c2ff729452eac1829ac8e3ab851b0da8b1ca0027229a5931c6442a6d8272a5c9

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe
Size

307KB
MD5

de33dc8d122f69bb398e555b7c756355
SHA1

8d2a28c25c236d74660eba7bc030cf0b6fa3e817
SHA256

c2ff729452eac1829ac8e3ab851b0da8b1ca0027229a5931c6442a6d8272a5c9
SHA512

f87a30f704cd6955c40e7b31f0add42b309ba6396faf58c3daf060ea8c18a84539da68941d12ff305516757fe29f120d62aa74d4cad34967b533bcb7a84d2b48
SSDEEP

6144:K0vzLT72Y0S8zinYKTY1SQshfRPVQe1MZkIYSccr7wbstOaPECYeixlYGict:K0bf7SS/YsY1UMqMZJYSN7wbstOa8fvz

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	ibyp.exe

Loads dropped DLL 1 IoCs

pid	Process
1288	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D82C35C8-3C80-AD4F-E5F4-3B51F60A184C} = "C:\\Users\\Admin\\AppData\\Roaming\\Fyepe\\ibyp.exe"	ibyp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibyp.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe
1808	ibyp.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1808	1288	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1808	1288	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1808	1288	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe	30
PID 1288 wrote to memory of 1808	1288	de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe	30
PID 1808 wrote to memory of 1120	1808	ibyp.exe	19
PID 1808 wrote to memory of 1120	1808	ibyp.exe	19
PID 1808 wrote to memory of 1120	1808	ibyp.exe	19
PID 1808 wrote to memory of 1120	1808	ibyp.exe	19
PID 1808 wrote to memory of 1120	1808	ibyp.exe	19
PID 1808 wrote to memory of 1168	1808	ibyp.exe	20
PID 1808 wrote to memory of 1168	1808	ibyp.exe	20
PID 1808 wrote to memory of 1168	1808	ibyp.exe	20
PID 1808 wrote to memory of 1168	1808	ibyp.exe	20
PID 1808 wrote to memory of 1168	1808	ibyp.exe	20
PID 1808 wrote to memory of 1192	1808	ibyp.exe	21
PID 1808 wrote to memory of 1192	1808	ibyp.exe	21
PID 1808 wrote to memory of 1192	1808	ibyp.exe	21
PID 1808 wrote to memory of 1192	1808	ibyp.exe	21
PID 1808 wrote to memory of 1192	1808	ibyp.exe	21
PID 1808 wrote to memory of 852	1808	ibyp.exe	23
PID 1808 wrote to memory of 852	1808	ibyp.exe	23
PID 1808 wrote to memory of 852	1808	ibyp.exe	23
PID 1808 wrote to memory of 852	1808	ibyp.exe	23
PID 1808 wrote to memory of 852	1808	ibyp.exe	23
PID 1808 wrote to memory of 1288	1808	ibyp.exe	29
PID 1808 wrote to memory of 1288	1808	ibyp.exe	29
PID 1808 wrote to memory of 1288	1808	ibyp.exe	29
PID 1808 wrote to memory of 1288	1808	ibyp.exe	29
PID 1808 wrote to memory of 1288	1808	ibyp.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de33dc8d122f69bb398e555b7c756355_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Roaming\Fyepe\ibyp.exe
    "C:\Users\Admin\AppData\Roaming\Fyepe\ibyp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Fyepe\ibyp.exe

Filesize
307KB

MD5
b06ea6b8c3975a28b554f4bbd99278bd

SHA1
0da6f6ea839d73899a4f137001ca483bda92d26e

SHA256
fc3f76dd5bdc4b814fbff1e42a7b45fd9d5398903f86acb64429311ac1ab9b19

SHA512
635ff0f1807d14647f2db8d770acbea5a679916edb2b9c52613871e707f262561c545d5eb1c5c90218f952029d00fe25b6e7c06b23429f3dbb61d015512c84e5

Download Submit
memory/852-38-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/852-35-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/852-37-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/852-36-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1120-15-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1120-16-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1120-18-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1120-22-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1120-20-0x0000000000110000-0x0000000000154000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1168-25-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1168-26-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1168-28-0x00000000002D0000-0x0000000000314000-memory.dmp

Filesize
272KB

Download
memory/1192-33-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/1192-31-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/1192-30-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/1192-32-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/1288-49-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1288-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1288-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1288-47-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1288-41-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1288-43-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1288-0-0x0000000001300000-0x0000000001350000-memory.dmp

Filesize
320KB

Download
memory/1288-45-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1288-58-0x0000000001300000-0x0000000001350000-memory.dmp

Filesize
320KB

Download
memory/1288-8-0x0000000000200000-0x0000000000250000-memory.dmp

Filesize
320KB

Download
memory/1288-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1288-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1808-12-0x0000000000D40000-0x0000000000D90000-memory.dmp

Filesize
320KB

Download
memory/1808-51-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1808-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1808-59-0x0000000000D40000-0x0000000000D90000-memory.dmp

Filesize
320KB

Download
memory/1808-60-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download