a8b0dcfbb2b9569817c56b294dea3b4133f604c731394699978c087887a68caf

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
Size

119KB
MD5

0ede8327bcb476283e689965ef2f4032
SHA1

3ef913cf59c939533aff6dff1410ab3f54d08eb3
SHA256

a8b0dcfbb2b9569817c56b294dea3b4133f604c731394699978c087887a68caf
SHA512

9fbbb5771e3c7cd3b19117457e5cef528329e8ce29029f6c302297cf6ebfaf8b3a66bc1b99ad25fc9391e78bd1c3fc598b10b0ebca69e6385665539e2ff443b2
SSDEEP

1536:FD3IQqxdm4CGUtl2PgkSxrm/c4bMMeS/nVjWyCmc5SGVkm4Xxfpj+NreMp:d38xd7Cfl2PDamJb3eS/AJovPE

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	iwnea.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\{79C65DB7-1FDE-9232-9D89-98E45B01232E} = "C:\\Users\\Admin\\AppData\\Roaming\\Owyqba\\iwnea.exe"	iwnea.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwnea.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe
2056	iwnea.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
Token: SeSecurityPrivilege	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
Token: SeSecurityPrivilege	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2056	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2056	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2056	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	31
PID 2464 wrote to memory of 2056	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	31
PID 2056 wrote to memory of 1112	2056	iwnea.exe	19
PID 2056 wrote to memory of 1112	2056	iwnea.exe	19
PID 2056 wrote to memory of 1112	2056	iwnea.exe	19
PID 2056 wrote to memory of 1112	2056	iwnea.exe	19
PID 2056 wrote to memory of 1112	2056	iwnea.exe	19
PID 2056 wrote to memory of 1168	2056	iwnea.exe	20
PID 2056 wrote to memory of 1168	2056	iwnea.exe	20
PID 2056 wrote to memory of 1168	2056	iwnea.exe	20
PID 2056 wrote to memory of 1168	2056	iwnea.exe	20
PID 2056 wrote to memory of 1168	2056	iwnea.exe	20
PID 2056 wrote to memory of 1216	2056	iwnea.exe	21
PID 2056 wrote to memory of 1216	2056	iwnea.exe	21
PID 2056 wrote to memory of 1216	2056	iwnea.exe	21
PID 2056 wrote to memory of 1216	2056	iwnea.exe	21
PID 2056 wrote to memory of 1216	2056	iwnea.exe	21
PID 2056 wrote to memory of 1340	2056	iwnea.exe	23
PID 2056 wrote to memory of 1340	2056	iwnea.exe	23
PID 2056 wrote to memory of 1340	2056	iwnea.exe	23
PID 2056 wrote to memory of 1340	2056	iwnea.exe	23
PID 2056 wrote to memory of 1340	2056	iwnea.exe	23
PID 2056 wrote to memory of 2464	2056	iwnea.exe	30
PID 2056 wrote to memory of 2464	2056	iwnea.exe	30
PID 2056 wrote to memory of 2464	2056	iwnea.exe	30
PID 2056 wrote to memory of 2464	2056	iwnea.exe	30
PID 2056 wrote to memory of 2464	2056	iwnea.exe	30
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2464 wrote to memory of 2576	2464	0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe	32
PID 2056 wrote to memory of 1604	2056	iwnea.exe	34
PID 2056 wrote to memory of 1604	2056	iwnea.exe	34
PID 2056 wrote to memory of 1604	2056	iwnea.exe	34
PID 2056 wrote to memory of 1604	2056	iwnea.exe	34
PID 2056 wrote to memory of 1604	2056	iwnea.exe	34
PID 2056 wrote to memory of 2416	2056	iwnea.exe	36
PID 2056 wrote to memory of 2416	2056	iwnea.exe	36
PID 2056 wrote to memory of 2416	2056	iwnea.exe	36
PID 2056 wrote to memory of 2416	2056	iwnea.exe	36
PID 2056 wrote to memory of 2416	2056	iwnea.exe	36

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0ede8327bcb476283e689965ef2f4032_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Owyqba\iwnea.exe
    "C:\Users\Admin\AppData\Roaming\Owyqba\iwnea.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp418437a3.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp418437a3.bat

Filesize
271B

MD5
268b6a3ee3e02a4c1f0ee5aa21115f24

SHA1
022807b11a073edc24c1da060a74db18dc7a8541

SHA256
be62e831288e54006e416576ecb50d94b0d1cb256963e7dd1a2200e02fcef938

SHA512
c45a7d8cd7be878d50df503fe0e146a2e15bd47384a060b1ca1effbaafa45ac3d2cb41b6a22d3fb875e6c975b0bf63de5167b45f5784f18038af0604d89d0e8e

Download Submit
C:\Users\Admin\AppData\Roaming\Omly\edzap.qut

Filesize
380B

MD5
8e54ad3f8122268cc9b9e2df6ee05091

SHA1
9cc7a2fead17f7fb46189b3fe3f08f8822391d9b

SHA256
29c1065627eeeed65f9467e8773174ed7f14009cc82f9503d2a9660cbf4c2d4a

SHA512
0fbcaf5081b2ad7cbc14512a8e11fa1748167e6dd7e4e78278696e07aa8429c6aed749c3c59aba79e1e5f02ba77a2c28727ac13831ee183574f6955b288c0af5

Download Submit
\Users\Admin\AppData\Roaming\Owyqba\iwnea.exe

Filesize
119KB

MD5
081393729dc7084cd4a9e94d0c6684af

SHA1
152f299ecf49d8565dc75ec3772456cc115a2fbd

SHA256
f17339a3947ae73dea2862bdcac036439d08090d809e6673e37de5f8ac3d937b

SHA512
16eac9d1ced8522b858b104a27171434c7eae4681d57fe1431ec91bf550b47531c3e6e5a9671d4be11e9d3b8edaf90804eaadf7e052df5087b43c7bdfc750b1a

Download Submit
memory/1112-21-0x00000000020F0000-0x000000000210F000-memory.dmp

Filesize
124KB

Download
memory/1112-17-0x00000000020F0000-0x000000000210F000-memory.dmp

Filesize
124KB

Download
memory/1112-19-0x00000000020F0000-0x000000000210F000-memory.dmp

Filesize
124KB

Download
memory/1112-25-0x00000000020F0000-0x000000000210F000-memory.dmp

Filesize
124KB

Download
memory/1112-23-0x00000000020F0000-0x000000000210F000-memory.dmp

Filesize
124KB

Download
memory/1168-32-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1168-31-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1168-30-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1168-29-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1216-35-0x0000000003B80000-0x0000000003B9F000-memory.dmp

Filesize
124KB

Download
memory/1216-34-0x0000000003B80000-0x0000000003B9F000-memory.dmp

Filesize
124KB

Download
memory/1216-36-0x0000000003B80000-0x0000000003B9F000-memory.dmp

Filesize
124KB

Download
memory/1216-37-0x0000000003B80000-0x0000000003B9F000-memory.dmp

Filesize
124KB

Download
memory/1340-46-0x0000000001F10000-0x0000000001F2F000-memory.dmp

Filesize
124KB

Download
memory/1340-40-0x0000000001F10000-0x0000000001F2F000-memory.dmp

Filesize
124KB

Download
memory/1340-42-0x0000000001F10000-0x0000000001F2F000-memory.dmp

Filesize
124KB

Download
memory/1340-44-0x0000000001F10000-0x0000000001F2F000-memory.dmp

Filesize
124KB

Download
memory/2056-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2056-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2056-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2056-130-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-82-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-70-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-58-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-56-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-54-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-53-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2464-52-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2464-51-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2464-50-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2464-49-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2464-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-64-0x0000000000427000-0x000000000042A000-memory.dmp

Filesize
12KB

Download
memory/2464-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-66-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-68-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-60-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-72-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-74-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-76-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-78-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-80-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2464-0-0x0000000000427000-0x000000000042A000-memory.dmp

Filesize
12KB

Download
memory/2464-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-103-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2464-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2576-115-0x0000000077E90000-0x0000000077E91000-memory.dmp

Filesize
4KB

Download
memory/2576-132-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2576-104-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download
memory/2576-133-0x0000000000050000-0x000000000006F000-memory.dmp

Filesize
124KB

Download