45af7217d04bc9b7119a7fd23f3d1f16f046dfdb355d21d4cd9753055e13cdb2

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
Size

112KB
MD5

e148f4fbeade7a304cf739445e645e95
SHA1

c2b698d538aef5212dd650cafa04a7207845cbbf
SHA256

45af7217d04bc9b7119a7fd23f3d1f16f046dfdb355d21d4cd9753055e13cdb2
SHA512

427a8a32e7bb13a5c52f94f32b7b12668dde1a934bcb39fb4fdc7761f17ff33ab95d4bd037858345920d1d5c9a5c77f39470b0db9b0a8450235e05bf4abad567
SSDEEP

3072:ypkVzM+wSMZe5LxFaev6wHTWsGFkk76by46O9lr:G+wSgW3J3HT7W2by46wr

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	igofx.exe

Loads dropped DLL 1 IoCs

pid	Process
2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EEF606CC-AD5E-82C7-E2AC-BA4529EDCB09} = "C:\\Users\\Admin\\AppData\\Roaming\\Amguta\\igofx.exe"	igofx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe
2344	igofx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
Token: SeSecurityPrivilege	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
Token: SeSecurityPrivilege	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2344	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2344	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2344	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	31
PID 2496 wrote to memory of 2344	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	31
PID 2344 wrote to memory of 1112	2344	igofx.exe	19
PID 2344 wrote to memory of 1112	2344	igofx.exe	19
PID 2344 wrote to memory of 1112	2344	igofx.exe	19
PID 2344 wrote to memory of 1112	2344	igofx.exe	19
PID 2344 wrote to memory of 1112	2344	igofx.exe	19
PID 2344 wrote to memory of 1172	2344	igofx.exe	20
PID 2344 wrote to memory of 1172	2344	igofx.exe	20
PID 2344 wrote to memory of 1172	2344	igofx.exe	20
PID 2344 wrote to memory of 1172	2344	igofx.exe	20
PID 2344 wrote to memory of 1172	2344	igofx.exe	20
PID 2344 wrote to memory of 1196	2344	igofx.exe	21
PID 2344 wrote to memory of 1196	2344	igofx.exe	21
PID 2344 wrote to memory of 1196	2344	igofx.exe	21
PID 2344 wrote to memory of 1196	2344	igofx.exe	21
PID 2344 wrote to memory of 1196	2344	igofx.exe	21
PID 2344 wrote to memory of 1308	2344	igofx.exe	25
PID 2344 wrote to memory of 1308	2344	igofx.exe	25
PID 2344 wrote to memory of 1308	2344	igofx.exe	25
PID 2344 wrote to memory of 1308	2344	igofx.exe	25
PID 2344 wrote to memory of 1308	2344	igofx.exe	25
PID 2344 wrote to memory of 2496	2344	igofx.exe	30
PID 2344 wrote to memory of 2496	2344	igofx.exe	30
PID 2344 wrote to memory of 2496	2344	igofx.exe	30
PID 2344 wrote to memory of 2496	2344	igofx.exe	30
PID 2344 wrote to memory of 2496	2344	igofx.exe	30
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2496 wrote to memory of 2660	2496	e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe	32
PID 2344 wrote to memory of 2232	2344	igofx.exe	34
PID 2344 wrote to memory of 2232	2344	igofx.exe	34
PID 2344 wrote to memory of 2232	2344	igofx.exe	34
PID 2344 wrote to memory of 2232	2344	igofx.exe	34
PID 2344 wrote to memory of 2232	2344	igofx.exe	34
PID 2344 wrote to memory of 340	2344	igofx.exe	35
PID 2344 wrote to memory of 340	2344	igofx.exe	35
PID 2344 wrote to memory of 340	2344	igofx.exe	35
PID 2344 wrote to memory of 340	2344	igofx.exe	35
PID 2344 wrote to memory of 340	2344	igofx.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e148f4fbeade7a304cf739445e645e95_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Users\Admin\AppData\Roaming\Amguta\igofx.exe
    "C:\Users\Admin\AppData\Roaming\Amguta\igofx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9644592e.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1308

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9644592e.bat

Filesize
271B

MD5
34d6f348f69f7db9d30998a50b99209b

SHA1
42acb8323dfa067cd250f66c1c72267499e528f0

SHA256
44dd3580590a3f02a22a41dc88a0ba2efbc8805548a86f4a9b599355bc16c502

SHA512
21734bfdb7dc4a0bf6fe85351a3ecf44cab9452fde3b61fe5f0d22a948370855371ed19fbbaf5e30be3e4750b0ca87e07040a0496f88a9792e36a84be5143b40

Download Submit
C:\Users\Admin\AppData\Roaming\Tusoq\oget.ymi

Filesize
380B

MD5
6e493533404c91e24c17decd606cefe3

SHA1
09a7b82b1a0e82a39cd9103d44295460a1945771

SHA256
a4e9fb4e15fd2c8cc5d1b3a10e42df0694f34022e63e033d54ce24c131ba3eb1

SHA512
ba6bade4ef5ea0621dfb79e8f4799343a8a188efc93c752247bd92ac01a10895fd26353bc28a9d0cd9a0a420909f2baae981eca196257fbea74e13b469a884f5

Download Submit
\Users\Admin\AppData\Roaming\Amguta\igofx.exe

Filesize
112KB

MD5
26bfd06d36a5bb125fcdfbcfcd52f887

SHA1
c1c1126bf8e8e17b54cf58dedb0c33b0f9ff131b

SHA256
7d85abb445047cccdd096cfc1b959f2b4009c0ca2df33152f1dc7b42a352080f

SHA512
dbb60327cdb77b5c69f43ee3195c191c3b7786001ab6f98987602062ba392696b53266dc150217d93dcd39b4a20369fd31137e9471746592b4eeefc7bdcfa292

Download Submit
memory/1112-12-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1112-20-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1112-18-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1112-16-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1112-14-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/1172-30-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1172-24-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1172-28-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1172-26-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/1196-35-0x0000000002480000-0x00000000024A5000-memory.dmp

Filesize
148KB

Download
memory/1196-33-0x0000000002480000-0x00000000024A5000-memory.dmp

Filesize
148KB

Download
memory/1196-34-0x0000000002480000-0x00000000024A5000-memory.dmp

Filesize
148KB

Download
memory/1196-36-0x0000000002480000-0x00000000024A5000-memory.dmp

Filesize
148KB

Download
memory/1308-43-0x0000000002170000-0x0000000002195000-memory.dmp

Filesize
148KB

Download
memory/1308-45-0x0000000002170000-0x0000000002195000-memory.dmp

Filesize
148KB

Download
memory/1308-39-0x0000000002170000-0x0000000002195000-memory.dmp

Filesize
148KB

Download
memory/1308-41-0x0000000002170000-0x0000000002195000-memory.dmp

Filesize
148KB

Download
memory/2344-9-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2344-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2344-266-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2496-71-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-48-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2496-50-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2496-52-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2496-54-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2496-56-0x00000000004A0000-0x00000000004C5000-memory.dmp

Filesize
148KB

Download
memory/2496-57-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-149-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/2496-61-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-150-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2496-63-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-65-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-67-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-69-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-0-0x00000000001C0000-0x00000000001E5000-memory.dmp

Filesize
148KB

Download
memory/2496-73-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-75-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2496-59-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2496-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2496-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download