a5f523a6a042bfbe234a1141ae3578f5e7dfc5231bb1fc9880b987f01c2d7989

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
Size

357KB
MD5

ea9a88126afcd149ad360c12b5674054
SHA1

aa34b9ef3e74c03fb5e2dccb82effc3d0a1f54d7
SHA256

a5f523a6a042bfbe234a1141ae3578f5e7dfc5231bb1fc9880b987f01c2d7989
SHA512

3239c64e2707ab4d3da6e3a6cba9437d8b199f8952d99fa8aac23610bae309f0513c2225e694a642357c087b8a2ce19990de9bc8c6cb104711110e8f72d22b2e
SSDEEP

6144:14//SpBmqHs3czyOxW8RjSqjAvzxCaQHkRx0ZjOEd4xEtpzbpG:14CpB9Hs3czfxW8B7jAv1CaXPIGGbE

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1388	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	obew.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Kegoub\\obew.exe"	obew.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obew.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe
2136	obew.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
2136	obew.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2136	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2136	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2136	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2136	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	30
PID 2136 wrote to memory of 1116	2136	obew.exe	19
PID 2136 wrote to memory of 1116	2136	obew.exe	19
PID 2136 wrote to memory of 1116	2136	obew.exe	19
PID 2136 wrote to memory of 1116	2136	obew.exe	19
PID 2136 wrote to memory of 1116	2136	obew.exe	19
PID 2136 wrote to memory of 1164	2136	obew.exe	20
PID 2136 wrote to memory of 1164	2136	obew.exe	20
PID 2136 wrote to memory of 1164	2136	obew.exe	20
PID 2136 wrote to memory of 1164	2136	obew.exe	20
PID 2136 wrote to memory of 1164	2136	obew.exe	20
PID 2136 wrote to memory of 1200	2136	obew.exe	21
PID 2136 wrote to memory of 1200	2136	obew.exe	21
PID 2136 wrote to memory of 1200	2136	obew.exe	21
PID 2136 wrote to memory of 1200	2136	obew.exe	21
PID 2136 wrote to memory of 1200	2136	obew.exe	21
PID 2136 wrote to memory of 1624	2136	obew.exe	23
PID 2136 wrote to memory of 1624	2136	obew.exe	23
PID 2136 wrote to memory of 1624	2136	obew.exe	23
PID 2136 wrote to memory of 1624	2136	obew.exe	23
PID 2136 wrote to memory of 1624	2136	obew.exe	23
PID 2136 wrote to memory of 2360	2136	obew.exe	29
PID 2136 wrote to memory of 2360	2136	obew.exe	29
PID 2136 wrote to memory of 2360	2136	obew.exe	29
PID 2136 wrote to memory of 2360	2136	obew.exe	29
PID 2136 wrote to memory of 2360	2136	obew.exe	29
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2360 wrote to memory of 1388	2360	ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe	31
PID 2136 wrote to memory of 2664	2136	obew.exe	34
PID 2136 wrote to memory of 2664	2136	obew.exe	34
PID 2136 wrote to memory of 2664	2136	obew.exe	34
PID 2136 wrote to memory of 2664	2136	obew.exe	34
PID 2136 wrote to memory of 2664	2136	obew.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea9a88126afcd149ad360c12b5674054_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Kegoub\obew.exe
    "C:\Users\Admin\AppData\Roaming\Kegoub\obew.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpac74e205.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpac74e205.bat

Filesize
271B

MD5
c6a38b47cf10c3bedf92bba619a43735

SHA1
f2e43b74793d78e3c490c29c7e2f26a178575762

SHA256
dbd50909882316420cbee9be4f8b8ee428b28363fdc05c421560fbea6a0b7050

SHA512
159df564d187895c5223d18ae8f44ae97ab04287dca29d9e331b7786560f5cd90ca3aee5fba7c10c7f59a31415e0525e700a3ace78ac9a7c6ccef59157d1c234

Download Submit
C:\Users\Admin\AppData\Roaming\Kegoub\obew.exe

Filesize
357KB

MD5
7c4693a7e5e898da199cef16c5d32c33

SHA1
829f015cbcbd8e7b341e75d2023d9331dcafb845

SHA256
8716eefde5046060c328246b2ff962c8caadddbd6294007de4f20ffe9a1b5b1e

SHA512
abbe8609dbd21fa9f6d8690049b33fc64cbff80b21d91d3819b302d07691cbdfc51df361503b61a92b0c2501dbba768ced1ca28844da15284930c4728378d8da

Download Submit
memory/1116-26-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1116-25-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1116-18-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1116-20-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1116-22-0x0000000002100000-0x0000000002144000-memory.dmp

Filesize
272KB

Download
memory/1164-36-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1164-30-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1164-34-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1164-32-0x0000000002180000-0x00000000021C4000-memory.dmp

Filesize
272KB

Download
memory/1200-40-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1200-39-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1200-41-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1200-42-0x0000000002E50000-0x0000000002E94000-memory.dmp

Filesize
272KB

Download
memory/1624-44-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1624-47-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1624-45-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1624-46-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/2136-287-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2136-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-140-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-76-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-66-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-64-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-62-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-60-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-58-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-56-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-54-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-53-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-51-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-50-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-49-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-72-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-74-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-70-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-78-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-137-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-163-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download
memory/2360-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-165-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-139-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2360-0-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2360-138-0x0000000077710000-0x0000000077711000-memory.dmp

Filesize
4KB

Download
memory/2360-52-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/2360-68-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2360-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-1-0x0000000000350000-0x00000000003B0000-memory.dmp

Filesize
384KB

Download