8ca4b47ae9a0fad5b1aa4b3a2e368fa0938491945a70b888c5c4114914efe7d6

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
Size

305KB
MD5

fb5500c06ed22a52c1ed34dc2b4c5372
SHA1

9a3574f6e77eba9f22aca8bc09a1cc0dadb86009
SHA256

8ca4b47ae9a0fad5b1aa4b3a2e368fa0938491945a70b888c5c4114914efe7d6
SHA512

e64687367b6ea1d6072d867214f1e59173661b0f62c310ec02097f2b17ff74d8bcdf7fe8c934811b8bd8442c25f7d0d475452e3bbec6b2a7f48343cde02e0df9
SSDEEP

6144:5GSztT72Y0SfzinYKTY1SQshfRPVQe1MZkIYSccr7wbstObPECYeixlYGicUn:5Gqh7SSGYsY1UMqMZJYSN7wbstOb8fvY

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2156	neypor.exe

Loads dropped DLL 1 IoCs

pid	Process
2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D9E5F948-3C80-AD4F-E7F9-6BD2C10548CF} = "C:\\Users\\Admin\\AppData\\Roaming\\Ledox\\neypor.exe"	neypor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neypor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe
2156	neypor.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2156	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2156	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2156	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2156	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	28
PID 2156 wrote to memory of 1104	2156	neypor.exe	19
PID 2156 wrote to memory of 1104	2156	neypor.exe	19
PID 2156 wrote to memory of 1104	2156	neypor.exe	19
PID 2156 wrote to memory of 1104	2156	neypor.exe	19
PID 2156 wrote to memory of 1104	2156	neypor.exe	19
PID 2156 wrote to memory of 1156	2156	neypor.exe	20
PID 2156 wrote to memory of 1156	2156	neypor.exe	20
PID 2156 wrote to memory of 1156	2156	neypor.exe	20
PID 2156 wrote to memory of 1156	2156	neypor.exe	20
PID 2156 wrote to memory of 1156	2156	neypor.exe	20
PID 2156 wrote to memory of 1184	2156	neypor.exe	21
PID 2156 wrote to memory of 1184	2156	neypor.exe	21
PID 2156 wrote to memory of 1184	2156	neypor.exe	21
PID 2156 wrote to memory of 1184	2156	neypor.exe	21
PID 2156 wrote to memory of 1184	2156	neypor.exe	21
PID 2156 wrote to memory of 1176	2156	neypor.exe	23
PID 2156 wrote to memory of 1176	2156	neypor.exe	23
PID 2156 wrote to memory of 1176	2156	neypor.exe	23
PID 2156 wrote to memory of 1176	2156	neypor.exe	23
PID 2156 wrote to memory of 1176	2156	neypor.exe	23
PID 2156 wrote to memory of 2868	2156	neypor.exe	27
PID 2156 wrote to memory of 2868	2156	neypor.exe	27
PID 2156 wrote to memory of 2868	2156	neypor.exe	27
PID 2156 wrote to memory of 2868	2156	neypor.exe	27
PID 2156 wrote to memory of 2868	2156	neypor.exe	27
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2532	2868	fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe	29
PID 2156 wrote to memory of 3048	2156	neypor.exe	33
PID 2156 wrote to memory of 3048	2156	neypor.exe	33
PID 2156 wrote to memory of 3048	2156	neypor.exe	33
PID 2156 wrote to memory of 3048	2156	neypor.exe	33
PID 2156 wrote to memory of 3048	2156	neypor.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb5500c06ed22a52c1ed34dc2b4c5372_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Ledox\neypor.exe
    "C:\Users\Admin\AppData\Roaming\Ledox\neypor.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7d5a16e5.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7d5a16e5.bat

Filesize
271B

MD5
14ad625cfe9ee69fe94ecc445feb0a8b

SHA1
847c62435eb33b1bb7c093c594c47a011e97823a

SHA256
3e578f14f580438a1cf21563c7a4dfe31e23a03d0c6d010363a83121217ad65e

SHA512
afa58afb5c269f7080b3aa31555b020b0887dc7f8374406bbb1ea944ef72494c56310174fbf9eb91ad9765033ef7a0828ca2e15a33b5915ad7d64d5a6d88fceb

Download Submit
\Users\Admin\AppData\Roaming\Ledox\neypor.exe

Filesize
305KB

MD5
6ec4e34729d9e550fcde1918b4209b17

SHA1
97df85fde5834452bde49926b9d35e07721e7932

SHA256
bac97ecd56f3eb53a59a4b9aa33df7a7b5fbe3a8ac484674e3a59aa4ef296dad

SHA512
abe6ede9ae80ae79a3154efc2d977080e3ff8c18b2d9c939766eca96445695613a6cf387d95e09ae1ca19b0d0039c92fd1b2740956751475d9d3cea7385e3806

Download Submit
memory/1104-19-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/1104-18-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/1104-17-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/1104-16-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/1104-15-0x0000000002120000-0x0000000002164000-memory.dmp

Filesize
272KB

Download
memory/1156-24-0x0000000002020000-0x0000000002064000-memory.dmp

Filesize
272KB

Download
memory/1156-22-0x0000000002020000-0x0000000002064000-memory.dmp

Filesize
272KB

Download
memory/1156-21-0x0000000002020000-0x0000000002064000-memory.dmp

Filesize
272KB

Download
memory/1156-23-0x0000000002020000-0x0000000002064000-memory.dmp

Filesize
272KB

Download
memory/1176-32-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1176-34-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1176-33-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1176-31-0x0000000001E80000-0x0000000001EC4000-memory.dmp

Filesize
272KB

Download
memory/1184-27-0x00000000024E0000-0x0000000002524000-memory.dmp

Filesize
272KB

Download
memory/1184-26-0x00000000024E0000-0x0000000002524000-memory.dmp

Filesize
272KB

Download
memory/1184-28-0x00000000024E0000-0x0000000002524000-memory.dmp

Filesize
272KB

Download
memory/1184-29-0x00000000024E0000-0x0000000002524000-memory.dmp

Filesize
272KB

Download
memory/2156-281-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2156-12-0x0000000001360000-0x00000000013B0000-memory.dmp

Filesize
320KB

Download
memory/2156-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2156-289-0x0000000001360000-0x00000000013B0000-memory.dmp

Filesize
320KB

Download
memory/2868-49-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-67-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-57-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-55-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-51-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-47-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-41-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-40-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-39-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-38-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-37-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-36-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-63-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-65-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-158-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-157-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-156-0x0000000000B80000-0x0000000000BD0000-memory.dmp

Filesize
320KB

Download
memory/2868-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-71-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-73-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-132-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-133-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-130-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/2868-131-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2868-53-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-11-0x0000000000200000-0x0000000000250000-memory.dmp

Filesize
320KB

Download
memory/2868-4-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2868-0-0x0000000000B80000-0x0000000000BD0000-memory.dmp

Filesize
320KB

Download