e4b6fbc234ec4d39af97575c2ece95013bee0fc4b5c048a3973dad1e05208846

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe
Size

307KB
MD5

0cecfe58f0a6eb2060b764de7b5d4d25
SHA1

059931810b670e242a5a34fba8944700c3fa38b0
SHA256

e4b6fbc234ec4d39af97575c2ece95013bee0fc4b5c048a3973dad1e05208846
SHA512

c7367a50ab369c13722bb02bc41f7662a779ebc6a89c45345ef03675782993113109b102106ed9c683c6ef6f9c82911e82d682efbc624da13ba7da72401007e1
SSDEEP

6144:EjTjr7rLrLrLrbrrrxB0pBlVdfheBOt2dSsYxzWmgI6rJwfXFq2rV4wl5r8ynX/D:Gnr7rLrLrLrbrrrxB0blV5EOtfsYxzgV

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	nyqoos.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe
2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nyqoos = "C:\\Users\\Admin\\AppData\\Roaming\\Magu\\nyqoos.exe"	nyqoos.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyqoos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe
2696	nyqoos.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2696	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2696	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2696	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2696	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1124	2696	nyqoos.exe	19
PID 2696 wrote to memory of 1124	2696	nyqoos.exe	19
PID 2696 wrote to memory of 1124	2696	nyqoos.exe	19
PID 2696 wrote to memory of 1124	2696	nyqoos.exe	19
PID 2696 wrote to memory of 1124	2696	nyqoos.exe	19
PID 2696 wrote to memory of 1172	2696	nyqoos.exe	20
PID 2696 wrote to memory of 1172	2696	nyqoos.exe	20
PID 2696 wrote to memory of 1172	2696	nyqoos.exe	20
PID 2696 wrote to memory of 1172	2696	nyqoos.exe	20
PID 2696 wrote to memory of 1172	2696	nyqoos.exe	20
PID 2696 wrote to memory of 1268	2696	nyqoos.exe	21
PID 2696 wrote to memory of 1268	2696	nyqoos.exe	21
PID 2696 wrote to memory of 1268	2696	nyqoos.exe	21
PID 2696 wrote to memory of 1268	2696	nyqoos.exe	21
PID 2696 wrote to memory of 1268	2696	nyqoos.exe	21
PID 2696 wrote to memory of 1536	2696	nyqoos.exe	25
PID 2696 wrote to memory of 1536	2696	nyqoos.exe	25
PID 2696 wrote to memory of 1536	2696	nyqoos.exe	25
PID 2696 wrote to memory of 1536	2696	nyqoos.exe	25
PID 2696 wrote to memory of 1536	2696	nyqoos.exe	25
PID 2696 wrote to memory of 2644	2696	nyqoos.exe	29
PID 2696 wrote to memory of 2644	2696	nyqoos.exe	29
PID 2696 wrote to memory of 2644	2696	nyqoos.exe	29
PID 2696 wrote to memory of 2644	2696	nyqoos.exe	29
PID 2696 wrote to memory of 2644	2696	nyqoos.exe	29
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3004	2644	0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0cecfe58f0a6eb2060b764de7b5d4d25_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Magu\nyqoos.exe
    "C:\Users\Admin\AppData\Roaming\Magu\nyqoos.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\QZZB85E.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:3004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QZZB85E.bat

Filesize
267B

MD5
f89a4e45307bdf92a3a8fb7872f88520

SHA1
e93077ccc1ee4e75d0656c6a95241ee3a360bd23

SHA256
0e67d8027e4068ce4a4577661446a3c5c609896214271923873523d63d215964

SHA512
929be37d541f838f3b571c78e8bf50b299ac4be5c153b15c4b0ac015af5e8de8fed85675994a15d89cb78fc2530cb23e0314db0332f567d97f3dda374c63f895

Download Submit
\Users\Admin\AppData\Roaming\Magu\nyqoos.exe

Filesize
307KB

MD5
fe91a63c3d2b69fb40e1124f1d2315b7

SHA1
d88d16c57b3c0325a04c653e52310f7cee0db91b

SHA256
8b9f67484b8b3da3f9510d12bc589d246039a830b0f813f448da966c58f14a11

SHA512
adf7eb5a04b59b3934129c0b4272f0ff9c0fefffca6d0b484f99cd4e66ac993e70cab2c565071d71b5d5f1b3e45301f5d11105203726aa679e7cb7cb9ed13d8f

Download Submit
memory/1124-18-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/1124-17-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/1124-19-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/1124-16-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/1124-20-0x0000000000310000-0x0000000000359000-memory.dmp

Filesize
292KB

Download
memory/1172-23-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1172-24-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1172-26-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1172-25-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1268-30-0x00000000040A0000-0x00000000040E9000-memory.dmp

Filesize
292KB

Download
memory/1268-31-0x00000000040A0000-0x00000000040E9000-memory.dmp

Filesize
292KB

Download
memory/1268-29-0x00000000040A0000-0x00000000040E9000-memory.dmp

Filesize
292KB

Download
memory/1268-28-0x00000000040A0000-0x00000000040E9000-memory.dmp

Filesize
292KB

Download
memory/1536-33-0x0000000002380000-0x00000000023C9000-memory.dmp

Filesize
292KB

Download
memory/1536-36-0x0000000002380000-0x00000000023C9000-memory.dmp

Filesize
292KB

Download
memory/1536-35-0x0000000002380000-0x00000000023C9000-memory.dmp

Filesize
292KB

Download
memory/1536-34-0x0000000002380000-0x00000000023C9000-memory.dmp

Filesize
292KB

Download
memory/2644-43-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-39-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2644-41-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-42-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-44-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-51-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/2644-50-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-49-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-48-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-47-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-46-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2644-45-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2644-40-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2644-38-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2644-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2644-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2644-52-0x00000000003B0000-0x00000000003F9000-memory.dmp

Filesize
292KB

Download
memory/2696-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-12-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2696-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2696-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3004-56-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/3004-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-65-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-73-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/3004-63-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-64-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-66-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-68-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-69-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/3004-70-0x0000000077B20000-0x0000000077B21000-memory.dmp

Filesize
4KB

Download
memory/3004-67-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3004-58-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/3004-60-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/3004-59-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download