785b00696c27b02b78947f8d87e25882e7d09c82415e5d5e85a7240b4c95bfe1

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 17:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
Size

227KB
MD5

ebdd7b7071ff7b986e435a04a24e52b5
SHA1

26f103331c03722cedd82fc6eda52b269ff4db98
SHA256

785b00696c27b02b78947f8d87e25882e7d09c82415e5d5e85a7240b4c95bfe1
SHA512

ff78017896bb7040aa57fe35a7c64a4cd8b34897335e41c94f254ae65b4a53d149129da4edde8a4163ea9f9609a5775ceb15eacd937fe30014044a44fa5e4e5b
SSDEEP

3072:h6NDlMLzm/FdDgIkLfrCEXfBhBkiUFht/e3vp6c8K90s+c+WJbiZ90ufzy12vbGs:h6kvocI4x3UFhw/D0su0mX5fuCDF

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2680	netsh.exe

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	ohewoz.exe
2432	ohewoz.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{26ED9385-6E5C-F9A6-37F2-7F02FCF32B65} = "C:\\Users\\Admin\\AppData\\Roaming\\Layw\\ohewoz.exe"	ohewoz.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2568 set thread context of 2432	2568	ohewoz.exe	35

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohewoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohewoz.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe
2432	ohewoz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2732	2132	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2804	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2804	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2804	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2804	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2568	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2568	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2568	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	33
PID 2732 wrote to memory of 2568	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	33
PID 2804 wrote to memory of 2680	2804	cmd.exe	34
PID 2804 wrote to memory of 2680	2804	cmd.exe	34
PID 2804 wrote to memory of 2680	2804	cmd.exe	34
PID 2804 wrote to memory of 2680	2804	cmd.exe	34
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2568 wrote to memory of 2432	2568	ohewoz.exe	35
PID 2732 wrote to memory of 1688	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	36
PID 2732 wrote to memory of 1688	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	36
PID 2732 wrote to memory of 1688	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	36
PID 2732 wrote to memory of 1688	2732	ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe	36
PID 2432 wrote to memory of 1100	2432	ohewoz.exe	19
PID 2432 wrote to memory of 1100	2432	ohewoz.exe	19
PID 2432 wrote to memory of 1100	2432	ohewoz.exe	19
PID 2432 wrote to memory of 1100	2432	ohewoz.exe	19
PID 2432 wrote to memory of 1100	2432	ohewoz.exe	19
PID 2432 wrote to memory of 1176	2432	ohewoz.exe	20
PID 2432 wrote to memory of 1176	2432	ohewoz.exe	20
PID 2432 wrote to memory of 1176	2432	ohewoz.exe	20
PID 2432 wrote to memory of 1176	2432	ohewoz.exe	20
PID 2432 wrote to memory of 1176	2432	ohewoz.exe	20
PID 2432 wrote to memory of 1212	2432	ohewoz.exe	21
PID 2432 wrote to memory of 1212	2432	ohewoz.exe	21
PID 2432 wrote to memory of 1212	2432	ohewoz.exe	21
PID 2432 wrote to memory of 1212	2432	ohewoz.exe	21
PID 2432 wrote to memory of 1212	2432	ohewoz.exe	21
PID 2432 wrote to memory of 1284	2432	ohewoz.exe	25
PID 2432 wrote to memory of 1284	2432	ohewoz.exe	25
PID 2432 wrote to memory of 1284	2432	ohewoz.exe	25
PID 2432 wrote to memory of 1284	2432	ohewoz.exe	25
PID 2432 wrote to memory of 1284	2432	ohewoz.exe	25
PID 2432 wrote to memory of 1688	2432	ohewoz.exe	36
PID 2432 wrote to memory of 1688	2432	ohewoz.exe	36
PID 2432 wrote to memory of 1688	2432	ohewoz.exe	36
PID 2432 wrote to memory of 1688	2432	ohewoz.exe	36
PID 2432 wrote to memory of 1688	2432	ohewoz.exe	36
PID 2432 wrote to memory of 2596	2432	ohewoz.exe	37
PID 2432 wrote to memory of 2596	2432	ohewoz.exe	37
PID 2432 wrote to memory of 2596	2432	ohewoz.exe	37
PID 2432 wrote to memory of 2596	2432	ohewoz.exe	37
PID 2432 wrote to memory of 2596	2432	ohewoz.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\ebdd7b7071ff7b986e435a04a24e52b5_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaa5382d4.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Layw\ohewoz.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
  - - C:\Users\Admin\AppData\Roaming\Layw\ohewoz.exe
      "C:\Users\Admin\AppData\Roaming\Layw\ohewoz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\Layw\ohewoz.exe
        
        C:\Users\Admin\AppData\Roaming\Layw\ohewoz.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd874ec0d.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:1688

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "114767333013063631312462874504339364191057909241-981133408-1099539243-926451167"
1⤵
PID:2596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaa5382d4.bat

Filesize
200B

MD5
69d23473a332fab5de8641b4baa8b645

SHA1
a6eb410e1b655c534b18826d51564d6c425bb6b7

SHA256
f9d63facf7a7bd2713b29ef8147b454e92da2faaea74f22ed71728479155a3f2

SHA512
27c4daeb22d661513e1c23f9bfe889e26f69147fb194a0e8313da3eeb4e77446181a557321e468c6d86dc1d283e5e5b441ef9aec26e3914c3bf32c14319aa471

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpd874ec0d.bat

Filesize
271B

MD5
757c4e51301e51f91bfeae9b202fe257

SHA1
aa782c372530085878c543b2a0e92697d8af05ad

SHA256
00423fa5de343a938c0a4fef2137047bc896030ffce8c6a5af13dcc6fd055cf8

SHA512
8fa1a20a422ef169502d1ba454870a6d196f6ec6e388bdf29956b9ad8b8bc72587ad4e090675ecb1c8392bbaacd465bc2b2a5f4107e6e4f0871494e9894bb389

Download Submit
\Users\Admin\AppData\Roaming\Layw\ohewoz.exe

Filesize
227KB

MD5
5d5f81c510f987062a69562a1534549f

SHA1
c29e59c5230dc8ae86385d7f642e7eccc1d8122c

SHA256
c0e3794504da3d813c27c8ce2b888c3f6530c135f30553d316b86fe91b7ccd86

SHA512
e0e182d0ac0026c737477448df007cf83968991023a6e6cd9a238dd8ffd00b0189de11b73ca0720b9e6c47270b97af9c5bfdee3d1cb738f87d9aca5b2e4bf02f

Download Submit
memory/1100-53-0x0000000002080000-0x00000000020A8000-memory.dmp

Filesize
160KB

Download
memory/1100-57-0x0000000002080000-0x00000000020A8000-memory.dmp

Filesize
160KB

Download
memory/1100-51-0x0000000002080000-0x00000000020A8000-memory.dmp

Filesize
160KB

Download
memory/1100-55-0x0000000002080000-0x00000000020A8000-memory.dmp

Filesize
160KB

Download
memory/1176-67-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1176-63-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1176-61-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1176-65-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/1212-75-0x0000000002EB0000-0x0000000002ED8000-memory.dmp

Filesize
160KB

Download
memory/1212-77-0x0000000002EB0000-0x0000000002ED8000-memory.dmp

Filesize
160KB

Download
memory/1212-73-0x0000000002EB0000-0x0000000002ED8000-memory.dmp

Filesize
160KB

Download
memory/1212-71-0x0000000002EB0000-0x0000000002ED8000-memory.dmp

Filesize
160KB

Download
memory/1284-81-0x0000000001D50000-0x0000000001D78000-memory.dmp

Filesize
160KB

Download
memory/2132-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2432-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2432-130-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2568-41-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2732-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2732-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download