 1848	2500	luluda.exe	29
PID 2500 wrote to memory of 1848	2500	luluda.exe	29
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 1848 wrote to memory of 1516	1848	d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe	31
PID 2500 wrote to memory of 1572	2500	luluda.exe	34
PID 2500 wrote to memory of 1572	2500	luluda.exe	34
PID 2500 wrote to memory of 1572	2500	luluda.exe	34
PID 2500 wrote to memory of 1572	2500	luluda.exe	34
PID 2500 wrote to memory of 1572	2500	luluda.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d28fe996d3f2aed7309512422bfedc20_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\Lofa\luluda.exe
    "C:\Users\Admin\AppData\Roaming\Lofa\luluda.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8ccbd040.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1516

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8ccbd040.bat

Filesize
271B

MD5
8965943c1c4fd25d06bba9e0e607f2be

SHA1
c78709882dc893e9f14da3abf9b3435a3dd2932e

SHA256
1bc56482b1f431efadecef6dbf83112559ccc4523b7d48faca0bcf44464636ce

SHA512
f5fd5dc5cdbe169369f1fa5d61fca7d3dc474b37078b5bc004644aa8509dffd7bf0a3edec159fd5f0eb6646e2dfa9c79fb6bf29b1d0df35ba3cf59f1b4006e80

Download Submit
C:\Users\Admin\AppData\Roaming\Lofa\luluda.exe

Filesize
307KB

MD5
6d92781ffeafa395b333eb798bebcd6c

SHA1
687d6b83343955fdc448e45c1f30b7df4e38e615

SHA256
445e303eb92e1f3037d22b9ad85231f6c942bba58aae7d2ef4260e629e056c76

SHA512
f04d2f5244b138b443bd260b99155d6b656826ca42a92e6af4e8c0d8683d97afc46773edf2e63c6548111b8e9e29c6d03f5e87492dcffa26d3788a1553f2d18f

Download Submit
memory/328-34-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/328-37-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/328-36-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/328-35-0x0000000002080000-0x00000000020C4000-memory.dmp

Filesize
272KB

Download
memory/1100-15-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1100-17-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1100-19-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1100-21-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1100-22-0x0000000002030000-0x0000000002074000-memory.dmp

Filesize
272KB

Download
memory/1172-24-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1172-27-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1172-26-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1172-25-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/1224-29-0x0000000002E60000-0x0000000002EA4000-memory.dmp

Filesize
272KB

Download
memory/1224-30-0x0000000002E60000-0x0000000002EA4000-memory.dmp

Filesize
272KB

Download
memory/1224-31-0x0000000002E60000-0x0000000002EA4000-memory.dmp

Filesize
272KB

Download
memory/1224-32-0x0000000002E60000-0x0000000002EA4000-memory.dmp

Filesize
272KB

Download
memory/1848-64-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-134-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1848-70-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-68-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-66-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-62-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-54-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-53-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/1848-52-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-48-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-46-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-44-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-41-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-40-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-39-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-74-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-76-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-72-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-135-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-78-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-0-0x0000000000A90000-0x0000000000AE0000-memory.dmp

Filesize
320KB

Download
memory/1848-60-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-50-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1848-43-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1848-158-0x0000000000A90000-0x0000000000AE0000-memory.dmp

Filesize
320KB

Download
memory/1848-11-0x0000000000210000-0x0000000000260000-memory.dmp

Filesize
320KB

Download
memory/1848-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1848-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1848-42-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1848-160-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1848-159-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2500-12-0x0000000000910000-0x0000000000960000-memory.dmp

Filesize
320KB

Download
memory/2500-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2500-283-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2500-291-0x0000000000910000-0x0000000000960000-memory.dmp

Filesize
320KB

Download