e1045c48554afe84cffcf7cbcd26f435269d6f419bb9255a71f39e50bc2c3a2e

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
Size

297KB
MD5

f5efbee9d2ec391369463f54d305aceb
SHA1

7e34efc45141a017cbf4c8e1a2080bae289ad67f
SHA256

e1045c48554afe84cffcf7cbcd26f435269d6f419bb9255a71f39e50bc2c3a2e
SHA512

950f65471ac9174aa8706854f86f1501c1ec9bad5c0f00e6742bab9720e02c7694694093e9808c9bfa7a760d235c998332e367372ebec5ce07bf3bd3863a7ce9
SSDEEP

6144:Pch5remK3mpw027zTuHDVlVKD+YhGlaSGExpYG6YKJcVpZCO3lljh:85rdNpw0EyOTgoSGExC4KJIjh

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2500	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	yghu.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D2BEAD48-3C80-AD4F-FE01-FCCCDCDBDFD1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ehjee\\yghu.exe"	yghu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-0-0x0000000000400000-0x00000000007FF000-memory.dmp	upx
behavioral1/files/0x0009000000016276-12.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Privacy	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe
1396	yghu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
Token: SeSecurityPrivilege	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
Token: SeSecurityPrivilege	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1396	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1396	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1396	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	30
PID 3040 wrote to memory of 1396	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	30
PID 1396 wrote to memory of 1112	1396	yghu.exe	19
PID 1396 wrote to memory of 1112	1396	yghu.exe	19
PID 1396 wrote to memory of 1112	1396	yghu.exe	19
PID 1396 wrote to memory of 1112	1396	yghu.exe	19
PID 1396 wrote to memory of 1112	1396	yghu.exe	19
PID 1396 wrote to memory of 1164	1396	yghu.exe	20
PID 1396 wrote to memory of 1164	1396	yghu.exe	20
PID 1396 wrote to memory of 1164	1396	yghu.exe	20
PID 1396 wrote to memory of 1164	1396	yghu.exe	20
PID 1396 wrote to memory of 1164	1396	yghu.exe	20
PID 1396 wrote to memory of 1192	1396	yghu.exe	21
PID 1396 wrote to memory of 1192	1396	yghu.exe	21
PID 1396 wrote to memory of 1192	1396	yghu.exe	21
PID 1396 wrote to memory of 1192	1396	yghu.exe	21
PID 1396 wrote to memory of 1192	1396	yghu.exe	21
PID 1396 wrote to memory of 2036	1396	yghu.exe	23
PID 1396 wrote to memory of 2036	1396	yghu.exe	23
PID 1396 wrote to memory of 2036	1396	yghu.exe	23
PID 1396 wrote to memory of 2036	1396	yghu.exe	23
PID 1396 wrote to memory of 2036	1396	yghu.exe	23
PID 1396 wrote to memory of 3040	1396	yghu.exe	29
PID 1396 wrote to memory of 3040	1396	yghu.exe	29
PID 1396 wrote to memory of 3040	1396	yghu.exe	29
PID 1396 wrote to memory of 3040	1396	yghu.exe	29
PID 1396 wrote to memory of 3040	1396	yghu.exe	29
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2500	3040	f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5efbee9d2ec391369463f54d305aceb_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\Ehjee\yghu.exe
    "C:\Users\Admin\AppData\Roaming\Ehjee\yghu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa4979993.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa4979993.bat

Filesize
271B

MD5
dae8a749e9e9561e2f11f8dac4a47405

SHA1
e14b09c8fab745bc673bfbf57161f6669396f740

SHA256
f4504c37903dfecb151a61b8005df2e9d8b0ebf5ce6178f59fc316a7ffbe945f

SHA512
7ab280cba9e3a93ce9688e80b2a76206888b4b13ca29e2cbd268b9ca59f2e71b8141b41615ab427703c4f1f11fffbd71a4f4bd8228154e1f57907899d67862b4

Download Submit
C:\Users\Admin\AppData\Roaming\Ehjee\yghu.exe

Filesize
297KB

MD5
400a674da7f1354553364797d0ed53d3

SHA1
f9c0a473e1fefd99651cd51e963764983547ad04

SHA256
fef7e5346408eed39a24f2bd406c769789015e568dd71a3cfc0ae3f3dc4c2770

SHA512
69e9073dc6f6e465d5b35da7c77ec8981b17dbd1a47d0a46aaaa56feb83cb3ad020524e68ff2af7af78bc635076879ba4a6124f6827d44961a56257a8282447d

Download Submit
C:\Users\Admin\AppData\Roaming\Koro\ybri.elo

Filesize
380B

MD5
5c52613eeb027aedb1032eb4deca99ca

SHA1
9aae31349c9670edf3688161e58cbac5fd132877

SHA256
a839c7847c5c826343f91b96ff30d8ee92de12485846fb482de577f47bd96930

SHA512
25c007c45eba78395d313ef47fc93c27d80860c1f6670f531b307b734991a1f83488fce7f5f41870e75790f2efacad166e05c780609b7e3c92c6ff49a81168c3

Download Submit
memory/1112-22-0x0000000000420000-0x000000000045D000-memory.dmp

Filesize
244KB

Download
memory/1112-24-0x0000000000420000-0x000000000045D000-memory.dmp

Filesize
244KB

Download
memory/1112-16-0x0000000000420000-0x000000000045D000-memory.dmp

Filesize
244KB

Download
memory/1112-18-0x0000000000420000-0x000000000045D000-memory.dmp

Filesize
244KB

Download
memory/1112-20-0x0000000000420000-0x000000000045D000-memory.dmp

Filesize
244KB

Download
memory/1164-27-0x0000000001DA0000-0x0000000001DDD000-memory.dmp

Filesize
244KB

Download
memory/1164-29-0x0000000001DA0000-0x0000000001DDD000-memory.dmp

Filesize
244KB

Download
memory/1164-30-0x0000000001DA0000-0x0000000001DDD000-memory.dmp

Filesize
244KB

Download
memory/1164-28-0x0000000001DA0000-0x0000000001DDD000-memory.dmp

Filesize
244KB

Download
memory/1192-34-0x00000000024E0000-0x000000000251D000-memory.dmp

Filesize
244KB

Download
memory/1192-32-0x00000000024E0000-0x000000000251D000-memory.dmp

Filesize
244KB

Download
memory/1192-36-0x00000000024E0000-0x000000000251D000-memory.dmp

Filesize
244KB

Download
memory/1192-38-0x00000000024E0000-0x000000000251D000-memory.dmp

Filesize
244KB

Download
memory/1396-274-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/1396-52-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/1396-51-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2036-44-0x0000000001F50000-0x0000000001F8D000-memory.dmp

Filesize
244KB

Download
memory/2036-41-0x0000000001F50000-0x0000000001F8D000-memory.dmp

Filesize
244KB

Download
memory/2036-42-0x0000000001F50000-0x0000000001F8D000-memory.dmp

Filesize
244KB

Download
memory/2036-43-0x0000000001F50000-0x0000000001F8D000-memory.dmp

Filesize
244KB

Download
memory/3040-67-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-71-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-48-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/3040-47-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/3040-46-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/3040-50-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/3040-53-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-55-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-57-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-59-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-61-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-63-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-65-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3040-69-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-49-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/3040-73-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-75-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-77-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-79-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-81-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3040-15-0x0000000002790000-0x0000000002B8F000-memory.dmp

Filesize
4.0MB

Download
memory/3040-137-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/3040-13-0x0000000002790000-0x0000000002B8F000-memory.dmp

Filesize
4.0MB

Download
memory/3040-5-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/3040-155-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/3040-156-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/3040-0-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/3040-2-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download