8e71708418eca969d80f3e2379e6c4f64b97142ab28593e55cb0280ad5eaf6f4

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
Size

284KB
MD5

d5a5ec6d226fe4d981406dbc0bf00410
SHA1

2b7d631f531eaa852e6883a7e6524dbac03a3546
SHA256

8e71708418eca969d80f3e2379e6c4f64b97142ab28593e55cb0280ad5eaf6f4
SHA512

09b75a4cdcdcb24a3adc0dd9b648de1c84cbc24152541082761835fafaf920d9c08d0b3665d25854fad9cc12327bd9c2f4ce80f92636cb64cdedc48ec6644423
SSDEEP

6144:BNq6Az17HPwmDDANk9eAMezaM8Tu4+4lAGX9gGSwD7uc6Z:BM6Az17HB19bOLvuZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	wybyo.exe

Loads dropped DLL 2 IoCs

pid	Process
580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95BC468-3C80-AD4F-F4E3-EFE6C1B1CCFB} = "C:\\Users\\Admin\\AppData\\Roaming\\Usgi\\wybyo.exe"	wybyo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 580 set thread context of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe
2324	wybyo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
Token: SeSecurityPrivilege	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
Token: SeSecurityPrivilege	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
2324	wybyo.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2324	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	31
PID 580 wrote to memory of 2324	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	31
PID 580 wrote to memory of 2324	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	31
PID 580 wrote to memory of 2324	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	31
PID 2324 wrote to memory of 1112	2324	wybyo.exe	19
PID 2324 wrote to memory of 1112	2324	wybyo.exe	19
PID 2324 wrote to memory of 1112	2324	wybyo.exe	19
PID 2324 wrote to memory of 1112	2324	wybyo.exe	19
PID 2324 wrote to memory of 1112	2324	wybyo.exe	19
PID 2324 wrote to memory of 1208	2324	wybyo.exe	20
PID 2324 wrote to memory of 1208	2324	wybyo.exe	20
PID 2324 wrote to memory of 1208	2324	wybyo.exe	20
PID 2324 wrote to memory of 1208	2324	wybyo.exe	20
PID 2324 wrote to memory of 1208	2324	wybyo.exe	20
PID 2324 wrote to memory of 1248	2324	wybyo.exe	21
PID 2324 wrote to memory of 1248	2324	wybyo.exe	21
PID 2324 wrote to memory of 1248	2324	wybyo.exe	21
PID 2324 wrote to memory of 1248	2324	wybyo.exe	21
PID 2324 wrote to memory of 1248	2324	wybyo.exe	21
PID 2324 wrote to memory of 288	2324	wybyo.exe	25
PID 2324 wrote to memory of 288	2324	wybyo.exe	25
PID 2324 wrote to memory of 288	2324	wybyo.exe	25
PID 2324 wrote to memory of 288	2324	wybyo.exe	25
PID 2324 wrote to memory of 288	2324	wybyo.exe	25
PID 2324 wrote to memory of 580	2324	wybyo.exe	30
PID 2324 wrote to memory of 580	2324	wybyo.exe	30
PID 2324 wrote to memory of 580	2324	wybyo.exe	30
PID 2324 wrote to memory of 580	2324	wybyo.exe	30
PID 2324 wrote to memory of 580	2324	wybyo.exe	30
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32
PID 580 wrote to memory of 2944	580	d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a5ec6d226fe4d981406dbc0bf00410_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Roaming\Usgi\wybyo.exe
    "C:\Users\Admin\AppData\Roaming\Usgi\wybyo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe0e8b018.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2944

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe0e8b018.bat

Filesize
271B

MD5
5feb89798ecc25d680323dd3b678de2a

SHA1
248d0c3c33764389dba2f7cd10366bd93172a3ac

SHA256
316fa46f0dba3b56d8e075f8261a281f56d9fb219c4a0d727d5bf91c5043d380

SHA512
2f670036f0d39f374ec7c739674856e53717d4747fb50dd7a0f936cb23f1f5ff1f015fbd93f3daad5ce54194dd5b161ef2b9e1c66f230a09ddda1fd86ccc5bd8

Download Submit
C:\Users\Admin\AppData\Roaming\Pehu\acypa.pau

Filesize
380B

MD5
d52cba6d5952a866887d329eec17e243

SHA1
39475a19a81ee51fc29ae0fbb0f43b749261029d

SHA256
7402fc8e89cb0b61afa4e7d29c4f637b4fc7794b3a977018fea16de5459dba17

SHA512
efbb545318c2a5a8b03582286064b7d3d2cbc455d29a36e3b2a45cf3d9bfabba604a2a26212b231f253f8c30cc2ddc870796358ef5db59a56fb3fa21aba7bbf8

Download Submit
\Users\Admin\AppData\Roaming\Usgi\wybyo.exe

Filesize
284KB

MD5
df5e17af026f27753991defbe8ec232d

SHA1
f5e49094dabe1eda041c3d87a19c4c2eb3ca86f8

SHA256
0f6fd065a5acc69b739bd66b7965371a8ab1619611240b2f1a7c6c15b760c1d3

SHA512
c90b11456e95b9c9f3796f0658a34cb5c65410944e8ecb3ef148a130eb4a11c2c7b8e20a3b2e00052779a2ecf0a622ac385569d4e3304ac7e09debdf3433de8a

Download Submit
memory/288-50-0x0000000001D90000-0x0000000001DD1000-memory.dmp

Filesize
260KB

Download
memory/288-44-0x0000000001D90000-0x0000000001DD1000-memory.dmp

Filesize
260KB

Download
memory/288-46-0x0000000001D90000-0x0000000001DD1000-memory.dmp

Filesize
260KB

Download
memory/288-48-0x0000000001D90000-0x0000000001DD1000-memory.dmp

Filesize
260KB

Download
memory/580-78-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-54-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/580-60-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/580-62-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/580-58-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/580-56-0x0000000001DD0000-0x0000000001E11000-memory.dmp

Filesize
260KB

Download
memory/580-1-0x0000000000380000-0x00000000003CF000-memory.dmp

Filesize
316KB

Download
memory/580-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/580-142-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-80-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-0-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/580-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-76-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/580-71-0x0000000077580000-0x0000000077581000-memory.dmp

Filesize
4KB

Download
memory/1112-20-0x0000000000210000-0x0000000000251000-memory.dmp

Filesize
260KB

Download
memory/1112-24-0x0000000000210000-0x0000000000251000-memory.dmp

Filesize
260KB

Download
memory/1112-18-0x0000000000210000-0x0000000000251000-memory.dmp

Filesize
260KB

Download
memory/1112-26-0x0000000000210000-0x0000000000251000-memory.dmp

Filesize
260KB

Download
memory/1112-22-0x0000000000210000-0x0000000000251000-memory.dmp

Filesize
260KB

Download
memory/1208-36-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1208-30-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1208-34-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1208-32-0x0000000001F50000-0x0000000001F91000-memory.dmp

Filesize
260KB

Download
memory/1248-39-0x0000000003E30000-0x0000000003E71000-memory.dmp

Filesize
260KB

Download
memory/1248-40-0x0000000003E30000-0x0000000003E71000-memory.dmp

Filesize
260KB

Download
memory/1248-41-0x0000000003E30000-0x0000000003E71000-memory.dmp

Filesize
260KB

Download
memory/1248-42-0x0000000003E30000-0x0000000003E71000-memory.dmp

Filesize
260KB

Download
memory/2324-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2324-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2324-284-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2324-285-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2324-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download