8b77ce8598009e0cc925eb527e43cd7d246aadaf4ab11ad0568e3815c9150979

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 11:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe
Size

304KB
MD5

0a5ebf792be2e1d1f5d9265e9f610dc0
SHA1

49f3dcc8f3057729e4f7a5c508783362c2543ce0
SHA256

8b77ce8598009e0cc925eb527e43cd7d246aadaf4ab11ad0568e3815c9150979
SHA512

71fb5053872d8568beb5ba2df4168a93d888ad56d1d012209d60fd424f6d5fa6c45618ec2e46b59bfe8503ce5f4fa18834bf03547d4f31472a18ff922cb499e9
SSDEEP

6144:f/N8wtbIilChnoT449QVz74Yf7h7OYS0pG4fE8uv5j9:Xqwl3lChoc49WkgKYS0pfERX

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
436	oxawi.exe

Loads dropped DLL 2 IoCs

pid	Process
1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe
1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\{ED60B7C8-3C80-AD4F-2955-D827011AFB3A} = "C:\\Users\\Admin\\AppData\\Roaming\\Vayf\\oxawi.exe"	oxawi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxawi.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe
436	oxawi.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 436	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	30
PID 1428 wrote to memory of 436	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	30
PID 1428 wrote to memory of 436	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	30
PID 1428 wrote to memory of 436	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	30
PID 436 wrote to memory of 1104	436	oxawi.exe	19
PID 436 wrote to memory of 1104	436	oxawi.exe	19
PID 436 wrote to memory of 1104	436	oxawi.exe	19
PID 436 wrote to memory of 1104	436	oxawi.exe	19
PID 436 wrote to memory of 1104	436	oxawi.exe	19
PID 436 wrote to memory of 1168	436	oxawi.exe	20
PID 436 wrote to memory of 1168	436	oxawi.exe	20
PID 436 wrote to memory of 1168	436	oxawi.exe	20
PID 436 wrote to memory of 1168	436	oxawi.exe	20
PID 436 wrote to memory of 1168	436	oxawi.exe	20
PID 436 wrote to memory of 1212	436	oxawi.exe	21
PID 436 wrote to memory of 1212	436	oxawi.exe	21
PID 436 wrote to memory of 1212	436	oxawi.exe	21
PID 436 wrote to memory of 1212	436	oxawi.exe	21
PID 436 wrote to memory of 1212	436	oxawi.exe	21
PID 436 wrote to memory of 856	436	oxawi.exe	23
PID 436 wrote to memory of 856	436	oxawi.exe	23
PID 436 wrote to memory of 856	436	oxawi.exe	23
PID 436 wrote to memory of 856	436	oxawi.exe	23
PID 436 wrote to memory of 856	436	oxawi.exe	23
PID 436 wrote to memory of 1428	436	oxawi.exe	29
PID 436 wrote to memory of 1428	436	oxawi.exe	29
PID 436 wrote to memory of 1428	436	oxawi.exe	29
PID 436 wrote to memory of 1428	436	oxawi.exe	29
PID 436 wrote to memory of 1428	436	oxawi.exe	29
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 1428 wrote to memory of 2836	1428	0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe	31
PID 436 wrote to memory of 1688	436	oxawi.exe	34
PID 436 wrote to memory of 1688	436	oxawi.exe	34
PID 436 wrote to memory of 1688	436	oxawi.exe	34
PID 436 wrote to memory of 1688	436	oxawi.exe	34
PID 436 wrote to memory of 1688	436	oxawi.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0a5ebf792be2e1d1f5d9265e9f610dc0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Roaming\Vayf\oxawi.exe
    "C:\Users\Admin\AppData\Roaming\Vayf\oxawi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp96f3d76c.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2836

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp96f3d76c.bat

Filesize
271B

MD5
0c7a102974242a719c0256242c7f76c7

SHA1
c3fa812db69efe0d6278f02f376fd68fd247a926

SHA256
ee93d7e710fe1bd5794826a1c4eeb119f4dea7d7b88a8b4803915cc0b740c644

SHA512
17cedfe135a1892e4e80980230f1edf24d286afaf583e0525270869c29719e145bc4711edf439606c9f17e6369780d0379f42a67d576bf65efd54852073ee944

Download Submit
C:\Users\Admin\AppData\Roaming\Vayf\oxawi.exe

Filesize
304KB

MD5
2c1f63dc73a5a56154716bd038776202

SHA1
076e0068e60bfcd3edd3cd8e57dbca44ce3d940d

SHA256
ebbf23cb5990c9461425da2b8fa601bbbdb3b5ee27bee9c807f63cedd4635cf5

SHA512
c05bcda188de4936dd05d765de0a27e84171fa78c505269cb51b4ed0c4761a6b30dc7f129c4ba8022b16731501ab924900b4c502d0406891a5e98a2ffbcf21dc

Download Submit
memory/436-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-12-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/436-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-73-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/436-75-0x00000000050E0000-0x00000000050F1000-memory.dmp

Filesize
68KB

Download
memory/436-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/436-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/856-32-0x0000000001C50000-0x0000000001C9C000-memory.dmp

Filesize
304KB

Download
memory/856-34-0x0000000001C50000-0x0000000001C9C000-memory.dmp

Filesize
304KB

Download
memory/856-33-0x0000000001C50000-0x0000000001C9C000-memory.dmp

Filesize
304KB

Download
memory/856-31-0x0000000001C50000-0x0000000001C9C000-memory.dmp

Filesize
304KB

Download
memory/1104-15-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/1104-18-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/1104-16-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/1104-17-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/1104-19-0x0000000001E40000-0x0000000001E8C000-memory.dmp

Filesize
304KB

Download
memory/1168-22-0x0000000001AD0000-0x0000000001B1C000-memory.dmp

Filesize
304KB

Download
memory/1168-23-0x0000000001AD0000-0x0000000001B1C000-memory.dmp

Filesize
304KB

Download
memory/1168-24-0x0000000001AD0000-0x0000000001B1C000-memory.dmp

Filesize
304KB

Download
memory/1168-21-0x0000000001AD0000-0x0000000001B1C000-memory.dmp

Filesize
304KB

Download
memory/1212-26-0x0000000002B00000-0x0000000002B4C000-memory.dmp

Filesize
304KB

Download
memory/1212-27-0x0000000002B00000-0x0000000002B4C000-memory.dmp

Filesize
304KB

Download
memory/1212-28-0x0000000002B00000-0x0000000002B4C000-memory.dmp

Filesize
304KB

Download
memory/1212-29-0x0000000002B00000-0x0000000002B4C000-memory.dmp

Filesize
304KB

Download
memory/1428-43-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-47-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-42-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-41-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-40-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-38-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-37-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-36-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-44-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-39-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-1-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1428-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1428-45-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1428-49-0x0000000001D80000-0x0000000001DCC000-memory.dmp

Filesize
304KB

Download
memory/1428-48-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/1428-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1428-59-0x00000000050E0000-0x00000000050F1000-memory.dmp

Filesize
68KB

Download
memory/1428-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2836-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-66-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-70-0x00000000779E0000-0x00000000779E1000-memory.dmp

Filesize
4KB

Download
memory/2836-65-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-71-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-67-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-64-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-63-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-57-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-61-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2836-60-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-56-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-55-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download
memory/2836-53-0x0000000000050000-0x000000000009C000-memory.dmp

Filesize
304KB

Download