a65d733a1b72befa4b7e458b5088c4429955300c4576adb964bf65e2b30b8ea5

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
Size

262KB
MD5

ee0adcbb4c9e73acff811a53a736a175
SHA1

9d28c12722a4fcb3309911ee08ad0c30a8fbcbfd
SHA256

a65d733a1b72befa4b7e458b5088c4429955300c4576adb964bf65e2b30b8ea5
SHA512

bbafd6c51867ba8f484379d80c9d7a16af76d373698d079725af7f86c23a09a5e821789cdac8b6f9e950a2e4870b51cb8d0c4bc4fb6e13c9c2df9fd620c10bbe
SSDEEP

6144:SX8Gp+df0afmVTRMd0dpn94sLrNXel9rb98+MAnN:g8YkfXf4TRM094svNuzrb9ZP

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1940 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

siak.exe

pid process

2544 siak.exe
Loads dropped DLL 1 IoCs

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

pid process

2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

pid	process
1940	cmd.exe

pid	process
2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

siak.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\{278F5008-6814-AD4F-E8EF-460FE6556512} = "C:\\Users\\Admin\\AppData\\Roaming\\Acabut\\siak.exe"	siak.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

description pid process target process

PID 2092 set thread context of 1940 2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe cmd.exe

description	pid	process	target process
PID 2092 set thread context of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

siak.exe

pid	process
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe
2544	siak.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

description	pid	process
Token: SeSecurityPrivilege	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
Token: SeSecurityPrivilege	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
Token: SeSecurityPrivilege	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exesiak.exe

pid process

2092 ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
2544 siak.exe

pid	process
2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
2544	siak.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exesiak.exe

description	pid	process	target process
PID 2092 wrote to memory of 2544	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	siak.exe
PID 2092 wrote to memory of 2544	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	siak.exe
PID 2092 wrote to memory of 2544	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	siak.exe
PID 2092 wrote to memory of 2544	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	siak.exe
PID 2544 wrote to memory of 1128	2544	siak.exe	taskhost.exe
PID 2544 wrote to memory of 1128	2544	siak.exe	taskhost.exe
PID 2544 wrote to memory of 1128	2544	siak.exe	taskhost.exe
PID 2544 wrote to memory of 1128	2544	siak.exe	taskhost.exe
PID 2544 wrote to memory of 1128	2544	siak.exe	taskhost.exe
PID 2544 wrote to memory of 1180	2544	siak.exe	Dwm.exe
PID 2544 wrote to memory of 1180	2544	siak.exe	Dwm.exe
PID 2544 wrote to memory of 1180	2544	siak.exe	Dwm.exe
PID 2544 wrote to memory of 1180	2544	siak.exe	Dwm.exe
PID 2544 wrote to memory of 1180	2544	siak.exe	Dwm.exe
PID 2544 wrote to memory of 1216	2544	siak.exe	Explorer.EXE
PID 2544 wrote to memory of 1216	2544	siak.exe	Explorer.EXE
PID 2544 wrote to memory of 1216	2544	siak.exe	Explorer.EXE
PID 2544 wrote to memory of 1216	2544	siak.exe	Explorer.EXE
PID 2544 wrote to memory of 1216	2544	siak.exe	Explorer.EXE
PID 2544 wrote to memory of 1764	2544	siak.exe	DllHost.exe
PID 2544 wrote to memory of 1764	2544	siak.exe	DllHost.exe
PID 2544 wrote to memory of 1764	2544	siak.exe	DllHost.exe
PID 2544 wrote to memory of 1764	2544	siak.exe	DllHost.exe
PID 2544 wrote to memory of 1764	2544	siak.exe	DllHost.exe
PID 2544 wrote to memory of 2092	2544	siak.exe	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2544 wrote to memory of 2092	2544	siak.exe	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2544 wrote to memory of 2092	2544	siak.exe	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2544 wrote to memory of 2092	2544	siak.exe	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2544 wrote to memory of 2092	2544	siak.exe	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 1940	2092	ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee0adcbb4c9e73acff811a53a736a175_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Roaming\Acabut\siak.exe
"C:\Users\Admin\AppData\Roaming\Acabut\siak.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8d941466.bat"
3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8d941466.bat

Filesize
271B

MD5
df95362b915599b6881e248b642524b7

SHA1
e72bba3d222d6a681717a1683727007fd5ec0ed2

SHA256
9f5e6fa0d1a03d913e1d053c789f59c552843b30b860561a3de10bb67aa38757

SHA512
e6ac5515ecba75f100a361b5677f341a0a68c929144df625ce94149a4827d92a5ce23aaeab3557d335d96ba441bf87b9564c3f34ddd19ede505e764eb54cbf21

Download Submit
C:\Users\Admin\AppData\Roaming\Qiexet\kozo.tut

Filesize
380B

MD5
82bc0bd0a072603d23fcc83eb2364d05

SHA1
618cf75cabb799040fcd442a15770eec39313e4f

SHA256
8db2fcbda0c4074bc8b466582ca5b6ee65f8451a81549d1ebb2880fd89e6b357

SHA512
70ccdedf561f33a0ba0674263e900f05775c52648482c34e6ff9904aec7c59d504a90563e3216681f98ad2e4109af18209155fbe4c4a9109ef3cd6e5a93ab309

Download Submit
\Users\Admin\AppData\Roaming\Acabut\siak.exe

Filesize
262KB

MD5
7d5f9f44f45f4fa6bd6078c60cff4337

SHA1
1533fa29ec0441cbc119748358adf49fd77a1e6c

SHA256
4ad2066e00769744b131b0899a47ddb5ace51ec094148dc0073c641bc427cef3

SHA512
29ca1e62511abe44f86269dba1a0e287472f51a61cd9cbaf5e8ecf3a92c7290b62ac54de28dfe328ea8fc87780aa43db1787ec721a2e0b4d43f66d4d6cc97d11

Download Submit
memory/1128-20-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1128-22-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1128-24-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1128-16-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1128-18-0x00000000021E0000-0x0000000002221000-memory.dmp

Filesize
260KB

Download
memory/1180-27-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1180-28-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1180-29-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1180-30-0x0000000001EC0000-0x0000000001F01000-memory.dmp

Filesize
260KB

Download
memory/1216-32-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1216-33-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1216-34-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1216-35-0x0000000002D70000-0x0000000002DB1000-memory.dmp

Filesize
260KB

Download
memory/1764-37-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1764-39-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1764-38-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/1764-40-0x0000000001BF0000-0x0000000001C31000-memory.dmp

Filesize
260KB

Download
memory/2092-130-0x0000000076FB0000-0x0000000076FB1000-memory.dmp

Filesize
4KB

Download
memory/2092-43-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-155-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2092-73-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-71-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-69-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-67-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-65-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-63-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-61-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-59-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-57-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-55-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-53-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-51-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-49-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-47-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-45-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-44-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-156-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2092-42-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-158-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-75-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-129-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-0-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2092-131-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-77-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2092-46-0x00000000022B0000-0x00000000022F1000-memory.dmp

Filesize
260KB

Download
memory/2092-1-0x00000000002D0000-0x0000000000315000-memory.dmp

Filesize
276KB

Download
memory/2092-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-3-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-4-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2544-14-0x0000000000370000-0x00000000003B5000-memory.dmp

Filesize
276KB

Download
memory/2544-13-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/2544-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download