632d25ea7d63b8d55839bde5c14d925683392a84667a2fef80189e4831b153ec

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
Size

151KB
MD5

e1a67ec853e196a09e9c88d0b71434dd
SHA1

b6cab77c17f42b2730d0bd6b5da3b6c9d17cbebc
SHA256

632d25ea7d63b8d55839bde5c14d925683392a84667a2fef80189e4831b153ec
SHA512

61c6d20ac964c4fae5caa8601ef0312f2d05e26a85e3d5464855f6843a8c4539f4d4bdb6b0b197d91f0ce47c48680a3fde11a2fa359fe4a7d78df2b17e61d548
SSDEEP

1536:q0LkQUCoQBl8nEvdaax5clE4EIi6aFfI6WtJKKD0SET4Bo7ouMLBcYfHGe6t7xwH:q6rsKtT4BE43HGNJyQkQDG1OxozJ2jKj

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
280	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	hazo.exe

Loads dropped DLL 2 IoCs

pid	Process
808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{EAEFBACA-481E-C008-2EBE-B8F45B2EC203} = "C:\\Users\\Admin\\AppData\\Roaming\\Irik\\hazo.exe"	hazo.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 280	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	44

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hazo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Privacy	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3CC87C34-00000001.eml:OECustomProperty	WinMail.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe
2872	hazo.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
Token: SeSecurityPrivilege	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
Token: SeSecurityPrivilege	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1216	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1216	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1216	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1216	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3004	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	30
PID 808 wrote to memory of 3004	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	30
PID 808 wrote to memory of 3004	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	30
PID 808 wrote to memory of 3004	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2896	3004	net.exe	32
PID 3004 wrote to memory of 2896	3004	net.exe	32
PID 3004 wrote to memory of 2896	3004	net.exe	32
PID 3004 wrote to memory of 2896	3004	net.exe	32
PID 808 wrote to memory of 2808	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	33
PID 808 wrote to memory of 2808	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	33
PID 808 wrote to memory of 2808	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	33
PID 808 wrote to memory of 2808	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	33
PID 2808 wrote to memory of 1128	2808	net.exe	35
PID 2808 wrote to memory of 1128	2808	net.exe	35
PID 2808 wrote to memory of 1128	2808	net.exe	35
PID 2808 wrote to memory of 1128	2808	net.exe	35
PID 808 wrote to memory of 2872	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	36
PID 808 wrote to memory of 2872	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	36
PID 808 wrote to memory of 2872	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	36
PID 808 wrote to memory of 2872	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	36
PID 2872 wrote to memory of 2752	2872	hazo.exe	37
PID 2872 wrote to memory of 2752	2872	hazo.exe	37
PID 2872 wrote to memory of 2752	2872	hazo.exe	37
PID 2872 wrote to memory of 2752	2872	hazo.exe	37
PID 2752 wrote to memory of 2892	2752	net.exe	39
PID 2752 wrote to memory of 2892	2752	net.exe	39
PID 2752 wrote to memory of 2892	2752	net.exe	39
PID 2752 wrote to memory of 2892	2752	net.exe	39
PID 2872 wrote to memory of 3040	2872	hazo.exe	40
PID 2872 wrote to memory of 3040	2872	hazo.exe	40
PID 2872 wrote to memory of 3040	2872	hazo.exe	40
PID 2872 wrote to memory of 3040	2872	hazo.exe	40
PID 2872 wrote to memory of 1104	2872	hazo.exe	19
PID 2872 wrote to memory of 1104	2872	hazo.exe	19
PID 2872 wrote to memory of 1104	2872	hazo.exe	19
PID 2872 wrote to memory of 1104	2872	hazo.exe	19
PID 2872 wrote to memory of 1104	2872	hazo.exe	19
PID 2872 wrote to memory of 1184	2872	hazo.exe	20
PID 2872 wrote to memory of 1184	2872	hazo.exe	20
PID 2872 wrote to memory of 1184	2872	hazo.exe	20
PID 2872 wrote to memory of 1184	2872	hazo.exe	20
PID 2872 wrote to memory of 1184	2872	hazo.exe	20
PID 2872 wrote to memory of 1268	2872	hazo.exe	21
PID 2872 wrote to memory of 1268	2872	hazo.exe	21
PID 2872 wrote to memory of 1268	2872	hazo.exe	21
PID 2872 wrote to memory of 1268	2872	hazo.exe	21
PID 2872 wrote to memory of 1268	2872	hazo.exe	21
PID 2872 wrote to memory of 1336	2872	hazo.exe	23
PID 2872 wrote to memory of 1336	2872	hazo.exe	23
PID 2872 wrote to memory of 1336	2872	hazo.exe	23
PID 2872 wrote to memory of 1336	2872	hazo.exe	23
PID 2872 wrote to memory of 1336	2872	hazo.exe	23
PID 2872 wrote to memory of 808	2872	hazo.exe	29
PID 2872 wrote to memory of 808	2872	hazo.exe	29
PID 2872 wrote to memory of 808	2872	hazo.exe	29
PID 2872 wrote to memory of 808	2872	hazo.exe	29
PID 2872 wrote to memory of 808	2872	hazo.exe	29
PID 3040 wrote to memory of 2220	3040	net.exe	42
PID 3040 wrote to memory of 2220	3040	net.exe	42
PID 3040 wrote to memory of 2220	3040	net.exe	42
PID 3040 wrote to memory of 2220	3040	net.exe	42
PID 808 wrote to memory of 280	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	44
PID 808 wrote to memory of 280	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	44
PID 808 wrote to memory of 280	808	e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe	44

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e1a67ec853e196a09e9c88d0b71434dd_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\net.exe
    net stop wscsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:1128
- - C:\Users\Admin\AppData\Roaming\Irik\hazo.exe
    "C:\Users\Admin\AppData\Roaming\Irik\hazo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1cbe575d.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1336

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
1282da03242f45e7aa481cfc5005f341

SHA1
747d72cae967d0a895f15119e6b53687e337ebd7

SHA256
b8be0c6f3213ecb1162892582b1d2c29ada06956ca7891f5feea0ad0178bd0bd

SHA512
3ebb0316b390cbbccf85fb5a9f6407f61bc5bfe6baa2ffe47d4161e4700adebe1f42a3c9d49df56b37b18d02da6e257a3363f8e3c97af826f0dd78f45ec4756b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1cbe575d.bat

Filesize
271B

MD5
41efc9709eb4da29014700ae8f23f24a

SHA1
c3df044e8f9425cd5420b32b5c4d18ba0e1d5507

SHA256
c796ff77cefb97b8a2db7078acf27c6e4ef81c1110ed58cff15a2bf7a2fa4131

SHA512
8e1426250fbed819e127fa815cf7ee5fb03f3fcc00a6b142c3ede4018fc8fcfb36fb5b654d5b563cf94db46cecdc944bfe70cd2aa046af829f86980e68c89d54

Download Submit
C:\Users\Admin\AppData\Roaming\Gabaa\yvlik.ahu

Filesize
380B

MD5
5d468fa898f84bd5f2436d8a90a1b690

SHA1
5e9ca966b2f685d5c787375315edd72c9ecd0bf0

SHA256
545831b588deccb47824fc2f7bf46a67c948362461f08a8bfa44acdae9be3d05

SHA512
15c6ad6d983ba9c43b0e560ec5529ad7281c074cf3e25ccc0af0f2debf88d7962daaed7fc80d6b919172b83fc5ebe2baa1aa5cb13f35c82e69777318296b889e

Download Submit
\Users\Admin\AppData\Roaming\Irik\hazo.exe

Filesize
151KB

MD5
0056f84922c15d71f63857d61a82e727

SHA1
d051cb3a8766ad106aea978beb3bb3edeb6c8482

SHA256
314e65a7aaf6960dd515241260bed814fb82abd5a525d5e8af75679158d1ad2f

SHA512
264b5ed511411c5be055a8e1be3cbca941ed9f09f20c92e4e19964a27a58cf869006bac1d8a26ea88b18fceb0ead6171ef086fda046c4ff582fa01fde8c1cc74

Download Submit
memory/808-54-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/808-51-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/808-3-0x0000000001E00000-0x0000000001E20000-memory.dmp

Filesize
128KB

Download
memory/808-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/808-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/808-248-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-249-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/808-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-0-0x0000000001E00000-0x0000000001E20000-memory.dmp

Filesize
128KB

Download
memory/808-50-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/808-57-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-53-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/808-52-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/808-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/808-55-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-81-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-79-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-77-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-75-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-73-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/808-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1104-25-0x00000000021F0000-0x0000000002218000-memory.dmp

Filesize
160KB

Download
memory/1104-27-0x00000000021F0000-0x0000000002218000-memory.dmp

Filesize
160KB

Download
memory/1104-21-0x00000000021F0000-0x0000000002218000-memory.dmp

Filesize
160KB

Download
memory/1104-19-0x00000000021F0000-0x0000000002218000-memory.dmp

Filesize
160KB

Download
memory/1104-23-0x00000000021F0000-0x0000000002218000-memory.dmp

Filesize
160KB

Download
memory/1184-31-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1184-35-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1184-33-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1184-37-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1268-42-0x0000000002E10000-0x0000000002E38000-memory.dmp

Filesize
160KB

Download
memory/1268-40-0x0000000002E10000-0x0000000002E38000-memory.dmp

Filesize
160KB

Download
memory/1268-41-0x0000000002E10000-0x0000000002E38000-memory.dmp

Filesize
160KB

Download
memory/1268-43-0x0000000002E10000-0x0000000002E38000-memory.dmp

Filesize
160KB

Download
memory/1336-48-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1336-45-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1336-46-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/1336-47-0x0000000001C30000-0x0000000001C58000-memory.dmp

Filesize
160KB

Download
memory/2872-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-356-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-357-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download