d4821b868eca163f5d645847bbf224003ea3479a4e3f6f3f408d9ac7f5420a69

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Size

142KB
MD5

e25dbd139b267dc08eb10c6e5a9e03ae
SHA1

daa0dbed95076fd223f02239ef71c4c679d1b923
SHA256

d4821b868eca163f5d645847bbf224003ea3479a4e3f6f3f408d9ac7f5420a69
SHA512

97a636cbd5f0628cd3723afb25feec0c6d09a07577a9126d1b49c63cc63e11e97fd542763512f3c6a8bc041bed648d81c8d5d64294879712bcc6bfafe69e2c77
SSDEEP

3072:3bnfJk5eMXmCQgxHgiTDXbpxWLTVqT6/X2YyQhIP0+pt3ImKSsTjnB:3bRkYCrHg6TfWfVYkmYV8t3cSsf

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	udag.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A3F6F898-D292-9675-AB66-51F843268974} = "C:\\Users\\Admin\\AppData\\Roaming\\Epox\\udag.exe"	udag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udag.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\02BD2977-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe
1900	udag.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Token: SeSecurityPrivilege	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Token: SeSecurityPrivilege	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2576	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2576	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1900	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1900	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1900	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	28
PID 2404 wrote to memory of 1900	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	28
PID 1900 wrote to memory of 1124	1900	udag.exe	19
PID 1900 wrote to memory of 1124	1900	udag.exe	19
PID 1900 wrote to memory of 1124	1900	udag.exe	19
PID 1900 wrote to memory of 1124	1900	udag.exe	19
PID 1900 wrote to memory of 1124	1900	udag.exe	19
PID 1900 wrote to memory of 1188	1900	udag.exe	20
PID 1900 wrote to memory of 1188	1900	udag.exe	20
PID 1900 wrote to memory of 1188	1900	udag.exe	20
PID 1900 wrote to memory of 1188	1900	udag.exe	20
PID 1900 wrote to memory of 1188	1900	udag.exe	20
PID 1900 wrote to memory of 1216	1900	udag.exe	21
PID 1900 wrote to memory of 1216	1900	udag.exe	21
PID 1900 wrote to memory of 1216	1900	udag.exe	21
PID 1900 wrote to memory of 1216	1900	udag.exe	21
PID 1900 wrote to memory of 1216	1900	udag.exe	21
PID 1900 wrote to memory of 1672	1900	udag.exe	23
PID 1900 wrote to memory of 1672	1900	udag.exe	23
PID 1900 wrote to memory of 1672	1900	udag.exe	23
PID 1900 wrote to memory of 1672	1900	udag.exe	23
PID 1900 wrote to memory of 1672	1900	udag.exe	23
PID 1900 wrote to memory of 2404	1900	udag.exe	27
PID 1900 wrote to memory of 2404	1900	udag.exe	27
PID 1900 wrote to memory of 2404	1900	udag.exe	27
PID 1900 wrote to memory of 2404	1900	udag.exe	27
PID 1900 wrote to memory of 2404	1900	udag.exe	27
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 2404 wrote to memory of 2952	2404	e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe	30
PID 1900 wrote to memory of 776	1900	udag.exe	34
PID 1900 wrote to memory of 776	1900	udag.exe	34
PID 1900 wrote to memory of 776	1900	udag.exe	34
PID 1900 wrote to memory of 776	1900	udag.exe	34
PID 1900 wrote to memory of 776	1900	udag.exe	34
PID 1900 wrote to memory of 1312	1900	udag.exe	35
PID 1900 wrote to memory of 1312	1900	udag.exe	35
PID 1900 wrote to memory of 1312	1900	udag.exe	35
PID 1900 wrote to memory of 1312	1900	udag.exe	35
PID 1900 wrote to memory of 1312	1900	udag.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e25dbd139b267dc08eb10c6e5a9e03ae_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Epox\udag.exe
    "C:\Users\Admin\AppData\Roaming\Epox\udag.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf238fa9b.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1672

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
b50b2a7a73be1257d0f9213e0b4f11ba

SHA1
85f6b1fc6d84345c8a2c12db6be274fb68341391

SHA256
6556655e5fa0e3ff12c14f3673aca120d14b3cfe3242e98e01b1cc9cf6382e46

SHA512
13988cd0e0cbf759dfa5c50905434098a552fcf8f3108bd24d3be2382c7d41882e28b8390bc70068ee2c8cbb596a187488718a3dbe5296812457b8db1e0c3db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpf238fa9b.bat

Filesize
271B

MD5
8476ba0d917341d383ccf7ac0c54f0c0

SHA1
93e41885cdce71d838f058a63df35bda8559fb29

SHA256
d0038df605141520c0339eb21798e9e442df5d62b1a99a663415a24bb9997525

SHA512
a9892ec90abbb3a601778b960b2afb0fcdc1b6baa809494fbeb0cbdeb8849b355ede879764e6ab1bf566133519f150faf2a3237e23de8ce667169d9a934d7742

Download Submit
C:\Users\Admin\AppData\Roaming\Quiviv\azhy.buh

Filesize
380B

MD5
6caaf13000eec549e7677e8426fde5d7

SHA1
4e479cbc08a01f23a7afa39d41591f6dabe6723c

SHA256
a3de0299487bc3a3475bf12a9475dc9dab3040f74485c820c62ca1843c66207b

SHA512
cacc1fb83cfdfc4280362e88440a65a79235528cd3531aee48250b0e80203365423d63c53858aaf3feec745a6334130c1872b2d058d290b23bcf81b32988f8d9

Download Submit
\Users\Admin\AppData\Roaming\Epox\udag.exe

Filesize
142KB

MD5
e1585f01b3276ae48666e7040f99337f

SHA1
24cc44719a8b412f0d077ee6ff4f49e353e34d00

SHA256
7b6f7071977b439dfa5e0ebc82702d25e34319770fda386a3c636ceab944801a

SHA512
33069ea8c5afb051466bfb842e875ab525d27a5a66ed5a6fe6db0c27ff8e64416b49a61f5fefcd4e07129be7c699f496c369a62ca6dd9a4dd4dc135a8322c4c9

Download Submit
memory/1124-24-0x0000000002130000-0x0000000002157000-memory.dmp

Filesize
156KB

Download
memory/1124-22-0x0000000002130000-0x0000000002157000-memory.dmp

Filesize
156KB

Download
memory/1124-20-0x0000000002130000-0x0000000002157000-memory.dmp

Filesize
156KB

Download
memory/1124-18-0x0000000002130000-0x0000000002157000-memory.dmp

Filesize
156KB

Download
memory/1124-17-0x0000000002130000-0x0000000002157000-memory.dmp

Filesize
156KB

Download
memory/1188-32-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1188-28-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1188-30-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1188-34-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1216-38-0x0000000002E40000-0x0000000002E67000-memory.dmp

Filesize
156KB

Download
memory/1216-40-0x0000000002E40000-0x0000000002E67000-memory.dmp

Filesize
156KB

Download
memory/1216-39-0x0000000002E40000-0x0000000002E67000-memory.dmp

Filesize
156KB

Download
memory/1216-37-0x0000000002E40000-0x0000000002E67000-memory.dmp

Filesize
156KB

Download
memory/1672-45-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1672-47-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1672-49-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1672-43-0x0000000001F30000-0x0000000001F57000-memory.dmp

Filesize
156KB

Download
memory/1900-13-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1900-174-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1900-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1900-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-79-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-52-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/2404-53-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/2404-54-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/2404-55-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/2404-56-0x0000000001C40000-0x0000000001C67000-memory.dmp

Filesize
156KB

Download
memory/2404-67-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-63-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-61-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-59-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-57-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-69-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-71-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-73-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-75-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-133-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-77-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2404-173-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2404-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-224-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2404-0-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download