44baa5aaed9f78e17a1babbc05adc7c216d62094923e0d6a8e63cdb63639ebc5

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022957615231378d6c11626438f6b289_JaffaCakes118.exe
Size

375KB
MD5

022957615231378d6c11626438f6b289
SHA1

12640c19e4aabb92b4ad8719b55c374773e2d8ac
SHA256

44baa5aaed9f78e17a1babbc05adc7c216d62094923e0d6a8e63cdb63639ebc5
SHA512

ebe713c7a7fa8f3db7dd547d81588d712a9a096f3dc8792c04ef4d13c875f495eee3025cd91ea3e07e8be3f467451d2a3f6eeefdd73ee9300e0103827be15433
SSDEEP

6144:ELCJXov/nbDRSVCdUgc6NW5pKpJK4g1lP0ukV/dE:RXU/HmL1jYK4g1lp5

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2344	ipycy.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe
2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D95D62C8-3C80-AD4F-B5A1-F2FF8485D1E2} = "C:\\Users\\Admin\\AppData\\Roaming\\Efboax\\ipycy.exe"	ipycy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	022957615231378d6c11626438f6b289_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipycy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	022957615231378d6c11626438f6b289_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy	022957615231378d6c11626438f6b289_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe
2344	ipycy.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe
2344	ipycy.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2344	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2344	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2344	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2344	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	30
PID 2344 wrote to memory of 1112	2344	ipycy.exe	19
PID 2344 wrote to memory of 1112	2344	ipycy.exe	19
PID 2344 wrote to memory of 1112	2344	ipycy.exe	19
PID 2344 wrote to memory of 1112	2344	ipycy.exe	19
PID 2344 wrote to memory of 1112	2344	ipycy.exe	19
PID 2344 wrote to memory of 1188	2344	ipycy.exe	20
PID 2344 wrote to memory of 1188	2344	ipycy.exe	20
PID 2344 wrote to memory of 1188	2344	ipycy.exe	20
PID 2344 wrote to memory of 1188	2344	ipycy.exe	20
PID 2344 wrote to memory of 1188	2344	ipycy.exe	20
PID 2344 wrote to memory of 1248	2344	ipycy.exe	21
PID 2344 wrote to memory of 1248	2344	ipycy.exe	21
PID 2344 wrote to memory of 1248	2344	ipycy.exe	21
PID 2344 wrote to memory of 1248	2344	ipycy.exe	21
PID 2344 wrote to memory of 1248	2344	ipycy.exe	21
PID 2344 wrote to memory of 608	2344	ipycy.exe	25
PID 2344 wrote to memory of 608	2344	ipycy.exe	25
PID 2344 wrote to memory of 608	2344	ipycy.exe	25
PID 2344 wrote to memory of 608	2344	ipycy.exe	25
PID 2344 wrote to memory of 608	2344	ipycy.exe	25
PID 2344 wrote to memory of 2092	2344	ipycy.exe	29
PID 2344 wrote to memory of 2092	2344	ipycy.exe	29
PID 2344 wrote to memory of 2092	2344	ipycy.exe	29
PID 2344 wrote to memory of 2092	2344	ipycy.exe	29
PID 2344 wrote to memory of 2092	2344	ipycy.exe	29
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2016	2092	022957615231378d6c11626438f6b289_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\022957615231378d6c11626438f6b289_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\022957615231378d6c11626438f6b289_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Roaming\Efboax\ipycy.exe
    "C:\Users\Admin\AppData\Roaming\Efboax\ipycy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp901861a2.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp901861a2.bat

Filesize
271B

MD5
29b58d9ac74248eb6eb04651ce6381f2

SHA1
da7bd2113304cd8d95203b425e815e043b6856c7

SHA256
3d17a28c05a19adc2ba6494f6f8467ad3a0effeea110d7d300dbdf501e0829ef

SHA512
5b4a4cbcc71f7dde46e8c8fcb07e565a06fab1c948e9338af93d83b7193c99dae6ac562d7f44ac6004f730833f80c6ba52fd80b5c883f5f14e9b157ed4532bbf

Download Submit
C:\Users\Admin\AppData\Roaming\Efboax\ipycy.exe

Filesize
375KB

MD5
63297cb1cc047510b568cc9d6bf08594

SHA1
cb9a68a4910c9f95c2f3b3697c5875d19e70174a

SHA256
6655e43d4945b3106e4117695af94627a7255f38e42857adbc34d2fa8cacbe9c

SHA512
bd77a216704d0feed4b6c76ad9fa06cf17fdd74ea737f18d0fd347f05828cc4b0caf88410c44e85a54e769f7f004a0456c20e9b0a2e53c2432cf5f971dcf7737

Download Submit
memory/608-51-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/608-55-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/608-49-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/608-53-0x0000000001EB0000-0x0000000001EF4000-memory.dmp

Filesize
272KB

Download
memory/1112-23-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1112-19-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1112-27-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1112-25-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1112-21-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1188-32-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1188-35-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1188-31-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1188-33-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1248-39-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1248-45-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1248-41-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1248-43-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/2092-65-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2092-76-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-68-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-67-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2092-78-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-63-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2092-61-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2092-59-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/2092-147-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-146-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/2092-80-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-72-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-74-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-70-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2092-0-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2092-1-0x0000000000470000-0x00000000004D1000-memory.dmp

Filesize
388KB

Download
memory/2092-170-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2092-171-0x0000000000470000-0x00000000004D1000-memory.dmp

Filesize
388KB

Download
memory/2092-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2092-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-16-0x0000000000470000-0x00000000004D1000-memory.dmp

Filesize
388KB

Download
memory/2344-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-15-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2344-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download