dca89b7b45e972dff06dfa24d2e3b74b42c3b28398f0e56caa9703f882291818

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
Size

351KB
MD5

0b49af01e1f10f569c7991803dc4e9cb
SHA1

918c236ba677f8f2bd6b9644b9af860534d474f4
SHA256

dca89b7b45e972dff06dfa24d2e3b74b42c3b28398f0e56caa9703f882291818
SHA512

c05e18433a13632fea0e8ffd54549054aaa3002219c0522f544d001b3fec54b0d6c5557e5f4432c61683202f703b8f2e7462f884bb34198d1699de73a4bd061d
SSDEEP

6144:Zs6XtQFiH4SgDfi5lAWAm4WYuQzbq59R18f9n6JD/pE4DjH:Zs6HYpfickYDbq59R181A/pE4DjH

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
680	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3004	aporap.exe
2632	aporap.exe

Loads dropped DLL 3 IoCs

pid	Process
2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
3004	aporap.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D5718048-3C80-AD4F-91EC-8CC98FD5AFD4} = "C:\\Users\\Admin\\AppData\\Roaming\\Ehkux\\aporap.exe"	aporap.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 3004 set thread context of 2632	3004	aporap.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aporap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe
2632	aporap.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2740	2840	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	30
PID 2740 wrote to memory of 3004	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	31
PID 2740 wrote to memory of 3004	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	31
PID 2740 wrote to memory of 3004	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	31
PID 2740 wrote to memory of 3004	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 3004 wrote to memory of 2632	3004	aporap.exe	32
PID 2632 wrote to memory of 1116	2632	aporap.exe	19
PID 2632 wrote to memory of 1116	2632	aporap.exe	19
PID 2632 wrote to memory of 1116	2632	aporap.exe	19
PID 2632 wrote to memory of 1116	2632	aporap.exe	19
PID 2632 wrote to memory of 1116	2632	aporap.exe	19
PID 2632 wrote to memory of 1168	2632	aporap.exe	20
PID 2632 wrote to memory of 1168	2632	aporap.exe	20
PID 2632 wrote to memory of 1168	2632	aporap.exe	20
PID 2632 wrote to memory of 1168	2632	aporap.exe	20
PID 2632 wrote to memory of 1168	2632	aporap.exe	20
PID 2632 wrote to memory of 1212	2632	aporap.exe	21
PID 2632 wrote to memory of 1212	2632	aporap.exe	21
PID 2632 wrote to memory of 1212	2632	aporap.exe	21
PID 2632 wrote to memory of 1212	2632	aporap.exe	21
PID 2632 wrote to memory of 1212	2632	aporap.exe	21
PID 2632 wrote to memory of 848	2632	aporap.exe	25
PID 2632 wrote to memory of 848	2632	aporap.exe	25
PID 2632 wrote to memory of 848	2632	aporap.exe	25
PID 2632 wrote to memory of 848	2632	aporap.exe	25
PID 2632 wrote to memory of 848	2632	aporap.exe	25
PID 2632 wrote to memory of 2740	2632	aporap.exe	30
PID 2632 wrote to memory of 2740	2632	aporap.exe	30
PID 2632 wrote to memory of 2740	2632	aporap.exe	30
PID 2632 wrote to memory of 2740	2632	aporap.exe	30
PID 2632 wrote to memory of 2740	2632	aporap.exe	30
PID 2740 wrote to memory of 680	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	33
PID 2740 wrote to memory of 680	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	33
PID 2740 wrote to memory of 680	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	33
PID 2740 wrote to memory of 680	2740	0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe	33

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0b49af01e1f10f569c7991803dc4e9cb_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Roaming\Ehkux\aporap.exe
      "C:\Users\Admin\AppData\Roaming\Ehkux\aporap.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Roaming\Ehkux\aporap.exe
        
        "C:\Users\Admin\AppData\Roaming\Ehkux\aporap.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8d2ce0e6.bat"
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8d2ce0e6.bat

Filesize
271B

MD5
cadb7f98be6a0a127e0f5d5c960a8544

SHA1
cf4b756f26d3b2af3245a1cdcf81d1bc1e2da764

SHA256
ac404c5a978a7188e2316473b7c3daa4a327bcf87ee8bcd88875d34db97f442a

SHA512
78fa39618965af3a863f1b1c0719ba29472f40658ae22fe156d04ae66d25f79adb9db9c3e26d9336938eec78d0bef16e820368d7efcea8e96bb0ba61ad26e268

Download Submit
C:\Users\Admin\AppData\Roaming\Ehkux\aporap.exe

Filesize
351KB

MD5
388f83db113c71eb280a8f6510f06f0b

SHA1
daa72baef1d8c688af853ccb595d36f795cbbc33

SHA256
32817db01ef82dbf90c19a8f39a4597d9c0eeff4bf6fea098d20e6e79b4ae571

SHA512
a4072c273a40a4c7000a135773cb0faccacdb59f6c4a28f25b5f55b79333ea3eb8f24f6defe169492f937762946065530bb852cb9f0679fd9f116b6e3b233e17

Download Submit
memory/848-71-0x0000000001D30000-0x0000000001D7C000-memory.dmp

Filesize
304KB

Download
memory/848-73-0x0000000001D30000-0x0000000001D7C000-memory.dmp

Filesize
304KB

Download
memory/848-74-0x0000000001D30000-0x0000000001D7C000-memory.dmp

Filesize
304KB

Download
memory/848-72-0x0000000001D30000-0x0000000001D7C000-memory.dmp

Filesize
304KB

Download
memory/1116-54-0x0000000002250000-0x000000000229C000-memory.dmp

Filesize
304KB

Download
memory/1116-58-0x0000000002250000-0x000000000229C000-memory.dmp

Filesize
304KB

Download
memory/1116-56-0x0000000002250000-0x000000000229C000-memory.dmp

Filesize
304KB

Download
memory/1116-52-0x0000000002250000-0x000000000229C000-memory.dmp

Filesize
304KB

Download
memory/1168-63-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1168-61-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1168-62-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1168-64-0x00000000001B0000-0x00000000001FC000-memory.dmp

Filesize
304KB

Download
memory/1212-68-0x0000000002590000-0x00000000025DC000-memory.dmp

Filesize
304KB

Download
memory/1212-69-0x0000000002590000-0x00000000025DC000-memory.dmp

Filesize
304KB

Download
memory/1212-66-0x0000000002590000-0x00000000025DC000-memory.dmp

Filesize
304KB

Download
memory/1212-67-0x0000000002590000-0x00000000025DC000-memory.dmp

Filesize
304KB

Download
memory/2632-160-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2632-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-158-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-29-0x0000000000390000-0x00000000003ED000-memory.dmp

Filesize
372KB

Download
memory/2740-82-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2740-79-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-78-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-77-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-76-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-84-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-80-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/2740-28-0x0000000000390000-0x00000000003ED000-memory.dmp

Filesize
372KB

Download
memory/2740-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-145-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2740-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2840-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2840-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3004-47-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download