b99201c0cea2537f05b5c8e61f8aaabc3827e3166ad9133ec9d7ab986a916b58

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
Size

327KB
MD5

d320d1f7f7c9e975083a3f7a9ea15ab5
SHA1

b09321b68b77e667a337a39e78519767470cf1ca
SHA256

b99201c0cea2537f05b5c8e61f8aaabc3827e3166ad9133ec9d7ab986a916b58
SHA512

29505f4d9ea170999788485f79f8ab427b01f2214bf4cc76052fa93bd6c478d23590f07c1b71243077df585edfa9b3f668bc4112abd2b4bb0005696719cc4b7b
SSDEEP

6144:v64FaDFLjydzoKSgt4n7mptOO4TyUo+C5Nqqsoeb:v6FDkdoKS647mCTZBOqZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	joos.exe
3064	joos.exe

Loads dropped DLL 2 IoCs

pid	Process
2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{ED60B7C8-3C80-AD4F-2955-D827011AFB3A} = "C:\\Users\\Admin\\AppData\\Roaming\\Duehi\\joos.exe"	joos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 2896 set thread context of 3064	2896	joos.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe
3064	joos.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 1848 wrote to memory of 2748	1848	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2896	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2896	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2896	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2896	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	31
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2896 wrote to memory of 3064	2896	joos.exe	32
PID 2748 wrote to memory of 2868	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	33
PID 2748 wrote to memory of 2868	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	33
PID 2748 wrote to memory of 2868	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	33
PID 2748 wrote to memory of 2868	2748	d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe	33
PID 3064 wrote to memory of 1104	3064	joos.exe	19
PID 3064 wrote to memory of 1104	3064	joos.exe	19
PID 3064 wrote to memory of 1104	3064	joos.exe	19
PID 3064 wrote to memory of 1104	3064	joos.exe	19
PID 3064 wrote to memory of 1104	3064	joos.exe	19
PID 3064 wrote to memory of 1168	3064	joos.exe	20
PID 3064 wrote to memory of 1168	3064	joos.exe	20
PID 3064 wrote to memory of 1168	3064	joos.exe	20
PID 3064 wrote to memory of 1168	3064	joos.exe	20
PID 3064 wrote to memory of 1168	3064	joos.exe	20
PID 3064 wrote to memory of 1212	3064	joos.exe	21
PID 3064 wrote to memory of 1212	3064	joos.exe	21
PID 3064 wrote to memory of 1212	3064	joos.exe	21
PID 3064 wrote to memory of 1212	3064	joos.exe	21
PID 3064 wrote to memory of 1212	3064	joos.exe	21
PID 3064 wrote to memory of 856	3064	joos.exe	23
PID 3064 wrote to memory of 856	3064	joos.exe	23
PID 3064 wrote to memory of 856	3064	joos.exe	23
PID 3064 wrote to memory of 856	3064	joos.exe	23
PID 3064 wrote to memory of 856	3064	joos.exe	23
PID 3064 wrote to memory of 2868	3064	joos.exe	33
PID 3064 wrote to memory of 2868	3064	joos.exe	33
PID 3064 wrote to memory of 2868	3064	joos.exe	33
PID 3064 wrote to memory of 2868	3064	joos.exe	33
PID 3064 wrote to memory of 2868	3064	joos.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d320d1f7f7c9e975083a3f7a9ea15ab5_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Roaming\Duehi\joos.exe
      "C:\Users\Admin\AppData\Roaming\Duehi\joos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Roaming\Duehi\joos.exe
        
        "C:\Users\Admin\AppData\Roaming\Duehi\joos.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd876aaa5.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2868

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd876aaa5.bat

Filesize
271B

MD5
280adf5528d8eaeb2ddcbeef1f92ce3f

SHA1
e904414e4f5f025b95b2c0a320c131be73149522

SHA256
9c8fcf5586f38422e275ff321fd292f832c1b77624dfb6bec846feac084a7d7e

SHA512
5ee480cfc5d003add7b51c86251a3b00c69822b01e96fe61107fd70354282f87f90797458bbdf3cee6f952ff813930eb964de1a423c10f85b3b441984de27b2e

Download Submit
\Users\Admin\AppData\Roaming\Duehi\joos.exe

Filesize
327KB

MD5
72db930e6e2d0e3e902232f2fe66412e

SHA1
2e26db037267cb7aadaa93fbe5ebcc66e4a19b24

SHA256
e81b31dd95db439c8f9418597e4f966a2569fee38e646a9f91819efb8d7a2725

SHA512
5a109bd3834be28ea64fcc36cffee449503eb18ea27614e1c10a24cb6af49c1933212cd69fe7bc8d6ba29e01bbcfa3d3ef6651678824a9122f215f9140014403

Download Submit
memory/856-70-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/856-72-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/856-71-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/856-73-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1104-57-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/1104-58-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/1104-56-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/1104-55-0x0000000001E40000-0x0000000001E84000-memory.dmp

Filesize
272KB

Download
memory/1168-60-0x0000000001AD0000-0x0000000001B14000-memory.dmp

Filesize
272KB

Download
memory/1168-61-0x0000000001AD0000-0x0000000001B14000-memory.dmp

Filesize
272KB

Download
memory/1168-62-0x0000000001AD0000-0x0000000001B14000-memory.dmp

Filesize
272KB

Download
memory/1168-63-0x0000000001AD0000-0x0000000001B14000-memory.dmp

Filesize
272KB

Download
memory/1212-66-0x0000000002B00000-0x0000000002B44000-memory.dmp

Filesize
272KB

Download
memory/1212-65-0x0000000002B00000-0x0000000002B44000-memory.dmp

Filesize
272KB

Download
memory/1212-67-0x0000000002B00000-0x0000000002B44000-memory.dmp

Filesize
272KB

Download
memory/1212-68-0x0000000002B00000-0x0000000002B44000-memory.dmp

Filesize
272KB

Download
memory/1848-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1848-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1848-1-0x0000000000320000-0x0000000000377000-memory.dmp

Filesize
348KB

Download
memory/2748-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-29-0x0000000000390000-0x00000000003E7000-memory.dmp

Filesize
348KB

Download
memory/2748-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2868-76-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2868-79-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2868-78-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2868-77-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2868-75-0x0000000000080000-0x00000000000C4000-memory.dmp

Filesize
272KB

Download
memory/2896-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3064-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3064-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download