68fa0f7a449e7df16b57ebd727ce1081c81a1a4d6980a680e03f730b4836d44b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
Size

163KB
MD5

0961737a83eb09be3ae6d2facf66585b
SHA1

a173534e27843fda1d43770e145d157cbe35f911
SHA256

68fa0f7a449e7df16b57ebd727ce1081c81a1a4d6980a680e03f730b4836d44b
SHA512

47e2a21b31a3ebf26be791374d38bbff1605e707965ab3dcdc935b9c07d7d9d5604207441c802fc8e55ad8cb3de1265a1b1dc93e8bd77c002fe948d1cbe377ae
SSDEEP

3072:R5Qs1OAoJgp6z22G/wTa7lDyr/vzq2/P2I1k3U+BTNLIK1yZj73833xWfZ:RNcgg24el2bvO2/P2jTNLIyyZ8O

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	udag.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7C82AFB3-67CB-EC09-037D-EDB098D60130} = "C:\\Users\\Admin\\AppData\\Roaming\\Epox\\udag.exe"	udag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/files/0x000800000001925c-6.dat	upx
behavioral1/memory/2504-12-0x00000000004D0000-0x000000000052F000-memory.dmp	upx
behavioral1/memory/2548-15-0x0000000000400000-0x000000000045F000-memory.dmp	upx
behavioral1/memory/2548-16-0x0000000000400000-0x000000000045F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe
2548	udag.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
Token: SeSecurityPrivilege	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
Token: SeSecurityPrivilege	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2548	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2548	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2548	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2548	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1104	2548	udag.exe	19
PID 2548 wrote to memory of 1104	2548	udag.exe	19
PID 2548 wrote to memory of 1104	2548	udag.exe	19
PID 2548 wrote to memory of 1104	2548	udag.exe	19
PID 2548 wrote to memory of 1104	2548	udag.exe	19
PID 2548 wrote to memory of 1160	2548	udag.exe	20
PID 2548 wrote to memory of 1160	2548	udag.exe	20
PID 2548 wrote to memory of 1160	2548	udag.exe	20
PID 2548 wrote to memory of 1160	2548	udag.exe	20
PID 2548 wrote to memory of 1160	2548	udag.exe	20
PID 2548 wrote to memory of 1192	2548	udag.exe	21
PID 2548 wrote to memory of 1192	2548	udag.exe	21
PID 2548 wrote to memory of 1192	2548	udag.exe	21
PID 2548 wrote to memory of 1192	2548	udag.exe	21
PID 2548 wrote to memory of 1192	2548	udag.exe	21
PID 2548 wrote to memory of 1736	2548	udag.exe	25
PID 2548 wrote to memory of 1736	2548	udag.exe	25
PID 2548 wrote to memory of 1736	2548	udag.exe	25
PID 2548 wrote to memory of 1736	2548	udag.exe	25
PID 2548 wrote to memory of 1736	2548	udag.exe	25
PID 2548 wrote to memory of 2504	2548	udag.exe	29
PID 2548 wrote to memory of 2504	2548	udag.exe	29
PID 2548 wrote to memory of 2504	2548	udag.exe	29
PID 2548 wrote to memory of 2504	2548	udag.exe	29
PID 2548 wrote to memory of 2504	2548	udag.exe	29
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2504 wrote to memory of 2344	2504	0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1872	2548	udag.exe	33
PID 2548 wrote to memory of 1872	2548	udag.exe	33
PID 2548 wrote to memory of 1872	2548	udag.exe	33
PID 2548 wrote to memory of 1872	2548	udag.exe	33
PID 2548 wrote to memory of 1872	2548	udag.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0961737a83eb09be3ae6d2facf66585b_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Roaming\Epox\udag.exe
    "C:\Users\Admin\AppData\Roaming\Epox\udag.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp12589912.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp12589912.bat

Filesize
271B

MD5
8f981d8f1f1c83dbffb3b6eacd27a5f5

SHA1
4ec3e2a7e60a6c7d03dbb9025a86c84be56f5348

SHA256
6f4aa4a78255e224096131bb5021bc8bdff1b2663bd4acee3d85abdce2c4284c

SHA512
72c42dd7c28cd94b28c1b8f5c85b157fbfb0ae40450bb90bf799f698b84f2d3b7a7e753ae33b504d74374c6cc0107ea64f4a49d0763cf4a6416266351a3535e8

Download Submit
C:\Users\Admin\AppData\Roaming\Quiviv\wiun.buh

Filesize
380B

MD5
4db9edc9a8112582eb4fa0686d18b7f5

SHA1
c24129e5ae60c478ae2983e2fae537794df688ef

SHA256
31970c25237c2dccbfa641c23cee3548ece5840cefd328813cc19560114cfa93

SHA512
392dcd3d17b2ae8c24cf9320d01e9b35090bc66130830875c3422df242bc369696a3321808a68875bc3af5fbd59cdf491b0ca92f9b53acc803aed70d95d8dcfd

Download Submit
\Users\Admin\AppData\Roaming\Epox\udag.exe

Filesize
163KB

MD5
1e4a027e8973d40105c6af16fef1f4c2

SHA1
36ef0878f4d9980a8f25e8a80c9aba1443517ff9

SHA256
d8aec70da57fb4e99efddf24c974a31d03c36e05e77f5c169aeea6aa0a76b3b6

SHA512
cfed6b3dd39332306d059965d9602be033fec521b181f170af42aa18ff32a77323f785f3b0d88e57a1de52805bdefe6233ee9f0f0c9af80331122b018700fe6d

Download Submit
memory/1104-20-0x0000000002070000-0x0000000002095000-memory.dmp

Filesize
148KB

Download
memory/1104-26-0x0000000002070000-0x0000000002095000-memory.dmp

Filesize
148KB

Download
memory/1104-28-0x0000000002070000-0x0000000002095000-memory.dmp

Filesize
148KB

Download
memory/1104-22-0x0000000002070000-0x0000000002095000-memory.dmp

Filesize
148KB

Download
memory/1104-24-0x0000000002070000-0x0000000002095000-memory.dmp

Filesize
148KB

Download
memory/1160-32-0x00000000002C0000-0x00000000002E5000-memory.dmp

Filesize
148KB

Download
memory/1160-31-0x00000000002C0000-0x00000000002E5000-memory.dmp

Filesize
148KB

Download
memory/1160-33-0x00000000002C0000-0x00000000002E5000-memory.dmp

Filesize
148KB

Download
memory/1160-34-0x00000000002C0000-0x00000000002E5000-memory.dmp

Filesize
148KB

Download
memory/1192-36-0x0000000002D00000-0x0000000002D25000-memory.dmp

Filesize
148KB

Download
memory/1192-37-0x0000000002D00000-0x0000000002D25000-memory.dmp

Filesize
148KB

Download
memory/1192-38-0x0000000002D00000-0x0000000002D25000-memory.dmp

Filesize
148KB

Download
memory/1192-39-0x0000000002D00000-0x0000000002D25000-memory.dmp

Filesize
148KB

Download
memory/1736-43-0x0000000001F30000-0x0000000001F55000-memory.dmp

Filesize
148KB

Download
memory/1736-44-0x0000000001F30000-0x0000000001F55000-memory.dmp

Filesize
148KB

Download
memory/1736-41-0x0000000001F30000-0x0000000001F55000-memory.dmp

Filesize
148KB

Download
memory/1736-42-0x0000000001F30000-0x0000000001F55000-memory.dmp

Filesize
148KB

Download
memory/2504-49-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2504-82-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-66-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-53-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2504-52-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2504-0-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2504-47-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2504-70-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-72-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-74-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-78-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-80-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-149-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2504-17-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2504-68-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-64-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-62-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-58-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-56-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2504-55-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2504-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2504-13-0x00000000004D0000-0x000000000052F000-memory.dmp

Filesize
380KB

Download
memory/2504-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2504-12-0x00000000004D0000-0x000000000052F000-memory.dmp

Filesize
380KB

Download
memory/2504-3-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2504-150-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/2548-18-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2548-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2548-16-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2548-266-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download