26f22a1a9d7af7d9ba4d79adb8ae550c452ef98b0920c1c9afafa52c4ce649a7

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
Size

320KB
MD5

de46c953b26ba6b1b25d2594c309da31
SHA1

a64325de2d7eb49aeb41dddabe3dfc3083fb8253
SHA256

26f22a1a9d7af7d9ba4d79adb8ae550c452ef98b0920c1c9afafa52c4ce649a7
SHA512

a9d27e261b44631a5797e711c0ee88f2e0d02dc111b0a0fb0f3ca154fd465871c41c32895af606fd32b780a2956db7ad34082122472d44597d31a102cde55d5c
SSDEEP

6144:qF0jzdT9d941odtA89nQynoeJcFBVHuE24qEDRjS:qKjzZ9d93dtAQX6VHu5QDo

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	azal.exe

Loads dropped DLL 4 IoCs

pid	Process
2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Iwqe\\azal.exe"	azal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azal.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe
2020	azal.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
Token: SeSecurityPrivilege	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
Token: SeSecurityPrivilege	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
2020	azal.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2972 wrote to memory of 2020	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	29
PID 2020 wrote to memory of 1120	2020	azal.exe	18
PID 2020 wrote to memory of 1120	2020	azal.exe	18
PID 2020 wrote to memory of 1120	2020	azal.exe	18
PID 2020 wrote to memory of 1120	2020	azal.exe	18
PID 2020 wrote to memory of 1120	2020	azal.exe	18
PID 2020 wrote to memory of 1212	2020	azal.exe	19
PID 2020 wrote to memory of 1212	2020	azal.exe	19
PID 2020 wrote to memory of 1212	2020	azal.exe	19
PID 2020 wrote to memory of 1212	2020	azal.exe	19
PID 2020 wrote to memory of 1212	2020	azal.exe	19
PID 2020 wrote to memory of 1256	2020	azal.exe	20
PID 2020 wrote to memory of 1256	2020	azal.exe	20
PID 2020 wrote to memory of 1256	2020	azal.exe	20
PID 2020 wrote to memory of 1256	2020	azal.exe	20
PID 2020 wrote to memory of 1256	2020	azal.exe	20
PID 2020 wrote to memory of 1612	2020	azal.exe	22
PID 2020 wrote to memory of 1612	2020	azal.exe	22
PID 2020 wrote to memory of 1612	2020	azal.exe	22
PID 2020 wrote to memory of 1612	2020	azal.exe	22
PID 2020 wrote to memory of 1612	2020	azal.exe	22
PID 2020 wrote to memory of 2972	2020	azal.exe	28
PID 2020 wrote to memory of 2972	2020	azal.exe	28
PID 2020 wrote to memory of 2972	2020	azal.exe	28
PID 2020 wrote to memory of 2972	2020	azal.exe	28
PID 2020 wrote to memory of 2972	2020	azal.exe	28
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2796	2972	de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1212

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\de46c953b26ba6b1b25d2594c309da31_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Roaming\Iwqe\azal.exe
    "C:\Users\Admin\AppData\Roaming\Iwqe\azal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp5fa25514.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2796

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5fa25514.bat

Filesize
271B

MD5
6df9c6a11c32bcb1446de763fc9eac62

SHA1
58f416f9a66f0ca49fad7938475a40309ec25bac

SHA256
55446cf21791682752fee9597ea5ad240fa5087c0cd8364718e5eb749a5184d6

SHA512
bf6b23899bd1ccee3cfdbf365934a5a0a95b4e16c399f6cf4d72535c6705b555dd1b0e51340c7462dfa958ae30c8fffa48b758f37de09a0657648581018b4382

Download Submit
C:\Users\Admin\AppData\Roaming\Ohymtu\xiux.bae

Filesize
380B

MD5
30112ae2756db1b8611f7492ced7d166

SHA1
fabce49faffa230eec8f8bade3ceb6c1a16fe11a

SHA256
d31bb567e077c67205d7d8742df67f6d2a603c23097f3239b718fbdfc7fbd212

SHA512
c52fa65807b63bc3a4ea2586cd742e84d8d8db99723f904055772da35cc38c27f6172eb7d80f20435bf0cd55018ff7bd8d56769b319ff23ab65c3b251dfb0ca8

Download Submit
\Users\Admin\AppData\Roaming\Iwqe\azal.exe

Filesize
320KB

MD5
e0ef57a3a619e3b3efd19a6e5f54a6c0

SHA1
bee2a3592add2ff82575dc4eb893b3993de12079

SHA256
f8ae2a817bea90955c264f5aeba990bcdbbb049d934fd43f82bef8c6c74308ee

SHA512
4dd92b73a6c01a384a0bceb02e7ed7c86ca64cea5e4a93edd4a590e5e8b01f5db17ef21eb57bd5bed0d882891c8294eda403d49cebd47c9431d0c1361ba4e7d2

Download Submit
memory/1120-21-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1120-17-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1120-19-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1120-25-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1120-23-0x0000000001FA0000-0x0000000001FE1000-memory.dmp

Filesize
260KB

Download
memory/1212-31-0x00000000021D0000-0x0000000002211000-memory.dmp

Filesize
260KB

Download
memory/1212-29-0x00000000021D0000-0x0000000002211000-memory.dmp

Filesize
260KB

Download
memory/1212-33-0x00000000021D0000-0x0000000002211000-memory.dmp

Filesize
260KB

Download
memory/1212-35-0x00000000021D0000-0x0000000002211000-memory.dmp

Filesize
260KB

Download
memory/1256-38-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1256-40-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1256-44-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1256-42-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1612-50-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1612-49-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1612-48-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/1612-47-0x0000000001CE0000-0x0000000001D21000-memory.dmp

Filesize
260KB

Download
memory/2020-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-311-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2020-310-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2020-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2796-309-0x0000000000090000-0x00000000000D1000-memory.dmp

Filesize
260KB

Download
memory/2796-191-0x0000000000090000-0x00000000000D1000-memory.dmp

Filesize
260KB

Download
memory/2972-69-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-57-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-55-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-54-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-53-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-52-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-61-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-63-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-65-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-67-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-71-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-190-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2972-0-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/2972-56-0x00000000023A0000-0x00000000023E1000-memory.dmp

Filesize
260KB

Download
memory/2972-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-1-0x0000000001CA0000-0x0000000001CF2000-memory.dmp

Filesize
328KB

Download
memory/2972-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download