742177d870475f601c0813ec66829b562f90b9ff94522db0d4504b952d2392e9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
Size

321KB
MD5

e9d2513226f067473b8a7be8fb3690a9
SHA1

026be9126ffd39591f39c9e06bda3a07d95db95c
SHA256

742177d870475f601c0813ec66829b562f90b9ff94522db0d4504b952d2392e9
SHA512

ff05cb41808d26862f2920797fa12af5f104547e7cff4d2a43ed9302c0bd3eda6f354552021d9b563503fff388e30b59f48b6e0128ca89ff61f9f6865e36db8c
SSDEEP

6144:/T+FQotd7PswMHScIOq1G/PFRnC2CkErfoW:SFhtgycBqwFRC2gcW

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
560	yvoci.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Vuuv\\yvoci.exe"	yvoci.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvoci.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe
560	yvoci.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
560	yvoci.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 560	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	30
PID 1952 wrote to memory of 560	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	30
PID 1952 wrote to memory of 560	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	30
PID 1952 wrote to memory of 560	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	30
PID 560 wrote to memory of 1108	560	yvoci.exe	19
PID 560 wrote to memory of 1108	560	yvoci.exe	19
PID 560 wrote to memory of 1108	560	yvoci.exe	19
PID 560 wrote to memory of 1108	560	yvoci.exe	19
PID 560 wrote to memory of 1108	560	yvoci.exe	19
PID 560 wrote to memory of 1156	560	yvoci.exe	20
PID 560 wrote to memory of 1156	560	yvoci.exe	20
PID 560 wrote to memory of 1156	560	yvoci.exe	20
PID 560 wrote to memory of 1156	560	yvoci.exe	20
PID 560 wrote to memory of 1156	560	yvoci.exe	20
PID 560 wrote to memory of 1188	560	yvoci.exe	21
PID 560 wrote to memory of 1188	560	yvoci.exe	21
PID 560 wrote to memory of 1188	560	yvoci.exe	21
PID 560 wrote to memory of 1188	560	yvoci.exe	21
PID 560 wrote to memory of 1188	560	yvoci.exe	21
PID 560 wrote to memory of 1552	560	yvoci.exe	25
PID 560 wrote to memory of 1552	560	yvoci.exe	25
PID 560 wrote to memory of 1552	560	yvoci.exe	25
PID 560 wrote to memory of 1552	560	yvoci.exe	25
PID 560 wrote to memory of 1552	560	yvoci.exe	25
PID 560 wrote to memory of 1952	560	yvoci.exe	29
PID 560 wrote to memory of 1952	560	yvoci.exe	29
PID 560 wrote to memory of 1952	560	yvoci.exe	29
PID 560 wrote to memory of 1952	560	yvoci.exe	29
PID 560 wrote to memory of 1952	560	yvoci.exe	29
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 1952 wrote to memory of 1736	1952	e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe	31
PID 560 wrote to memory of 2680	560	yvoci.exe	34
PID 560 wrote to memory of 2680	560	yvoci.exe	34
PID 560 wrote to memory of 2680	560	yvoci.exe	34
PID 560 wrote to memory of 2680	560	yvoci.exe	34
PID 560 wrote to memory of 2680	560	yvoci.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e9d2513226f067473b8a7be8fb3690a9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Roaming\Vuuv\yvoci.exe
    "C:\Users\Admin\AppData\Roaming\Vuuv\yvoci.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe65521a2.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe65521a2.bat

Filesize
271B

MD5
8db14a567125c54185661c14c8d2ee02

SHA1
ac6818074320080b6a71ca984fa7e79b1fd01900

SHA256
3a953a537ad0554ae8fc9f0d953accb8d7439423576294ecfdc6aae45f4c6dc5

SHA512
2f67c5ccd4f9ea5c3192a38451517fb4b333d900f7b88ff2068f35ef9e63a24fdeb646ffe54c71123cff92d324d267c0ff8afda66de1527a729916aea20e2989

Download Submit
\Users\Admin\AppData\Roaming\Vuuv\yvoci.exe

Filesize
321KB

MD5
38e3fd9fd9f084f6ca0e337f7c139f67

SHA1
fe910e293f57568edbe95495cf4774c8ee16412a

SHA256
70f100e5db2dfae771aebc3f83f5fb146ad00a1529f088da154c1d97498f3d5c

SHA512
fcc3896b15a80bd3a07a363efa3cbf76140c042345f09c908ce7fd805d9e54bf9402889a84e8c2b2254352c4d7a7023e7ecf56dddeb3b6c21e080501fb2143e6

Download Submit
memory/560-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/560-16-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/560-17-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/560-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-19-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1108-20-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1108-21-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1108-22-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1108-23-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1156-26-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1156-28-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1156-30-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1156-32-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-38-0x0000000002590000-0x00000000025D4000-memory.dmp

Filesize
272KB

Download
memory/1188-35-0x0000000002590000-0x00000000025D4000-memory.dmp

Filesize
272KB

Download
memory/1188-36-0x0000000002590000-0x00000000025D4000-memory.dmp

Filesize
272KB

Download
memory/1188-37-0x0000000002590000-0x00000000025D4000-memory.dmp

Filesize
272KB

Download
memory/1552-43-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1552-40-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1552-41-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1552-42-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1952-158-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1952-77-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-55-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-54-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1952-52-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1952-50-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1952-48-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1952-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-67-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-69-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-75-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-59-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-157-0x0000000000370000-0x00000000003C6000-memory.dmp

Filesize
344KB

Download
memory/1952-1-0x0000000000370000-0x00000000003C6000-memory.dmp

Filesize
344KB

Download
memory/1952-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-79-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-139-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-138-0x0000000077070000-0x0000000077071000-memory.dmp

Filesize
4KB

Download
memory/1952-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-46-0x0000000000600000-0x0000000000644000-memory.dmp

Filesize
272KB

Download
memory/1952-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-0-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download