43b84b19a518850837a68b4fef8154acaa859a60aad052c872177346be0f1ff1

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Size

85KB
MD5

ea7ee02e2f4c46062b37d80748ed5d86
SHA1

08c9caf57077a4e96d5cb0dff1a7ca02e3ea0283
SHA256

43b84b19a518850837a68b4fef8154acaa859a60aad052c872177346be0f1ff1
SHA512

49b20077e0a37183b514556ac7e155d3dcdd2c8022cdabf33313249d56eee5904e553e962d15f824bb5af818d80f21e4e84ee60ab0157d03b9dda9efe670e6f4
SSDEEP

1536:OvTu6HYjXgHgXfzao2fgUwr+PG0F0b2eo3MBdweVKY/UfoJ:AYMHgYc+f0b2H3MBd/r

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	co39e.exe

Loads dropped DLL 2 IoCs

pid	Process
2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{82EFB4B7-B92F-B848-DD4C-3A868D0742BE} = "C:\\Users\\Admin\\AppData\\Roaming\\17488\\co39e.exe"	co39e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2292 set thread context of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe
2860	co39e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2860	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2860	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2860	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	31
PID 2292 wrote to memory of 2860	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	31
PID 2860 wrote to memory of 1104	2860	co39e.exe	19
PID 2860 wrote to memory of 1104	2860	co39e.exe	19
PID 2860 wrote to memory of 1104	2860	co39e.exe	19
PID 2860 wrote to memory of 1104	2860	co39e.exe	19
PID 2860 wrote to memory of 1104	2860	co39e.exe	19
PID 2860 wrote to memory of 1164	2860	co39e.exe	20
PID 2860 wrote to memory of 1164	2860	co39e.exe	20
PID 2860 wrote to memory of 1164	2860	co39e.exe	20
PID 2860 wrote to memory of 1164	2860	co39e.exe	20
PID 2860 wrote to memory of 1164	2860	co39e.exe	20
PID 2860 wrote to memory of 1192	2860	co39e.exe	21
PID 2860 wrote to memory of 1192	2860	co39e.exe	21
PID 2860 wrote to memory of 1192	2860	co39e.exe	21
PID 2860 wrote to memory of 1192	2860	co39e.exe	21
PID 2860 wrote to memory of 1192	2860	co39e.exe	21
PID 2860 wrote to memory of 1228	2860	co39e.exe	23
PID 2860 wrote to memory of 1228	2860	co39e.exe	23
PID 2860 wrote to memory of 1228	2860	co39e.exe	23
PID 2860 wrote to memory of 1228	2860	co39e.exe	23
PID 2860 wrote to memory of 1228	2860	co39e.exe	23
PID 2860 wrote to memory of 2292	2860	co39e.exe	29
PID 2860 wrote to memory of 2292	2860	co39e.exe	29
PID 2860 wrote to memory of 2292	2860	co39e.exe	29
PID 2860 wrote to memory of 2292	2860	co39e.exe	29
PID 2860 wrote to memory of 2292	2860	co39e.exe	29
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2292 wrote to memory of 2836	2292	ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2332	2860	co39e.exe	34
PID 2860 wrote to memory of 2332	2860	co39e.exe	34
PID 2860 wrote to memory of 2332	2860	co39e.exe	34
PID 2860 wrote to memory of 2332	2860	co39e.exe	34
PID 2860 wrote to memory of 2332	2860	co39e.exe	34
PID 2860 wrote to memory of 1784	2860	co39e.exe	35
PID 2860 wrote to memory of 1784	2860	co39e.exe	35
PID 2860 wrote to memory of 1784	2860	co39e.exe	35
PID 2860 wrote to memory of 1784	2860	co39e.exe	35
PID 2860 wrote to memory of 1784	2860	co39e.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea7ee02e2f4c46062b37d80748ed5d86_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\17488\co39e.exe
    "C:\Users\Admin\AppData\Roaming\17488\co39e.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp41039126.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp41039126.bat

Filesize
271B

MD5
6f18a9b6254cb125d9e1b371ab4ffec6

SHA1
7d2519dd4b69e738a433416267fe90aeb4f0686c

SHA256
09b33533e36eded2df209d21a93b551408f650df4e464e06d554f6859c51f4ec

SHA512
fa8d6b61cd986ce4cdd7efa9307e1742ee21f156de19ef58f146457b026e884edb9c43a7f3992c73fb6cae672f9ca832609df95f8219a07b00af193b914f49e4

Download Submit
\Users\Admin\AppData\Roaming\17488\co39e.exe

Filesize
85KB

MD5
85f94e83d3ded29a2d7447eaa8b57ef4

SHA1
df33fa9aa14448b0e79991a970c13c7c4ba9f542

SHA256
6fce25655e2c2d36b390cce43fd9c5ea6117f29029976915d4358a7684f61f77

SHA512
3073a31a6aeacb5fdafbd879bed92d50ae6f816dc75f48ae4744e0f105e1ab27c9cdfb18efaf4f33e450a0361f9e1e5e2766bbc8e3c78d2b23014380495c5d6d

Download Submit
memory/1104-20-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1104-19-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1104-21-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1104-22-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1104-18-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1164-31-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1164-27-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1164-29-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1164-25-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1192-36-0x0000000002550000-0x0000000002564000-memory.dmp

Filesize
80KB

Download
memory/1192-34-0x0000000002550000-0x0000000002564000-memory.dmp

Filesize
80KB

Download
memory/1192-37-0x0000000002550000-0x0000000002564000-memory.dmp

Filesize
80KB

Download
memory/1192-35-0x0000000002550000-0x0000000002564000-memory.dmp

Filesize
80KB

Download
memory/1228-46-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/2292-56-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/2292-76-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2292-15-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2292-91-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2292-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2292-0-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2292-58-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/2292-54-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/2292-53-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/2292-50-0x00000000005F0000-0x0000000000604000-memory.dmp

Filesize
80KB

Download
memory/2292-2-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2292-82-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-80-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-78-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-74-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-72-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-70-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2292-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-63-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2292-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2836-94-0x0000000000050000-0x0000000000064000-memory.dmp

Filesize
80KB

Download
memory/2836-120-0x0000000000050000-0x0000000000064000-memory.dmp

Filesize
80KB

Download
memory/2836-119-0x0000000077660000-0x0000000077661000-memory.dmp

Filesize
4KB

Download
memory/2860-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2860-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2860-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2860-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download