c3e6584d25916d1d217ebb1f52f5789b49faf3b84b4c4073d7c85f87c41d3fe1

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
Size

335KB
MD5

ff1da159e18030eac3d514abffded2d1
SHA1

0a2dff7a50b77230d87bfa82e3c59adc22900685
SHA256

c3e6584d25916d1d217ebb1f52f5789b49faf3b84b4c4073d7c85f87c41d3fe1
SHA512

548b93242d5afa7a7fa254135beddaac777cd05d6e90161e6d4d07fc36d3c41f0aa65684fd9531360feb23e7baf82094e6381b7a2eaab81c0a64e0aa3739c332
SSDEEP

6144:7DXD/LBcEG3tr5zppfdre1vYcCFU7z7zs0cPWwbAKrjN5LYLEDczC:7DXD/qEottNreLCF+XevN5LqE/

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2424	ynwama.exe
1252	ynwama.exe

Loads dropped DLL 3 IoCs

pid	Process
2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
2424	ynwama.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D2BEAD48-3C80-AD4F-FE01-FCCCDCDBDFD1} = "C:\\Users\\Admin\\AppData\\Roaming\\Atvuil\\ynwama.exe"	ynwama.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 2424 set thread context of 1252	2424	ynwama.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynwama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe
1252	ynwama.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 1836 wrote to memory of 2420	1836	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2424	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2424	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2424	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	31
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2424 wrote to memory of 1252	2424	ynwama.exe	32
PID 2420 wrote to memory of 2832	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2832	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2832	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	33
PID 2420 wrote to memory of 2832	2420	ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe	33
PID 1252 wrote to memory of 1108	1252	ynwama.exe	19
PID 1252 wrote to memory of 1108	1252	ynwama.exe	19
PID 1252 wrote to memory of 1108	1252	ynwama.exe	19
PID 1252 wrote to memory of 1108	1252	ynwama.exe	19
PID 1252 wrote to memory of 1108	1252	ynwama.exe	19
PID 1252 wrote to memory of 1164	1252	ynwama.exe	20
PID 1252 wrote to memory of 1164	1252	ynwama.exe	20
PID 1252 wrote to memory of 1164	1252	ynwama.exe	20
PID 1252 wrote to memory of 1164	1252	ynwama.exe	20
PID 1252 wrote to memory of 1164	1252	ynwama.exe	20
PID 1252 wrote to memory of 1232	1252	ynwama.exe	21
PID 1252 wrote to memory of 1232	1252	ynwama.exe	21
PID 1252 wrote to memory of 1232	1252	ynwama.exe	21
PID 1252 wrote to memory of 1232	1252	ynwama.exe	21
PID 1252 wrote to memory of 1232	1252	ynwama.exe	21
PID 1252 wrote to memory of 1864	1252	ynwama.exe	25
PID 1252 wrote to memory of 1864	1252	ynwama.exe	25
PID 1252 wrote to memory of 1864	1252	ynwama.exe	25
PID 1252 wrote to memory of 1864	1252	ynwama.exe	25
PID 1252 wrote to memory of 1864	1252	ynwama.exe	25

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff1da159e18030eac3d514abffded2d1_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Roaming\Atvuil\ynwama.exe
      "C:\Users\Admin\AppData\Roaming\Atvuil\ynwama.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Roaming\Atvuil\ynwama.exe
        
        "C:\Users\Admin\AppData\Roaming\Atvuil\ynwama.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa12e2c4f.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa12e2c4f.bat

Filesize
271B

MD5
a77729b7e0379e8b3af9ca11ca5381a4

SHA1
755c1bfd393dcdc15c974947b59ae503cb9c3305

SHA256
938949b4feb66e3a378102f07d6373e23a494f72fa0d28e27cc36f97c888cbf2

SHA512
bf873ec9b6db7ff4d7eeea769119a4d978d79a03aaa623cdbf501dd2ccfde4abdb8d1bcc9d5b2e478b220bad77ea9b74ee70004a5f551f58ff000c4bdeb9cf6f

Download Submit
\Users\Admin\AppData\Roaming\Atvuil\ynwama.exe

Filesize
335KB

MD5
b5d53b747108c04438dd1ede164828a1

SHA1
6ec22a6852953081e0fbe16aba5f44500c3dfd45

SHA256
3c9f9c967e7fdde193cd43585011fce9b2a755ea21473dbc2f25ab6d0708cf6d

SHA512
39aafd6024e066eac3009a9295e88c2af5d52145833e5e4c5bff6fffad988d46aa27e24d3380bc00619f69bc0b192b82ea1cd1e228b71e57fd6fc3b91bbc1b19

Download Submit
memory/1108-59-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1108-56-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1108-57-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1108-58-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1164-62-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-63-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-64-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1164-61-0x0000000001FA0000-0x0000000001FE4000-memory.dmp

Filesize
272KB

Download
memory/1232-71-0x0000000002490000-0x00000000024D4000-memory.dmp

Filesize
272KB

Download
memory/1232-67-0x0000000002490000-0x00000000024D4000-memory.dmp

Filesize
272KB

Download
memory/1232-69-0x0000000002490000-0x00000000024D4000-memory.dmp

Filesize
272KB

Download
memory/1232-73-0x0000000002490000-0x00000000024D4000-memory.dmp

Filesize
272KB

Download
memory/1252-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1252-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-14-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1836-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1836-4-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download
memory/1864-78-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1864-76-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1864-77-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/1864-79-0x0000000001E20000-0x0000000001E64000-memory.dmp

Filesize
272KB

Download
memory/2420-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-6-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-45-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2424-47-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download
memory/2424-95-0x0000000000320000-0x0000000000378000-memory.dmp

Filesize
352KB

Download