db53f0d7876e7cf4e6843711fd282832ce7987d37a993ef6aa77a709e91d1605

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
Size

355KB
MD5

eb5b151df085704648435c745b8f0fc5
SHA1

21352d3bf7234f5bec6afb58e99f642a9e35c5cc
SHA256

db53f0d7876e7cf4e6843711fd282832ce7987d37a993ef6aa77a709e91d1605
SHA512

0b68bc9bdf9066f53274724e1600927fe0b1cc9c00b4542e5f1a737989551af4f9faf6235cc49ad0d9e048f273bbedd8f7a43e29ba999362752d94fa02873d08
SSDEEP

6144:HWwMPKotB9uFq/4X0OQ6iQHWSRpjvpyoWlRlDqDjl4AFyO7QB79VulTweZQx:bEPB95/4g6ifSRPFWlRl2t4AyiQpA8ei

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1124	cuog.exe
2472	cuog.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Imqi\\cuog.exe"	cuog.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1124 set thread context of 2472	1124	cuog.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe
2472	cuog.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1676 wrote to memory of 1700	1676	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	30
PID 1700 wrote to memory of 1124	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	31
PID 1700 wrote to memory of 1124	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	31
PID 1700 wrote to memory of 1124	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	31
PID 1700 wrote to memory of 1124	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	31
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1124 wrote to memory of 2472	1124	cuog.exe	32
PID 1700 wrote to memory of 2760	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	33
PID 1700 wrote to memory of 2760	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	33
PID 1700 wrote to memory of 2760	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	33
PID 1700 wrote to memory of 2760	1700	eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe	33
PID 2472 wrote to memory of 1100	2472	cuog.exe	19
PID 2472 wrote to memory of 1100	2472	cuog.exe	19
PID 2472 wrote to memory of 1100	2472	cuog.exe	19
PID 2472 wrote to memory of 1100	2472	cuog.exe	19
PID 2472 wrote to memory of 1100	2472	cuog.exe	19
PID 2472 wrote to memory of 1164	2472	cuog.exe	20
PID 2472 wrote to memory of 1164	2472	cuog.exe	20
PID 2472 wrote to memory of 1164	2472	cuog.exe	20
PID 2472 wrote to memory of 1164	2472	cuog.exe	20
PID 2472 wrote to memory of 1164	2472	cuog.exe	20
PID 2472 wrote to memory of 1200	2472	cuog.exe	21
PID 2472 wrote to memory of 1200	2472	cuog.exe	21
PID 2472 wrote to memory of 1200	2472	cuog.exe	21
PID 2472 wrote to memory of 1200	2472	cuog.exe	21
PID 2472 wrote to memory of 1200	2472	cuog.exe	21
PID 2472 wrote to memory of 1020	2472	cuog.exe	25
PID 2472 wrote to memory of 1020	2472	cuog.exe	25
PID 2472 wrote to memory of 1020	2472	cuog.exe	25
PID 2472 wrote to memory of 1020	2472	cuog.exe	25
PID 2472 wrote to memory of 1020	2472	cuog.exe	25
PID 2472 wrote to memory of 2760	2472	cuog.exe	33
PID 2472 wrote to memory of 2760	2472	cuog.exe	33
PID 2472 wrote to memory of 2760	2472	cuog.exe	33
PID 2472 wrote to memory of 2760	2472	cuog.exe	33
PID 2472 wrote to memory of 2760	2472	cuog.exe	33
PID 2472 wrote to memory of 2132	2472	cuog.exe	34
PID 2472 wrote to memory of 2132	2472	cuog.exe	34
PID 2472 wrote to memory of 2132	2472	cuog.exe	34
PID 2472 wrote to memory of 2132	2472	cuog.exe	34
PID 2472 wrote to memory of 2132	2472	cuog.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb5b151df085704648435c745b8f0fc5_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Roaming\Imqi\cuog.exe
      "C:\Users\Admin\AppData\Roaming\Imqi\cuog.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Users\Admin\AppData\Roaming\Imqi\cuog.exe
        
        "C:\Users\Admin\AppData\Roaming\Imqi\cuog.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6b8beef0.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2760

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3652173771026720966-1818207092-2037999855-18856998522017659003-17711428-493320444"
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6b8beef0.bat

Filesize
271B

MD5
9411393a51b7a301bdfd9119b7df47d0

SHA1
bc180fa7dd682a87391820d948dfad54b104b409

SHA256
a1ca28312d7a09576efd5d84865555de7a379611f12fef2586fe0cc284b8c4d4

SHA512
ccdfcc16627718f05de922f81169284d421b3d67aeb5d8eea0815fa412deba66e0a9669cd2962f37e66a17263418fcd4142e8df6bf0e1dfa8f5ed0b767dd61b0

Download Submit
C:\Users\Admin\AppData\Roaming\Imqi\cuog.exe

Filesize
355KB

MD5
896f5d76d95ccd1584248d47dd69dc3a

SHA1
71bed32e67e1ca1c7f3522b58f221f5da36d62fb

SHA256
fc8e83d7f3efe268e6dcde6e434834e21e4a62baca43182d21eef79b7017ac01

SHA512
e2987d21e122d6933880aa76d97b60f5fcbd88238c30500e5607035d84bf72635c0b3c990184662e6a2a4a19bb9ee8c3739c031ba4030aa405840ab08777b730

Download Submit
memory/1020-82-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1020-83-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1020-81-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1020-84-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1100-63-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1100-60-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1100-57-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1100-61-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1124-46-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1124-32-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1164-73-0x00000000020C0000-0x0000000002104000-memory.dmp

Filesize
272KB

Download
memory/1164-67-0x00000000020C0000-0x0000000002104000-memory.dmp

Filesize
272KB

Download
memory/1164-69-0x00000000020C0000-0x0000000002104000-memory.dmp

Filesize
272KB

Download
memory/1164-71-0x00000000020C0000-0x0000000002104000-memory.dmp

Filesize
272KB

Download
memory/1200-79-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1200-78-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1200-77-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1200-76-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1676-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1676-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1676-15-0x00000000005B0000-0x000000000060E000-memory.dmp

Filesize
376KB

Download
memory/1676-113-0x00000000005B0000-0x000000000060E000-memory.dmp

Filesize
376KB

Download
memory/1700-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-25-0x0000000000390000-0x00000000003EE000-memory.dmp

Filesize
376KB

Download
memory/1700-31-0x0000000000390000-0x00000000003EE000-memory.dmp

Filesize
376KB

Download
memory/1700-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1700-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-54-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-86-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download