d6a880cb56f54b8a2d1172fa34c9731c8afa738bc2299899d7eb17166939accd

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
Size

116KB
MD5

eba0268af6b2db223efe4a91e4a150cf
SHA1

0ad1474892c4bfee4a9e05d9dcca0bc9db851924
SHA256

d6a880cb56f54b8a2d1172fa34c9731c8afa738bc2299899d7eb17166939accd
SHA512

197beceefd35ae52009656b2c010fee6fb41c8d00b36d186273b67d12382c1964f0e46bfa3e43be880c166296147729688c32a55133377bfd923c55a0e0c9bc0
SSDEEP

3072:3Nl5zhD+xJqpraouCgEFMFv5VA2fvTMVWRlZMV:f5d+2FhgE6FI2f+Ii

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1888	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	apef.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-0-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/files/0x000c0000000186c8-6.dat	upx
behavioral1/memory/2840-14-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/2840-15-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F5B5FB9B-5E19-877B-9EE8-A47121254123} = "C:\\Users\\Admin\\AppData\\Roaming\\Maoxi\\apef.exe"	apef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe
2840	apef.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
Token: SeSecurityPrivilege	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2840	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2840	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2840	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2840	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	30
PID 2840 wrote to memory of 1056	2840	apef.exe	18
PID 2840 wrote to memory of 1056	2840	apef.exe	18
PID 2840 wrote to memory of 1056	2840	apef.exe	18
PID 2840 wrote to memory of 1056	2840	apef.exe	18
PID 2840 wrote to memory of 1056	2840	apef.exe	18
PID 2840 wrote to memory of 1152	2840	apef.exe	20
PID 2840 wrote to memory of 1152	2840	apef.exe	20
PID 2840 wrote to memory of 1152	2840	apef.exe	20
PID 2840 wrote to memory of 1152	2840	apef.exe	20
PID 2840 wrote to memory of 1152	2840	apef.exe	20
PID 2840 wrote to memory of 1184	2840	apef.exe	21
PID 2840 wrote to memory of 1184	2840	apef.exe	21
PID 2840 wrote to memory of 1184	2840	apef.exe	21
PID 2840 wrote to memory of 1184	2840	apef.exe	21
PID 2840 wrote to memory of 1184	2840	apef.exe	21
PID 2840 wrote to memory of 1556	2840	apef.exe	25
PID 2840 wrote to memory of 1556	2840	apef.exe	25
PID 2840 wrote to memory of 1556	2840	apef.exe	25
PID 2840 wrote to memory of 1556	2840	apef.exe	25
PID 2840 wrote to memory of 1556	2840	apef.exe	25
PID 2840 wrote to memory of 2704	2840	apef.exe	29
PID 2840 wrote to memory of 2704	2840	apef.exe	29
PID 2840 wrote to memory of 2704	2840	apef.exe	29
PID 2840 wrote to memory of 2704	2840	apef.exe	29
PID 2840 wrote to memory of 2704	2840	apef.exe	29
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2704 wrote to memory of 1888	2704	eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe	31
PID 2840 wrote to memory of 1620	2840	apef.exe	33
PID 2840 wrote to memory of 1620	2840	apef.exe	33
PID 2840 wrote to memory of 1620	2840	apef.exe	33
PID 2840 wrote to memory of 1620	2840	apef.exe	33
PID 2840 wrote to memory of 1620	2840	apef.exe	33
PID 2840 wrote to memory of 2352	2840	apef.exe	34
PID 2840 wrote to memory of 2352	2840	apef.exe	34
PID 2840 wrote to memory of 2352	2840	apef.exe	34
PID 2840 wrote to memory of 2352	2840	apef.exe	34
PID 2840 wrote to memory of 2352	2840	apef.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1056

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\eba0268af6b2db223efe4a91e4a150cf_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Maoxi\apef.exe
    "C:\Users\Admin\AppData\Roaming\Maoxi\apef.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3b3574d0.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3b3574d0.bat

Filesize
271B

MD5
cea35f0de4dead345ca3a593af7c71cd

SHA1
b118df221fb227d62b0d5179edd21e5a49ab5cca

SHA256
e3052790d2d2ad2e1de285668ff8f657f6ce4e99c8ce8a8acc81aeee8fbe34c7

SHA512
655c8e989f6136edb3cc05f08afdae788b06582ff9d152250160b999cf9d308c7f5857f9632528b3c55643a710d8917ddcc19a72db6aa8b9b64437a5c2fe9e44

Download Submit
C:\Users\Admin\AppData\Roaming\Owuzez\gacut.kea

Filesize
380B

MD5
5338cfa5b255ad7c816136b8fbd8a1a1

SHA1
2b228e3e74e34c8864841c4ffdd5f719ea084ee1

SHA256
01c573bb21876e0f5a67649d339317863e67ff486e381eddac43999cb8889dc0

SHA512
5d8a7636f4097328d626cefcc482ace82e547539697003f6d0081b74cefaafe68559be1ea9d8522696f707c5755ec5e4d89c2009f528a911ad1426a6a7081c2d

Download Submit
\Users\Admin\AppData\Roaming\Maoxi\apef.exe

Filesize
116KB

MD5
001ea94a1fe401a2fec718b4a9589e29

SHA1
b46574e1f09cb1db08bc0347b69f719a149ef568

SHA256
84f347bb34035f535ea6b5d12c7101cb846a634fb634c3733ea5619d688e962e

SHA512
98cd43bfee05d03b96eae9f820d125e9ca2b71e8808d06cd2de42592228434b7bbb928b0329c7173128c6941d6cad1e10ebf6e3b20606fe1c494e94b2d17de63

Download Submit
memory/1056-18-0x0000000001FF0000-0x0000000002015000-memory.dmp

Filesize
148KB

Download
memory/1056-20-0x0000000001FF0000-0x0000000002015000-memory.dmp

Filesize
148KB

Download
memory/1056-22-0x0000000001FF0000-0x0000000002015000-memory.dmp

Filesize
148KB

Download
memory/1056-25-0x0000000001FF0000-0x0000000002015000-memory.dmp

Filesize
148KB

Download
memory/1056-26-0x0000000001FF0000-0x0000000002015000-memory.dmp

Filesize
148KB

Download
memory/1152-29-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1152-30-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1152-31-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1152-32-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1184-37-0x0000000002990000-0x00000000029B5000-memory.dmp

Filesize
148KB

Download
memory/1184-34-0x0000000002990000-0x00000000029B5000-memory.dmp

Filesize
148KB

Download
memory/1184-35-0x0000000002990000-0x00000000029B5000-memory.dmp

Filesize
148KB

Download
memory/1184-36-0x0000000002990000-0x00000000029B5000-memory.dmp

Filesize
148KB

Download
memory/1556-42-0x0000000001D80000-0x0000000001DA5000-memory.dmp

Filesize
148KB

Download
memory/1556-43-0x0000000001D80000-0x0000000001DA5000-memory.dmp

Filesize
148KB

Download
memory/1556-41-0x0000000001D80000-0x0000000001DA5000-memory.dmp

Filesize
148KB

Download
memory/1556-40-0x0000000001D80000-0x0000000001DA5000-memory.dmp

Filesize
148KB

Download
memory/2704-58-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-65-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-46-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/2704-47-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/2704-1-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2704-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2704-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2704-12-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2704-67-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-81-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-79-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-77-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-75-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-73-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-45-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/2704-71-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2704-69-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-63-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-61-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2704-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2704-56-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-54-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-52-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-50-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2704-49-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/2704-48-0x0000000000250000-0x0000000000275000-memory.dmp

Filesize
148KB

Download
memory/2840-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2840-251-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download