20069e8530e9643a75fe1a6ab6919aca3a55da640156dbbad559078ece27634c

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
Size

377KB
MD5

dc697759329abaaf6a6dc6acf57e7124
SHA1

034128d9159f6484c18f2497d700b4ddeb95ddf1
SHA256

20069e8530e9643a75fe1a6ab6919aca3a55da640156dbbad559078ece27634c
SHA512

2ad9c2bee80c8febad665cdfb1288a37e3176c13c8af9ab00db3cba04d45964ad483798db3a02ec24065eb0d9c7694bc43a1fc9371ba972138a341d19a16e1af
SSDEEP

6144:8B8lev8CcOsW1D8fBUkEv8a6dRPMfbt4xb7s5evZ08zj6:8mlevXfsgofykHREfbSbfvZY

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1244	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	exyn.exe

Loads dropped DLL 2 IoCs

pid	Process
1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D5718048-3C80-AD4F-91EC-8CC98FD5AFD4} = "C:\\Users\\Admin\\AppData\\Roaming\\Ohdy\\exyn.exe"	exyn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe
1732	exyn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
1732	exyn.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1732	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1732	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1732	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	30
PID 1924 wrote to memory of 1732	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1120	1732	exyn.exe	19
PID 1732 wrote to memory of 1120	1732	exyn.exe	19
PID 1732 wrote to memory of 1120	1732	exyn.exe	19
PID 1732 wrote to memory of 1120	1732	exyn.exe	19
PID 1732 wrote to memory of 1120	1732	exyn.exe	19
PID 1732 wrote to memory of 1176	1732	exyn.exe	20
PID 1732 wrote to memory of 1176	1732	exyn.exe	20
PID 1732 wrote to memory of 1176	1732	exyn.exe	20
PID 1732 wrote to memory of 1176	1732	exyn.exe	20
PID 1732 wrote to memory of 1176	1732	exyn.exe	20
PID 1732 wrote to memory of 1208	1732	exyn.exe	21
PID 1732 wrote to memory of 1208	1732	exyn.exe	21
PID 1732 wrote to memory of 1208	1732	exyn.exe	21
PID 1732 wrote to memory of 1208	1732	exyn.exe	21
PID 1732 wrote to memory of 1208	1732	exyn.exe	21
PID 1732 wrote to memory of 1288	1732	exyn.exe	25
PID 1732 wrote to memory of 1288	1732	exyn.exe	25
PID 1732 wrote to memory of 1288	1732	exyn.exe	25
PID 1732 wrote to memory of 1288	1732	exyn.exe	25
PID 1732 wrote to memory of 1288	1732	exyn.exe	25
PID 1732 wrote to memory of 1924	1732	exyn.exe	29
PID 1732 wrote to memory of 1924	1732	exyn.exe	29
PID 1732 wrote to memory of 1924	1732	exyn.exe	29
PID 1732 wrote to memory of 1924	1732	exyn.exe	29
PID 1732 wrote to memory of 1924	1732	exyn.exe	29
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31
PID 1924 wrote to memory of 1244	1924	dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc697759329abaaf6a6dc6acf57e7124_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Roaming\Ohdy\exyn.exe
    "C:\Users\Admin\AppData\Roaming\Ohdy\exyn.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp53d1968a.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53d1968a.bat

Filesize
271B

MD5
6c059b0c73e539ced64b75169ac900b5

SHA1
d8655d6c09d40c01a1546d8f1d35b2efc0e40680

SHA256
8f626c5fc1c51caeb3c3edc697df233792da30593ed97fd6de7db35e3fdcf061

SHA512
7ab5f011008d34d292140a7b65fb66037e54f83cf5bdd596f9b9871588471336c61604582a04fad77e25c9acc0d1cadfe698ed0e548d1fe5c2d0047c5ab74881

Download Submit
C:\Users\Admin\AppData\Roaming\Ohdy\exyn.exe

Filesize
377KB

MD5
266e1d5bc2e10b48c1aef10168d25bb6

SHA1
c9abfe606f195ee60850649e5313f17bea9dde7c

SHA256
194cd7c603112a79089a81fe5eb5493c44f4088993a41d36bff4dac977b57482

SHA512
5cb261f5227523430e5b56d7a48650ae9ac736cd2cf5def2d16d5b62002a2abc5bde770e0ba63496ce184c90c97b4a0e2a77ce5ecc288a947d98a61b77f38412

Download Submit
memory/1120-24-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/1120-23-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/1120-19-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/1120-21-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/1120-22-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/1176-26-0x0000000002020000-0x0000000002062000-memory.dmp

Filesize
264KB

Download
memory/1176-27-0x0000000002020000-0x0000000002062000-memory.dmp

Filesize
264KB

Download
memory/1176-29-0x0000000002020000-0x0000000002062000-memory.dmp

Filesize
264KB

Download
memory/1176-28-0x0000000002020000-0x0000000002062000-memory.dmp

Filesize
264KB

Download
memory/1208-34-0x0000000002970000-0x00000000029B2000-memory.dmp

Filesize
264KB

Download
memory/1208-33-0x0000000002970000-0x00000000029B2000-memory.dmp

Filesize
264KB

Download
memory/1208-32-0x0000000002970000-0x00000000029B2000-memory.dmp

Filesize
264KB

Download
memory/1208-31-0x0000000002970000-0x00000000029B2000-memory.dmp

Filesize
264KB

Download
memory/1288-37-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1288-36-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1288-39-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1288-38-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1732-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-15-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1732-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-16-0x0000000000370000-0x00000000003D1000-memory.dmp

Filesize
388KB

Download
memory/1924-58-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/1924-73-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-59-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-56-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-54-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-52-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-50-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-133-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-47-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1924-45-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1924-43-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1924-41-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1924-67-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-69-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-71-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-61-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-75-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-77-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-79-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-81-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-65-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-63-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x0000000000380000-0x00000000003E1000-memory.dmp

Filesize
388KB

Download
memory/1924-49-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1924-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-156-0x0000000000380000-0x00000000003E1000-memory.dmp

Filesize
388KB

Download
memory/1924-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-0-0x0000000000330000-0x0000000000372000-memory.dmp

Filesize
264KB

Download