60d944fc9d35d169fd198227eb7e9798433f4fbdd0fd6fe1a5ab19d5aa5951c7

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
Size

351KB
MD5

03ba0d5523356aa0fd71fa7968f379b8
SHA1

da21a08cfdad488dd5efe50fc5d6968f177cb1ff
SHA256

60d944fc9d35d169fd198227eb7e9798433f4fbdd0fd6fe1a5ab19d5aa5951c7
SHA512

0b88231bb2b51008ceed877234bf299ef9d9e44544eb96650ea729e62311a7250751dbb5af62d99e149bd8edd305aef0d64fef0e108c068400129fe2cca514d2
SSDEEP

6144:78lhUbjntPDo/OQlpKz8O6KEO+MTKbJ4RQjjJxEI0Xh7PblyzY:Awt7oPaz8Vtxy4jFQ7jlys

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	uhba.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{ED60B7C8-3C80-AD4F-2955-D827011AFB3A} = "C:\\Users\\Admin\\AppData\\Roaming\\Utfuej\\uhba.exe"	uhba.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uhba.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe
2764	uhba.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
2764	uhba.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2764	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2764	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2764	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	29
PID 2000 wrote to memory of 2764	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	29
PID 2764 wrote to memory of 1128	2764	uhba.exe	18
PID 2764 wrote to memory of 1128	2764	uhba.exe	18
PID 2764 wrote to memory of 1128	2764	uhba.exe	18
PID 2764 wrote to memory of 1128	2764	uhba.exe	18
PID 2764 wrote to memory of 1128	2764	uhba.exe	18
PID 2764 wrote to memory of 1172	2764	uhba.exe	19
PID 2764 wrote to memory of 1172	2764	uhba.exe	19
PID 2764 wrote to memory of 1172	2764	uhba.exe	19
PID 2764 wrote to memory of 1172	2764	uhba.exe	19
PID 2764 wrote to memory of 1172	2764	uhba.exe	19
PID 2764 wrote to memory of 1200	2764	uhba.exe	20
PID 2764 wrote to memory of 1200	2764	uhba.exe	20
PID 2764 wrote to memory of 1200	2764	uhba.exe	20
PID 2764 wrote to memory of 1200	2764	uhba.exe	20
PID 2764 wrote to memory of 1200	2764	uhba.exe	20
PID 2764 wrote to memory of 1628	2764	uhba.exe	22
PID 2764 wrote to memory of 1628	2764	uhba.exe	22
PID 2764 wrote to memory of 1628	2764	uhba.exe	22
PID 2764 wrote to memory of 1628	2764	uhba.exe	22
PID 2764 wrote to memory of 1628	2764	uhba.exe	22
PID 2764 wrote to memory of 2000	2764	uhba.exe	28
PID 2764 wrote to memory of 2000	2764	uhba.exe	28
PID 2764 wrote to memory of 2000	2764	uhba.exe	28
PID 2764 wrote to memory of 2000	2764	uhba.exe	28
PID 2764 wrote to memory of 2000	2764	uhba.exe	28
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30
PID 2000 wrote to memory of 2616	2000	03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe	30

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\03ba0d5523356aa0fd71fa7968f379b8_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Roaming\Utfuej\uhba.exe
    "C:\Users\Admin\AppData\Roaming\Utfuej\uhba.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc51bd73f.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc51bd73f.bat

Filesize
271B

MD5
eb9b6dd7c45bb29f97c908b99a93c3df

SHA1
f72ba1a96ffae7afaba59c9f6ef8d936d30def4a

SHA256
1e6c59879955bcaa16779b04a8620d8ba19df51fb780b193eb8aa1b8f0177526

SHA512
fdcb082bf842a96d51bf734c0506229d4dcb5a8575f6802ef57f52cc3e1146aa87d966b5a5b42a2eecaa77e9ba5bb0391fde778d73708f37cefedb63d5a05149

Download Submit
\Users\Admin\AppData\Roaming\Utfuej\uhba.exe

Filesize
351KB

MD5
07e0b593bca36b05219b2dc0a0cfc075

SHA1
0fa25d969bf0e0a203bb3726a753bd446d420114

SHA256
71061baf1643258a99328d1c4570fdd51075ebb0cd46c214f2463c8321ee7834

SHA512
57b6d6f9b4d8579a3ccfcaef6de2df7d41c9dfe127a143b525a7c2114dff0cfdbb620c55e9e5647f60f4aa8766ac3efb34ba6bb7543bcab8447fd9167661483b

Download Submit
memory/1128-14-0x0000000001E10000-0x0000000001E57000-memory.dmp

Filesize
284KB

Download
memory/1128-16-0x0000000001E10000-0x0000000001E57000-memory.dmp

Filesize
284KB

Download
memory/1128-18-0x0000000001E10000-0x0000000001E57000-memory.dmp

Filesize
284KB

Download
memory/1128-15-0x0000000001E10000-0x0000000001E57000-memory.dmp

Filesize
284KB

Download
memory/1128-17-0x0000000001E10000-0x0000000001E57000-memory.dmp

Filesize
284KB

Download
memory/1172-20-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1172-23-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1172-22-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1172-21-0x0000000000120000-0x0000000000167000-memory.dmp

Filesize
284KB

Download
memory/1200-25-0x0000000002AC0000-0x0000000002B07000-memory.dmp

Filesize
284KB

Download
memory/1200-28-0x0000000002AC0000-0x0000000002B07000-memory.dmp

Filesize
284KB

Download
memory/1200-27-0x0000000002AC0000-0x0000000002B07000-memory.dmp

Filesize
284KB

Download
memory/1200-26-0x0000000002AC0000-0x0000000002B07000-memory.dmp

Filesize
284KB

Download
memory/1628-35-0x00000000021E0000-0x0000000002227000-memory.dmp

Filesize
284KB

Download
memory/1628-33-0x00000000021E0000-0x0000000002227000-memory.dmp

Filesize
284KB

Download
memory/1628-31-0x00000000021E0000-0x0000000002227000-memory.dmp

Filesize
284KB

Download
memory/1628-37-0x00000000021E0000-0x0000000002227000-memory.dmp

Filesize
284KB

Download
memory/2000-52-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-48-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-40-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-54-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-3-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-41-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-66-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-65-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2000-44-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-53-0x00000000778C0000-0x00000000778C1000-memory.dmp

Filesize
4KB

Download
memory/2000-4-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-42-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-43-0x0000000001F60000-0x0000000001FA7000-memory.dmp

Filesize
284KB

Download
memory/2000-45-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-46-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-47-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-49-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-50-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2000-0-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2616-82-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-75-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-60-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-62-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-64-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-71-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-72-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-73-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-74-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-63-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-76-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-77-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2616-78-0x0000000000050000-0x0000000000097000-memory.dmp

Filesize
284KB

Download
memory/2616-79-0x00000000778C0000-0x00000000778C1000-memory.dmp

Filesize
4KB

Download
memory/2764-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2764-67-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2764-57-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2764-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2764-84-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2764-85-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download