bd14c899dcd941ffd5b470adb3400396849a471627b2d7797544ece5c054211f

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
Size

290KB
MD5

ea8458b36abbb60451fd69f1f096de6f
SHA1

962d8e39de78f7f39175c3d3e892a1680a3feb3e
SHA256

bd14c899dcd941ffd5b470adb3400396849a471627b2d7797544ece5c054211f
SHA512

a576fa09af1c7c2ab9beb1089aa5ad92659852bde6b7f862ea4f7054f022ad09e000de42b9219b8fb6f348226707dd25273b120f00849352a9fa10e96a6c2ff3
SSDEEP

6144:BXklvdqWLqOKp/B5RyaynzgvGq6JhW7xQgtm0DTiUWJ:BXk/zL8/B5YzFHWtmDB

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1368	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	yzkoi.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Afoc\\yzkoi.exe"	yzkoi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe
2808	yzkoi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
2808	yzkoi.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2808	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2808	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2808	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	30
PID 2312 wrote to memory of 2808	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	30
PID 2808 wrote to memory of 1116	2808	yzkoi.exe	19
PID 2808 wrote to memory of 1116	2808	yzkoi.exe	19
PID 2808 wrote to memory of 1116	2808	yzkoi.exe	19
PID 2808 wrote to memory of 1116	2808	yzkoi.exe	19
PID 2808 wrote to memory of 1116	2808	yzkoi.exe	19
PID 2808 wrote to memory of 1168	2808	yzkoi.exe	20
PID 2808 wrote to memory of 1168	2808	yzkoi.exe	20
PID 2808 wrote to memory of 1168	2808	yzkoi.exe	20
PID 2808 wrote to memory of 1168	2808	yzkoi.exe	20
PID 2808 wrote to memory of 1168	2808	yzkoi.exe	20
PID 2808 wrote to memory of 1236	2808	yzkoi.exe	21
PID 2808 wrote to memory of 1236	2808	yzkoi.exe	21
PID 2808 wrote to memory of 1236	2808	yzkoi.exe	21
PID 2808 wrote to memory of 1236	2808	yzkoi.exe	21
PID 2808 wrote to memory of 1236	2808	yzkoi.exe	21
PID 2808 wrote to memory of 1636	2808	yzkoi.exe	25
PID 2808 wrote to memory of 1636	2808	yzkoi.exe	25
PID 2808 wrote to memory of 1636	2808	yzkoi.exe	25
PID 2808 wrote to memory of 1636	2808	yzkoi.exe	25
PID 2808 wrote to memory of 1636	2808	yzkoi.exe	25
PID 2808 wrote to memory of 2312	2808	yzkoi.exe	29
PID 2808 wrote to memory of 2312	2808	yzkoi.exe	29
PID 2808 wrote to memory of 2312	2808	yzkoi.exe	29
PID 2808 wrote to memory of 2312	2808	yzkoi.exe	29
PID 2808 wrote to memory of 2312	2808	yzkoi.exe	29
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31
PID 2312 wrote to memory of 1368	2312	ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1236
- C:\Users\Admin\AppData\Local\Temp\ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea8458b36abbb60451fd69f1f096de6f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Roaming\Afoc\yzkoi.exe
    "C:\Users\Admin\AppData\Roaming\Afoc\yzkoi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe09715e0.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe09715e0.bat

Filesize
271B

MD5
23d6d38cc667bc3e5746e4d32752d55d

SHA1
53f3bd65d591bdca6efd42ac7f504940a2a01905

SHA256
69ffd2798cd7a02879041c3a9da4ddc93d7559da4e19845e4d9eddb3d585a595

SHA512
18d9a370ab97cc5b0a73f33d3ec28248ecfe1e1e9583cb45a80e2a8f5e4962e942d1fb00ae1863b5da095b98bf5fd8f0e1b0337f91e166d9902e69e38c65cede

Download Submit
C:\Users\Admin\AppData\Roaming\Afoc\yzkoi.exe

Filesize
290KB

MD5
e27c80c51573245a91cd89b9abd73c88

SHA1
2b63a17ac1ade1959aa41bb47a162ca4ecce83c3

SHA256
f1ce1bec5823e15785f82d0be5054481e4cc2d025958e371b37f4b19bea54633

SHA512
2bd1149ff1c11546a60ada557026db4a580a33bdcbe609d7ec71260a901c0f757f92a52cd723a86808788fa4e7e6667e2d3af659302bb5778939ec8bdb334fde

Download Submit
C:\Users\Admin\AppData\Roaming\Nayfi\okqyp.ylp

Filesize
380B

MD5
e5335292ef00eb10864aae6faee9de74

SHA1
cfe1356ee631f1e30d2d4a2ef5e8e9260a0a1471

SHA256
0ba48b87863cccb93b31f6c44afb8e90d50d0f25a8192b42440ad65d6756e3ae

SHA512
e0003b6d0f71b60cc1eb051d899d29d9d76d1ab79f1b31ee87d4bebb9e728b6def632e08506f640db98fba19955ae09c9dfbdff7cb92df49166dfdf9ae9006d1

Download Submit
memory/1116-17-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1116-19-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1116-22-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1116-27-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1116-24-0x0000000002010000-0x0000000002051000-memory.dmp

Filesize
260KB

Download
memory/1168-37-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/1168-35-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/1168-33-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/1168-31-0x0000000001DC0000-0x0000000001E01000-memory.dmp

Filesize
260KB

Download
memory/1236-40-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1236-41-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1236-42-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1236-43-0x0000000002490000-0x00000000024D1000-memory.dmp

Filesize
260KB

Download
memory/1636-49-0x0000000001E00000-0x0000000001E41000-memory.dmp

Filesize
260KB

Download
memory/1636-46-0x0000000001E00000-0x0000000001E41000-memory.dmp

Filesize
260KB

Download
memory/1636-47-0x0000000001E00000-0x0000000001E41000-memory.dmp

Filesize
260KB

Download
memory/1636-48-0x0000000001E00000-0x0000000001E41000-memory.dmp

Filesize
260KB

Download
memory/2312-80-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-78-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-72-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-70-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-60-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-58-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-56-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-54-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-53-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-52-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-51-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-74-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-76-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-73-0x0000000077190000-0x0000000077191000-memory.dmp

Filesize
4KB

Download
memory/2312-162-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/2312-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-164-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-1-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/2312-138-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-82-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2312-55-0x0000000001E90000-0x0000000001ED1000-memory.dmp

Filesize
260KB

Download
memory/2312-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-0-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2312-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-20-0x0000000001C60000-0x0000000001CAD000-memory.dmp

Filesize
308KB

Download
memory/2808-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2808-16-0x0000000001C10000-0x0000000001C51000-memory.dmp

Filesize
260KB

Download
memory/2808-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download