120c24760fff974d67ae75bfbc2dba7cf583170cdf2a8c31adf9691cc77a0ef5

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
Size

98KB
MD5

f9a00dc4a9637fa216630f4d5e2c8b37
SHA1

58c2ea15ecab7eb1674fb3a29f0b72b222da826b
SHA256

120c24760fff974d67ae75bfbc2dba7cf583170cdf2a8c31adf9691cc77a0ef5
SHA512

15edf799761216a564d4872811a02dc3c269a2dc7a66f5fe399624e1524df16323c66434527a2f39be4784c85143dc57632f94e87afe640862eaef3186edb33a
SSDEEP

1536:9AuxfK6DOHpn2+3wc+TBsYu1fOc7kOi1mkCzzT/sX083Mkd3cklj:9AeAJ2+3YvyfOAsmkC3T/K5MEP

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	yxits.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4C8E1277-1FDE-9232-CA58-A489058D1F43} = "C:\\Users\\Admin\\AppData\\Roaming\\Dekyl\\yxits.exe"	yxits.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxits.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Privacy	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe
2484	yxits.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
Token: SeSecurityPrivilege	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
Token: SeSecurityPrivilege	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2484	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2484	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2484	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2484	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	31
PID 2484 wrote to memory of 1204	2484	yxits.exe	19
PID 2484 wrote to memory of 1204	2484	yxits.exe	19
PID 2484 wrote to memory of 1204	2484	yxits.exe	19
PID 2484 wrote to memory of 1204	2484	yxits.exe	19
PID 2484 wrote to memory of 1204	2484	yxits.exe	19
PID 2484 wrote to memory of 1308	2484	yxits.exe	20
PID 2484 wrote to memory of 1308	2484	yxits.exe	20
PID 2484 wrote to memory of 1308	2484	yxits.exe	20
PID 2484 wrote to memory of 1308	2484	yxits.exe	20
PID 2484 wrote to memory of 1308	2484	yxits.exe	20
PID 2484 wrote to memory of 1368	2484	yxits.exe	21
PID 2484 wrote to memory of 1368	2484	yxits.exe	21
PID 2484 wrote to memory of 1368	2484	yxits.exe	21
PID 2484 wrote to memory of 1368	2484	yxits.exe	21
PID 2484 wrote to memory of 1368	2484	yxits.exe	21
PID 2484 wrote to memory of 1448	2484	yxits.exe	25
PID 2484 wrote to memory of 1448	2484	yxits.exe	25
PID 2484 wrote to memory of 1448	2484	yxits.exe	25
PID 2484 wrote to memory of 1448	2484	yxits.exe	25
PID 2484 wrote to memory of 1448	2484	yxits.exe	25
PID 2484 wrote to memory of 2488	2484	yxits.exe	29
PID 2484 wrote to memory of 2488	2484	yxits.exe	29
PID 2484 wrote to memory of 2488	2484	yxits.exe	29
PID 2484 wrote to memory of 2488	2484	yxits.exe	29
PID 2484 wrote to memory of 2488	2484	yxits.exe	29
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2488 wrote to memory of 3064	2488	f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe	32
PID 2484 wrote to memory of 1132	2484	yxits.exe	34
PID 2484 wrote to memory of 1132	2484	yxits.exe	34
PID 2484 wrote to memory of 1132	2484	yxits.exe	34
PID 2484 wrote to memory of 1132	2484	yxits.exe	34
PID 2484 wrote to memory of 1132	2484	yxits.exe	34
PID 2484 wrote to memory of 2136	2484	yxits.exe	35
PID 2484 wrote to memory of 2136	2484	yxits.exe	35
PID 2484 wrote to memory of 2136	2484	yxits.exe	35
PID 2484 wrote to memory of 2136	2484	yxits.exe	35
PID 2484 wrote to memory of 2136	2484	yxits.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f9a00dc4a9637fa216630f4d5e2c8b37_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Roaming\Dekyl\yxits.exe
    "C:\Users\Admin\AppData\Roaming\Dekyl\yxits.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd2492cd7.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3064

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd2492cd7.bat

Filesize
271B

MD5
e205711651cf59a59f3524f3be0966ed

SHA1
1dc8b3d67b6ca9aab9aca6d280cd75c8038e4f71

SHA256
3f3a44c2840eb9d666761357e49f1cf00c298815cc9828291a8f936e518a27d8

SHA512
155cbb027d70f8822c53a1b2c1f6983044216313c27b475eda33e13956e0e90c78749df32d3824c208323c93660e5a3ddf9d98fa02c8ecc8331448c84a0066fc

Download Submit
C:\Users\Admin\AppData\Roaming\Dekyl\yxits.exe

Filesize
98KB

MD5
fa6759bddaaaf4702be396e38960407f

SHA1
ea9d3f7f805e2e6c36abe0d061b93ad6e383d927

SHA256
857e23f1818a6719b356b6359bcff7f9dec4bb857f39803d7779fdbb1266a853

SHA512
ba5010c2a0f691615baf6ddf3dee8a42de8b224787be67f246633198057e818eff10a40db2a0b2ae2aa2f6e13592bebd33e67c34438b58226d03153d84515254

Download Submit
C:\Users\Admin\AppData\Roaming\Ylka\rogoy.yvo

Filesize
380B

MD5
46c019003fe424fab8f51a0b29e9f4ec

SHA1
b73b3b1785c9b58dc487a4cb886479f352c0c18d

SHA256
9a2d80b48f4b4d9088297635e8528c2367a294e9933d268f54e0f36d6ce6d54f

SHA512
86a99b6695a97d89064436690e83c1806c6bafd0934a47280a9105901aeb1d9e7e9c8781ae482c2f3b79921deb7ca83deb3df44064f501da19171f7d98596416

Download Submit
memory/1204-21-0x0000000001DD0000-0x0000000001DEF000-memory.dmp

Filesize
124KB

Download
memory/1204-23-0x0000000001DD0000-0x0000000001DEF000-memory.dmp

Filesize
124KB

Download
memory/1204-25-0x0000000001DD0000-0x0000000001DEF000-memory.dmp

Filesize
124KB

Download
memory/1204-27-0x0000000001DD0000-0x0000000001DEF000-memory.dmp

Filesize
124KB

Download
memory/1204-19-0x0000000001DD0000-0x0000000001DEF000-memory.dmp

Filesize
124KB

Download
memory/1308-35-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1308-31-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1308-33-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1308-37-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/1368-41-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/1368-40-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/1368-42-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/1368-43-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/1448-48-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/1448-45-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/1448-46-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/1448-47-0x0000000002060000-0x000000000207F000-memory.dmp

Filesize
124KB

Download
memory/2484-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2484-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2484-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2484-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-65-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-0-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/2488-59-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-57-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-55-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-53-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2488-52-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2488-51-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2488-50-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2488-63-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-67-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-71-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-73-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-75-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-77-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-61-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-81-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-79-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-69-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/2488-14-0x0000000000402000-0x0000000000405000-memory.dmp

Filesize
12KB

Download
memory/2488-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2488-54-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2488-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3064-129-0x00000000779D0000-0x00000000779D1000-memory.dmp

Filesize
4KB

Download
memory/3064-130-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3064-131-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/3064-103-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download