bb319959ba3c77be2a484c3ddc1204f23d3f26e4959a09ed5e63a0bb9cdc7882

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe
Size

311KB
MD5

ff3f8d8d534839490b926ba04857a27a
SHA1

d9382317b6dbc1d71554dc807a6de8e8b909546d
SHA256

bb319959ba3c77be2a484c3ddc1204f23d3f26e4959a09ed5e63a0bb9cdc7882
SHA512

84dda57515832e16ffba35d8d7e1e2311d69528cc35161f41717fa963c8decb7ef3b0cae6ca8e24309a93c69fafff92fe0f68f75593a98c5b3f9622dc2ec1a87
SSDEEP

6144:nS/3wVyBel40pP1MHLdL1hALe+2NirdrQdZnwUKD0F:nm3myO4w1MdoLT2NKcVws

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
264	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	huyc.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D5718048-3C80-AD4F-91EC-8CC98FD5AFD4} = "C:\\Users\\Admin\\AppData\\Roaming\\Enidc\\huyc.exe"	huyc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huyc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe
2116	huyc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2116	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2116	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2116	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2116	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1104	2116	huyc.exe	19
PID 2116 wrote to memory of 1104	2116	huyc.exe	19
PID 2116 wrote to memory of 1104	2116	huyc.exe	19
PID 2116 wrote to memory of 1104	2116	huyc.exe	19
PID 2116 wrote to memory of 1104	2116	huyc.exe	19
PID 2116 wrote to memory of 1160	2116	huyc.exe	20
PID 2116 wrote to memory of 1160	2116	huyc.exe	20
PID 2116 wrote to memory of 1160	2116	huyc.exe	20
PID 2116 wrote to memory of 1160	2116	huyc.exe	20
PID 2116 wrote to memory of 1160	2116	huyc.exe	20
PID 2116 wrote to memory of 1192	2116	huyc.exe	21
PID 2116 wrote to memory of 1192	2116	huyc.exe	21
PID 2116 wrote to memory of 1192	2116	huyc.exe	21
PID 2116 wrote to memory of 1192	2116	huyc.exe	21
PID 2116 wrote to memory of 1192	2116	huyc.exe	21
PID 2116 wrote to memory of 1736	2116	huyc.exe	25
PID 2116 wrote to memory of 1736	2116	huyc.exe	25
PID 2116 wrote to memory of 1736	2116	huyc.exe	25
PID 2116 wrote to memory of 1736	2116	huyc.exe	25
PID 2116 wrote to memory of 1736	2116	huyc.exe	25
PID 2116 wrote to memory of 2396	2116	huyc.exe	29
PID 2116 wrote to memory of 2396	2116	huyc.exe	29
PID 2116 wrote to memory of 2396	2116	huyc.exe	29
PID 2116 wrote to memory of 2396	2116	huyc.exe	29
PID 2116 wrote to memory of 2396	2116	huyc.exe	29
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31
PID 2396 wrote to memory of 264	2396	ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ff3f8d8d534839490b926ba04857a27a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Enidc\huyc.exe
    "C:\Users\Admin\AppData\Roaming\Enidc\huyc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe180b465.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:264

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe180b465.bat

Filesize
271B

MD5
ac40c65eff74b46fdb6c159104bf0188

SHA1
163e8f85530725b0f169b8d6d9e1962ef51c0893

SHA256
9e39999bd58f33d6c7afa4e82d7784f5bf52ecb03d406219e8e54397193eda87

SHA512
9d1095c287ab295ec1d885adf0712ed55487ab140ebd06c90ff3c5682783903feb2bda18de55aefc5ad383889d966132e590599128faaaada48ca96670bbef87

Download Submit
\Users\Admin\AppData\Roaming\Enidc\huyc.exe

Filesize
311KB

MD5
0930689f7c475ca8071b746dcf1f6047

SHA1
b6c13a5f72c863fca1d1c2d8ec8dc0405ba8691f

SHA256
df98eb5a5993e02e517bab3b922de945bcf802c965f757abe406033c5e00534e

SHA512
3b714faca7a1b7c828ea9cf38ea9e309652ce343c778b415535a06a48afb5e6e4303d6185fe583a67a4b8886e1740bb93d0da6c5eb2c3c5d0f64bc45fb9ca490

Download Submit
memory/1104-18-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1104-17-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1104-16-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1104-19-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1104-15-0x00000000021A0000-0x00000000021E4000-memory.dmp

Filesize
272KB

Download
memory/1160-23-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1160-21-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1160-22-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/1192-28-0x0000000002CF0000-0x0000000002D34000-memory.dmp

Filesize
272KB

Download
memory/1192-26-0x0000000002CF0000-0x0000000002D34000-memory.dmp

Filesize
272KB

Download
memory/1192-27-0x0000000002CF0000-0x0000000002D34000-memory.dmp

Filesize
272KB

Download
memory/1192-29-0x0000000002CF0000-0x0000000002D34000-memory.dmp

Filesize
272KB

Download
memory/1736-34-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1736-31-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1736-32-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/1736-33-0x0000000001BE0000-0x0000000001C24000-memory.dmp

Filesize
272KB

Download
memory/2116-280-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2116-288-0x0000000001380000-0x00000000013D9000-memory.dmp

Filesize
356KB

Download
memory/2116-12-0x0000000001380000-0x00000000013D9000-memory.dmp

Filesize
356KB

Download
memory/2116-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-130-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-67-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-57-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-55-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-51-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-49-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-47-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-45-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-43-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-41-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-40-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-39-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-37-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-36-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-61-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-63-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-65-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-59-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-69-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-73-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-75-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x00000000009B0000-0x0000000000A09000-memory.dmp

Filesize
356KB

Download
memory/2396-132-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-131-0x0000000077E80000-0x0000000077E81000-memory.dmp

Filesize
4KB

Download
memory/2396-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2396-38-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-11-0x0000000000160000-0x00000000001B9000-memory.dmp

Filesize
356KB

Download
memory/2396-157-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/2396-156-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-155-0x00000000009B0000-0x0000000000A09000-memory.dmp

Filesize
356KB

Download
memory/2396-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2396-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download