eaf379c7bb44002244315442db65ec3962012830cde6b91c6a5bc9d6558376ea

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 09:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
Size

294KB
MD5

fc0c70e06cc0732f512d98f7a1c2903a
SHA1

e22bca430808a19afdecfb2f8e487fae23bffb7b
SHA256

eaf379c7bb44002244315442db65ec3962012830cde6b91c6a5bc9d6558376ea
SHA512

2ebcdce2f045cdf4ea2f6ae3c304f73930d136cdb586303653ae200fe4c162ac115cc17c165eb52df14dc1412d5828c02232de8dcc42299cdd08fbba4b5f890c
SSDEEP

6144:SiGtsLmMAlqNC+P+1PTG/qm/PgCnmUSFMhl4C+M/oI294Ki:pGtsLkt+W1PTEn/iUSFM8C+rI2ri

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	juwo.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95BC468-3C80-AD4F-F4E3-EFE6C1B1CCFB} = "C:\\Users\\Admin\\AppData\\Roaming\\Ciyrig\\juwo.exe"	juwo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe
2020	juwo.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
2020	juwo.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2020	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2020	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2020	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2020	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	30
PID 2020 wrote to memory of 1104	2020	juwo.exe	19
PID 2020 wrote to memory of 1104	2020	juwo.exe	19
PID 2020 wrote to memory of 1104	2020	juwo.exe	19
PID 2020 wrote to memory of 1104	2020	juwo.exe	19
PID 2020 wrote to memory of 1104	2020	juwo.exe	19
PID 2020 wrote to memory of 1168	2020	juwo.exe	20
PID 2020 wrote to memory of 1168	2020	juwo.exe	20
PID 2020 wrote to memory of 1168	2020	juwo.exe	20
PID 2020 wrote to memory of 1168	2020	juwo.exe	20
PID 2020 wrote to memory of 1168	2020	juwo.exe	20
PID 2020 wrote to memory of 1200	2020	juwo.exe	21
PID 2020 wrote to memory of 1200	2020	juwo.exe	21
PID 2020 wrote to memory of 1200	2020	juwo.exe	21
PID 2020 wrote to memory of 1200	2020	juwo.exe	21
PID 2020 wrote to memory of 1200	2020	juwo.exe	21
PID 2020 wrote to memory of 636	2020	juwo.exe	25
PID 2020 wrote to memory of 636	2020	juwo.exe	25
PID 2020 wrote to memory of 636	2020	juwo.exe	25
PID 2020 wrote to memory of 636	2020	juwo.exe	25
PID 2020 wrote to memory of 636	2020	juwo.exe	25
PID 2020 wrote to memory of 1732	2020	juwo.exe	29
PID 2020 wrote to memory of 1732	2020	juwo.exe	29
PID 2020 wrote to memory of 1732	2020	juwo.exe	29
PID 2020 wrote to memory of 1732	2020	juwo.exe	29
PID 2020 wrote to memory of 1732	2020	juwo.exe	29
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2972	1732	fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0c70e06cc0732f512d98f7a1c2903a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\Ciyrig\juwo.exe
    "C:\Users\Admin\AppData\Roaming\Ciyrig\juwo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7ce454e8.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7ce454e8.bat

Filesize
271B

MD5
78a352c19ba4ef732f8d342579cad5d3

SHA1
8e5d1d4671151f3ff1ed324198aa78761e8d91f1

SHA256
fa5aaf8b805a489f374012be7fd3074cbade4555f2829dd173af56d00d9c4b10

SHA512
3fe00aab5751b6b8fc84a37007fac63276b650ba36fcb47e3873a4de9f1235a49e25aa956b2187535686f9cfb708e37572f30d0c0fda9b30ddb88004c77db86f

Download Submit
C:\Users\Admin\AppData\Roaming\Ciyrig\juwo.exe

Filesize
294KB

MD5
54228d7e600b9f6ba5437b13c47b9976

SHA1
da48e4bfe58ec373a348f1a5bdeeb34f783a37a7

SHA256
dd69a80057149df2092526c25bf69a2d695b212fc492260d03490f9dc728aebe

SHA512
0898c2978d63bcf72d46978df9fb2bed4fa04f95cadaf0577f8434ddf716c786ed8fdaee83a58d6979add1bb559e0d65eae0231debc5c718d301f844797004a5

Download Submit
memory/636-41-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/636-44-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/636-43-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/636-42-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1104-16-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1104-18-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1104-20-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1104-22-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1104-24-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/1168-27-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/1168-33-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/1168-31-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/1168-29-0x0000000002070000-0x00000000020B4000-memory.dmp

Filesize
272KB

Download
memory/1200-36-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1200-38-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1200-39-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1200-37-0x0000000002470000-0x00000000024B4000-memory.dmp

Filesize
272KB

Download
memory/1732-76-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-139-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-56-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-0-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1732-163-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-62-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-50-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-49-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-48-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-47-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-46-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-64-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-68-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-70-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-1-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download
memory/1732-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-80-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-137-0x0000000001F60000-0x0000000001FA4000-memory.dmp

Filesize
272KB

Download
memory/1732-60-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-138-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1732-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1732-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1732-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-51-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/2020-52-0x00000000002E0000-0x000000000032D000-memory.dmp

Filesize
308KB

Download
memory/2020-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download