fe74b95f4206c66f682145fe2d0de7f7ef04674082c61cba3afa3ad3c217ea49

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
Size

272KB
MD5

d44ff69480d56f5dbc6c7a54f75e342d
SHA1

6f6f28db929a307a7823e70087714651662a2afa
SHA256

fe74b95f4206c66f682145fe2d0de7f7ef04674082c61cba3afa3ad3c217ea49
SHA512

d935455b9f67a260676f123b9bc2d6fdf6c05338b3042cff187d5ff6e346e0652915dfcc1be51f2c99fe379fc0668e3eb47a1e602e2fc53c7716ee3357bab8d8
SSDEEP

3072:2KqM7xgT1jfHnyvVCe9n7cuqovIYhWYuKnBSDdNZ1nWEu5hJWrrxeTlKT5TqpZKZ:JxYfHnytCfyIYGKBodNZ1WEuAUo5

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
664	efef.exe
3048	efef.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{654D676B-B07F-6D5A-E5FB-A60E42FBFE61} = "C:\\Users\\Admin\\AppData\\Roaming\\Etuw\\efef.exe"	efef.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 664 set thread context of 3048	664	efef.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe
3048	efef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
664	efef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2932	2488	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	31
PID 2932 wrote to memory of 664	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	32
PID 2932 wrote to memory of 664	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	32
PID 2932 wrote to memory of 664	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	32
PID 2932 wrote to memory of 664	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	32
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 664 wrote to memory of 3048	664	efef.exe	33
PID 3048 wrote to memory of 1204	3048	efef.exe	19
PID 3048 wrote to memory of 1204	3048	efef.exe	19
PID 3048 wrote to memory of 1204	3048	efef.exe	19
PID 3048 wrote to memory of 1204	3048	efef.exe	19
PID 3048 wrote to memory of 1204	3048	efef.exe	19
PID 3048 wrote to memory of 1308	3048	efef.exe	20
PID 3048 wrote to memory of 1308	3048	efef.exe	20
PID 3048 wrote to memory of 1308	3048	efef.exe	20
PID 3048 wrote to memory of 1308	3048	efef.exe	20
PID 3048 wrote to memory of 1308	3048	efef.exe	20
PID 3048 wrote to memory of 1368	3048	efef.exe	21
PID 3048 wrote to memory of 1368	3048	efef.exe	21
PID 3048 wrote to memory of 1368	3048	efef.exe	21
PID 3048 wrote to memory of 1368	3048	efef.exe	21
PID 3048 wrote to memory of 1368	3048	efef.exe	21
PID 3048 wrote to memory of 1448	3048	efef.exe	25
PID 3048 wrote to memory of 1448	3048	efef.exe	25
PID 3048 wrote to memory of 1448	3048	efef.exe	25
PID 3048 wrote to memory of 1448	3048	efef.exe	25
PID 3048 wrote to memory of 1448	3048	efef.exe	25
PID 3048 wrote to memory of 2932	3048	efef.exe	31
PID 3048 wrote to memory of 2932	3048	efef.exe	31
PID 3048 wrote to memory of 2932	3048	efef.exe	31
PID 3048 wrote to memory of 2932	3048	efef.exe	31
PID 3048 wrote to memory of 2932	3048	efef.exe	31
PID 2932 wrote to memory of 2804	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	34
PID 2932 wrote to memory of 2804	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	34
PID 2932 wrote to memory of 2804	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	34
PID 2932 wrote to memory of 2804	2932	d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe	34
PID 3048 wrote to memory of 2804	3048	efef.exe	34
PID 3048 wrote to memory of 2804	3048	efef.exe	34
PID 3048 wrote to memory of 2804	3048	efef.exe	34
PID 3048 wrote to memory of 2804	3048	efef.exe	34
PID 3048 wrote to memory of 2804	3048	efef.exe	34
PID 3048 wrote to memory of 2632	3048	efef.exe	35
PID 3048 wrote to memory of 2632	3048	efef.exe	35
PID 3048 wrote to memory of 2632	3048	efef.exe	35
PID 3048 wrote to memory of 2632	3048	efef.exe	35
PID 3048 wrote to memory of 2632	3048	efef.exe	35
PID 3048 wrote to memory of 1656	3048	efef.exe	36
PID 3048 wrote to memory of 1656	3048	efef.exe	36
PID 3048 wrote to memory of 1656	3048	efef.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d44ff69480d56f5dbc6c7a54f75e342d_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Roaming\Etuw\efef.exe
      "C:\Users\Admin\AppData\Roaming\Etuw\efef.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Roaming\Etuw\efef.exe
        
        "C:\Users\Admin\AppData\Roaming\Etuw\efef.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp384dc822.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1441912123-905252274-1721799970210464597021004199028347055424610890651153088522"
1⤵
PID:2632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp384dc822.bat

Filesize
271B

MD5
c154db299189e8281d93dbd718f6a7bc

SHA1
99c22db61a9f36e2e0f00c6df41f83446b65dd66

SHA256
5dfa69c22fbb62fe78ae6fcbeec1e315c498cd7361ae34f7ac35495c080513b4

SHA512
4636cc88f944e1f5873bafe39ff4c97db39aa5afde124ffcd1925b0913d4ef8f128b9ad2d841ef0d663d36a3242dda5b81fc6c4cd1c8f39d4127f476e18340a4

Download Submit
C:\Users\Admin\AppData\Roaming\Etuw\efef.exe

Filesize
272KB

MD5
a3beb2475a815df97a3015ea8d24f6ec

SHA1
046982be5cf77540158ca2286c456234dc1471fb

SHA256
89b01a0a4d93b16feb88f733d66b11dfbe342579e05aec1359366bdd8adc6926

SHA512
ded6412f127954ef28b9e541de3a836d4d15f77613883ba9789a21ad5eea494e74d5e351084a09ebd1f7fc5d274abbbd22fc6520d15d5049120c0a5965716c3a

Download Submit
memory/2488-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download