0a91593630ec377b8c13974886147e7a7cc73f5cebbeb9f1758001c241e8ce0a

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
Size

290KB
MD5

dab27dfaa0f669314f57c94e188d2c33
SHA1

1ccd4c7f480b3f0b99b3cfff641c07e04c58431c
SHA256

0a91593630ec377b8c13974886147e7a7cc73f5cebbeb9f1758001c241e8ce0a
SHA512

28aa5034efc0f6588234b1080bb43a0f7effbba6b2415a5710ad5951cc3f3b43e3e762afd5e7f36a94fd7a2991de8458f26c97eea77274f9ceba1daa7084fb55
SSDEEP

6144:wXBlvdqWLqOKn/B5RyaynzgvGq6JhW7XQgtm0DT91n:wXB/zLG/B5YzFHEtmA

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1596	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	jeme.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D2BEAD48-3C80-AD4F-FE01-FCCCDCDBDFD1} = "C:\\Users\\Admin\\AppData\\Roaming\\Akyn\\jeme.exe"	jeme.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe
2100	jeme.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
Token: SeSecurityPrivilege	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
Token: SeSecurityPrivilege	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
2100	jeme.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2100	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2100	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	30
PID 2100 wrote to memory of 1064	2100	jeme.exe	18
PID 2100 wrote to memory of 1064	2100	jeme.exe	18
PID 2100 wrote to memory of 1064	2100	jeme.exe	18
PID 2100 wrote to memory of 1064	2100	jeme.exe	18
PID 2100 wrote to memory of 1064	2100	jeme.exe	18
PID 2100 wrote to memory of 1128	2100	jeme.exe	19
PID 2100 wrote to memory of 1128	2100	jeme.exe	19
PID 2100 wrote to memory of 1128	2100	jeme.exe	19
PID 2100 wrote to memory of 1128	2100	jeme.exe	19
PID 2100 wrote to memory of 1128	2100	jeme.exe	19
PID 2100 wrote to memory of 1156	2100	jeme.exe	20
PID 2100 wrote to memory of 1156	2100	jeme.exe	20
PID 2100 wrote to memory of 1156	2100	jeme.exe	20
PID 2100 wrote to memory of 1156	2100	jeme.exe	20
PID 2100 wrote to memory of 1156	2100	jeme.exe	20
PID 2100 wrote to memory of 1876	2100	jeme.exe	25
PID 2100 wrote to memory of 1876	2100	jeme.exe	25
PID 2100 wrote to memory of 1876	2100	jeme.exe	25
PID 2100 wrote to memory of 1876	2100	jeme.exe	25
PID 2100 wrote to memory of 1876	2100	jeme.exe	25
PID 2100 wrote to memory of 1832	2100	jeme.exe	29
PID 2100 wrote to memory of 1832	2100	jeme.exe	29
PID 2100 wrote to memory of 1832	2100	jeme.exe	29
PID 2100 wrote to memory of 1832	2100	jeme.exe	29
PID 2100 wrote to memory of 1832	2100	jeme.exe	29
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31
PID 1832 wrote to memory of 1596	1832	dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1064

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156
- C:\Users\Admin\AppData\Local\Temp\dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dab27dfaa0f669314f57c94e188d2c33_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Roaming\Akyn\jeme.exe
    "C:\Users\Admin\AppData\Roaming\Akyn\jeme.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp54727ac9.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54727ac9.bat

Filesize
271B

MD5
a2f10c3f25d6f7225440da34b66163c0

SHA1
96262ec178fecfc239f355eaf5ec52e428cb59c7

SHA256
cc2226e0e639ce6d1959b6075f431af4838ef35651bde0e826d355af254ded3b

SHA512
fb610ba8a499d9f09830dd7b0d825102747d8dfeb16b00125b7214f0010270753e183b2766d86a08a89e2dc421fd6088e1fb26905bdfb14f8be2b1b54cf2eab1

Download Submit
C:\Users\Admin\AppData\Roaming\Akyn\jeme.exe

Filesize
290KB

MD5
a11af48edd8aec69a68808c7f4b97e1a

SHA1
e441c3378afa821d2821593071e0c61020492bf9

SHA256
718da308d5568be48d8ac316333404d3eec702858c259724a14dcdd41a2f6bd1

SHA512
5953dfef4fce51b09a5b83849d2ea3873b3e6cef9d4c32adbaa2c945ba39872ed72c2982b6041ad515e1ea0b7af2d6b2f19cb6fa923fb43a03a25fba29c702c2

Download Submit
C:\Users\Admin\AppData\Roaming\Ojqor\oximy.ajn

Filesize
380B

MD5
77ae6edbe1e82ec6569043b25f3bdab9

SHA1
a290adf2dbdbe5ec936ec3f5fad45a77d1e8d58b

SHA256
4e1f6abb9c368af531c499d5129a1319fcf395b646563f994525d0720496d4f1

SHA512
b587bdd024c237858e4eb68a144ca30f94af4d9a8455d770dcf31034984f7449ea738e0c645f8ec6aed442c0ad9f02782fe9ba712e218b8947222b03aa4e901e

Download Submit
memory/1064-21-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1064-17-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1064-19-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1064-16-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1064-23-0x0000000002130000-0x0000000002171000-memory.dmp

Filesize
260KB

Download
memory/1128-26-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1128-27-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1128-28-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1128-29-0x0000000000130000-0x0000000000171000-memory.dmp

Filesize
260KB

Download
memory/1156-33-0x0000000002E90000-0x0000000002ED1000-memory.dmp

Filesize
260KB

Download
memory/1156-34-0x0000000002E90000-0x0000000002ED1000-memory.dmp

Filesize
260KB

Download
memory/1156-31-0x0000000002E90000-0x0000000002ED1000-memory.dmp

Filesize
260KB

Download
memory/1156-32-0x0000000002E90000-0x0000000002ED1000-memory.dmp

Filesize
260KB

Download
memory/1832-73-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-81-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-66-0x0000000077C00000-0x0000000077C01000-memory.dmp

Filesize
4KB

Download
memory/1832-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-57-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-55-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-134-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-53-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-49-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-1-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download
memory/1832-158-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download
memory/1832-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-43-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-42-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-41-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-160-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-71-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-0-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/1832-75-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-77-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-79-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-83-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1832-44-0x00000000004A0000-0x00000000004E1000-memory.dmp

Filesize
260KB

Download
memory/1832-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1832-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-36-0x0000000001B80000-0x0000000001BC1000-memory.dmp

Filesize
260KB

Download
memory/1876-37-0x0000000001B80000-0x0000000001BC1000-memory.dmp

Filesize
260KB

Download
memory/1876-38-0x0000000001B80000-0x0000000001BC1000-memory.dmp

Filesize
260KB

Download
memory/2100-46-0x00000000002A0000-0x00000000002E1000-memory.dmp

Filesize
260KB

Download
memory/2100-47-0x00000000002F0000-0x000000000033D000-memory.dmp

Filesize
308KB

Download
memory/2100-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2100-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download