721778ca9d9c2a547e534f7b3ec2c3064f27d689a331b7e51e7fd191ea141ba1

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
Size

295KB
MD5

eb1be45ca74b636121d6feb21fced212
SHA1

05b5d2d50ad24a19fd66e4eaf3170442635b2e8e
SHA256

721778ca9d9c2a547e534f7b3ec2c3064f27d689a331b7e51e7fd191ea141ba1
SHA512

d4752e10f2a0abc4052af1a8061926fa9b921d7c8b8e7e4b9744680bd17bae611e43d2b549ce1847cb218e017064e14f9e3b977591a7451d12ddbadc4319db33
SSDEEP

6144:PiGtsLNAlqNC+M+1PTG/qm/PgCnmUSFMhl4b+M/oI29uKw:6GtsLKt+x1PTEn/iUSFM8b+rI25w

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	ylxu.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D82C35C8-3C80-AD4F-E5F4-3B51F60A184C} = "C:\\Users\\Admin\\AppData\\Roaming\\Ewidpy\\ylxu.exe"	ylxu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylxu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe
1540	ylxu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
1540	ylxu.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1540	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	28
PID 1364 wrote to memory of 1540	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	28
PID 1364 wrote to memory of 1540	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	28
PID 1364 wrote to memory of 1540	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	28
PID 1540 wrote to memory of 1100	1540	ylxu.exe	19
PID 1540 wrote to memory of 1100	1540	ylxu.exe	19
PID 1540 wrote to memory of 1100	1540	ylxu.exe	19
PID 1540 wrote to memory of 1100	1540	ylxu.exe	19
PID 1540 wrote to memory of 1100	1540	ylxu.exe	19
PID 1540 wrote to memory of 1140	1540	ylxu.exe	20
PID 1540 wrote to memory of 1140	1540	ylxu.exe	20
PID 1540 wrote to memory of 1140	1540	ylxu.exe	20
PID 1540 wrote to memory of 1140	1540	ylxu.exe	20
PID 1540 wrote to memory of 1140	1540	ylxu.exe	20
PID 1540 wrote to memory of 1204	1540	ylxu.exe	21
PID 1540 wrote to memory of 1204	1540	ylxu.exe	21
PID 1540 wrote to memory of 1204	1540	ylxu.exe	21
PID 1540 wrote to memory of 1204	1540	ylxu.exe	21
PID 1540 wrote to memory of 1204	1540	ylxu.exe	21
PID 1540 wrote to memory of 1212	1540	ylxu.exe	23
PID 1540 wrote to memory of 1212	1540	ylxu.exe	23
PID 1540 wrote to memory of 1212	1540	ylxu.exe	23
PID 1540 wrote to memory of 1212	1540	ylxu.exe	23
PID 1540 wrote to memory of 1212	1540	ylxu.exe	23
PID 1540 wrote to memory of 1364	1540	ylxu.exe	27
PID 1540 wrote to memory of 1364	1540	ylxu.exe	27
PID 1540 wrote to memory of 1364	1540	ylxu.exe	27
PID 1540 wrote to memory of 1364	1540	ylxu.exe	27
PID 1540 wrote to memory of 1364	1540	ylxu.exe	27
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29
PID 1364 wrote to memory of 3040	1364	eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb1be45ca74b636121d6feb21fced212_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Roaming\Ewidpy\ylxu.exe
    "C:\Users\Admin\AppData\Roaming\Ewidpy\ylxu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp286f364d.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp286f364d.bat

Filesize
271B

MD5
ff430c80d1dedbd0e95a144585e4dbff

SHA1
efa99edce7128f4aeba896548b14fa9316ac6a77

SHA256
82266cfa83734411d21b863b257cbb8ab3f6546ac47aafa22e8e027c292a171f

SHA512
36bdc87c64d87692dfdd655b5934c3744c9a30080067de42271805df10b2bb53cc42b8fd073f8207a2c147640c30f9e0dc9f0ab1b14a54bf13fc51f0293d15ea

Download Submit
C:\Users\Admin\AppData\Roaming\Ewidpy\ylxu.exe

Filesize
295KB

MD5
f8519be9477a14d4e4b89773a5c71640

SHA1
14bddbc8b445a400db20078a9d0dec9a5f106308

SHA256
fdeb032c316976ee8e2cb9e8ff22a49a8c69c284e33f58d3ea27695f797bf632

SHA512
7a0271de4dae9cc8895f7c02e02fb103ac90481352324c8fb76062d6f8cc19a43ab4f1273f4ba559981435d86dfb6eee439d1a29e2f59ce8314f90e57ba27b5b

Download Submit
memory/1100-22-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1100-18-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1100-19-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1100-20-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1100-21-0x0000000001FB0000-0x0000000001FF4000-memory.dmp

Filesize
272KB

Download
memory/1140-29-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1140-25-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1140-31-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1140-27-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1204-34-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1204-35-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1204-36-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1204-37-0x0000000002D70000-0x0000000002DB4000-memory.dmp

Filesize
272KB

Download
memory/1212-42-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1212-39-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1212-40-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1212-41-0x0000000001DE0000-0x0000000001E24000-memory.dmp

Filesize
272KB

Download
memory/1364-81-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-73-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-71-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-57-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-53-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-51-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-49-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-47-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-46-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-45-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-158-0x0000000001C40000-0x0000000001C8E000-memory.dmp

Filesize
312KB

Download
memory/1364-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-160-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-135-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-1-0x0000000001C40000-0x0000000001C8E000-memory.dmp

Filesize
312KB

Download
memory/1364-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-63-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1364-58-0x0000000077800000-0x0000000077801000-memory.dmp

Filesize
4KB

Download
memory/1364-48-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-0-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1364-44-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1364-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1540-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1540-282-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1540-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download