da4426ff47d34467a485ba86db8e13c6bc90db0efade674835ddd8d06668442b

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
Size

327KB
MD5

0179143b053e9cfd1bef9f1010533012
SHA1

d8e24c24ae8d3041699c68f9ce05854852c07fa3
SHA256

da4426ff47d34467a485ba86db8e13c6bc90db0efade674835ddd8d06668442b
SHA512

6e3e33b6a0efdb7f4921aa8726f53d678054b666dd46e49a38ca7f2f5a2b947cfcdfbc844ccc5f944bb2d6721cabf68e290235dc39a84911bd34c0d243a51b08
SSDEEP

6144:d00NrmYDHTMu2WRBBHf2qVmEoJ2aWOCbuIpVfNCLcQP9en:d00NKYDoYhZVmdtWOCbuYacQO

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1848	idarqy.exe
2600	idarqy.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D3EA3BE8-3C80-AD4F-223E-C0310034E32C} = "C:\\Users\\Admin\\AppData\\Roaming\\Irjo\\idarqy.exe"	idarqy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1848 set thread context of 2600	1848	idarqy.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idarqy.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe
2600	idarqy.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2900	1864	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	30
PID 2900 wrote to memory of 1848	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	31
PID 2900 wrote to memory of 1848	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	31
PID 2900 wrote to memory of 1848	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	31
PID 2900 wrote to memory of 1848	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	31
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 1848 wrote to memory of 2600	1848	idarqy.exe	32
PID 2900 wrote to memory of 2700	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2700	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2700	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	33
PID 2900 wrote to memory of 2700	2900	0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe	33
PID 2600 wrote to memory of 1044	2600	idarqy.exe	17
PID 2600 wrote to memory of 1044	2600	idarqy.exe	17
PID 2600 wrote to memory of 1044	2600	idarqy.exe	17
PID 2600 wrote to memory of 1044	2600	idarqy.exe	17
PID 2600 wrote to memory of 1044	2600	idarqy.exe	17
PID 2600 wrote to memory of 1068	2600	idarqy.exe	18
PID 2600 wrote to memory of 1068	2600	idarqy.exe	18
PID 2600 wrote to memory of 1068	2600	idarqy.exe	18
PID 2600 wrote to memory of 1068	2600	idarqy.exe	18
PID 2600 wrote to memory of 1068	2600	idarqy.exe	18
PID 2600 wrote to memory of 1128	2600	idarqy.exe	20
PID 2600 wrote to memory of 1128	2600	idarqy.exe	20
PID 2600 wrote to memory of 1128	2600	idarqy.exe	20
PID 2600 wrote to memory of 1128	2600	idarqy.exe	20
PID 2600 wrote to memory of 1128	2600	idarqy.exe	20
PID 2600 wrote to memory of 1996	2600	idarqy.exe	23
PID 2600 wrote to memory of 1996	2600	idarqy.exe	23
PID 2600 wrote to memory of 1996	2600	idarqy.exe	23
PID 2600 wrote to memory of 1996	2600	idarqy.exe	23
PID 2600 wrote to memory of 1996	2600	idarqy.exe	23
PID 2600 wrote to memory of 2700	2600	idarqy.exe	33
PID 2600 wrote to memory of 2700	2600	idarqy.exe	33
PID 2600 wrote to memory of 2700	2600	idarqy.exe	33
PID 2600 wrote to memory of 2700	2600	idarqy.exe	33
PID 2600 wrote to memory of 2700	2600	idarqy.exe	33
PID 2600 wrote to memory of 2772	2600	idarqy.exe	34
PID 2600 wrote to memory of 2772	2600	idarqy.exe	34
PID 2600 wrote to memory of 2772	2600	idarqy.exe	34
PID 2600 wrote to memory of 2772	2600	idarqy.exe	34
PID 2600 wrote to memory of 2772	2600	idarqy.exe	34

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0179143b053e9cfd1bef9f1010533012_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\Irjo\idarqy.exe
      "C:\Users\Admin\AppData\Roaming\Irjo\idarqy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Roaming\Irjo\idarqy.exe
        
        "C:\Users\Admin\AppData\Roaming\Irjo\idarqy.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6724a44c.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1535875154545393133-462856394-1939856890-1944352967728850034-524358459-1154506341"
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6724a44c.bat

Filesize
271B

MD5
c7c0b2c6c9cf2fbedbc936f273c59e76

SHA1
7e1b90da8a68147afcae5761a134060e287ce7de

SHA256
618ee2025c609ba5e979b54c7ab09380a6f61074147725c7b5bfe2347ca8c59b

SHA512
390d07c666c4a6ace2f7332240faf66a26152cfef20cd483452014bf1364583ee8fe79b95a70ba6d9d8a3d10e7e1169566adbefd9e858b7808d666aabbc51cab

Download Submit
C:\Users\Admin\AppData\Roaming\Irjo\idarqy.exe

Filesize
327KB

MD5
2d40c13d069bb0f46c465eeae0908d59

SHA1
d106e4106ec8ab3996c00f8ed42b5cc7b78dc7ea

SHA256
db9c4c8cd55d02e671f1677482df510fe78cff0a4d7141fc59edce58f5213b09

SHA512
d45a9c8fe4f21404e616b3d1cba951120ed3cf98c22657b387debc45bcc2c11075a550458bc96921fb057f81ab99b9f9863ad8e06ea61ed4b96be49aed80d1d1

Download Submit
memory/1044-56-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1044-58-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1044-60-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1044-62-0x0000000002040000-0x0000000002084000-memory.dmp

Filesize
272KB

Download
memory/1068-65-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1068-66-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1068-67-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1068-68-0x00000000022A0000-0x00000000022E4000-memory.dmp

Filesize
272KB

Download
memory/1128-73-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1128-72-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1128-71-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1128-70-0x00000000024D0000-0x0000000002514000-memory.dmp

Filesize
272KB

Download
memory/1848-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1848-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1864-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1864-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1996-75-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1996-76-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1996-77-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1996-78-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/2600-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2600-51-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2700-82-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-85-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-83-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-84-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-80-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-171-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2700-191-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-81-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2700-94-0x0000000077500000-0x0000000077501000-memory.dmp

Filesize
4KB

Download
memory/2700-86-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2900-28-0x0000000000490000-0x00000000004E7000-memory.dmp

Filesize
348KB

Download
memory/2900-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-29-0x0000000000490000-0x00000000004E7000-memory.dmp

Filesize
348KB

Download
memory/2900-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download