c5b34f78fcc6cb0f0babd056edb446faf6e85df4f4d89cd2c200d29abb262217

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 03:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
Size

129KB
MD5

11a60d6dc225e66dd5ea8157280599f8
SHA1

ce5e66fe81233010fa74c4fb7f03e3c0e63869b8
SHA256

c5b34f78fcc6cb0f0babd056edb446faf6e85df4f4d89cd2c200d29abb262217
SHA512

0f9768c8f54bc6d30e9e88c7592320f1b44317b86e3f78a94b09ea2bcfba5b12e28959a4b125dc8fb89170b4d4db4927ca0b8c07137796056fbc229f2f0d635f
SSDEEP

3072:khVNVsd+BBGpoAbHCiJDCUdcPt0RiIoGxz2BCiY8qvecdNY:4NuMOCiUUdcPCMVG52BLgd

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1820	Xwynia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\NJZJ58QLI9 = "C:\\Windows\\Xwynia.exe"	Xwynia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
File created	C:\Windows\Xwynia.exe	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
File opened for modification	C:\Windows\Xwynia.exe	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xwynia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	Xwynia.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\International	Xwynia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe
1820	Xwynia.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1088	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
1820	Xwynia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1820	1088	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe	29
PID 1088 wrote to memory of 1820	1088	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe	29
PID 1088 wrote to memory of 1820	1088	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe	29
PID 1088 wrote to memory of 1820	1088	11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11a60d6dc225e66dd5ea8157280599f8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Xwynia.exe
  C:\Windows\Xwynia.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
78ecd4292eebb7a9426d5f0a678bb572

SHA1
8bd4e98d18700aa999481fd54ff0c132e94ff937

SHA256
a28182d02910be3afa5f2dd0233955ccaa9471c3206fc0097a132a39dd3a14f9

SHA512
131894b889d8a68c3548c686389d489427b9dedd96c617e8fe976e1d6096b2f2c642894e033d52be4f2a1b1833a62a31cd151e35a99a8d780ac5a6ef3da12d2e

Download Submit
C:\Windows\Xwynia.exe

Filesize
129KB

MD5
11a60d6dc225e66dd5ea8157280599f8

SHA1
ce5e66fe81233010fa74c4fb7f03e3c0e63869b8

SHA256
c5b34f78fcc6cb0f0babd056edb446faf6e85df4f4d89cd2c200d29abb262217

SHA512
0f9768c8f54bc6d30e9e88c7592320f1b44317b86e3f78a94b09ea2bcfba5b12e28959a4b125dc8fb89170b4d4db4927ca0b8c07137796056fbc229f2f0d635f

Download Submit
memory/1088-1-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/1088-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-23968-0x0000000074DB0000-0x0000000074DBF000-memory.dmp

Filesize
60KB

Download
memory/1088-23969-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-2863-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1088-6221-0x0000000074DB0000-0x0000000074DBF000-memory.dmp

Filesize
60KB

Download
memory/1820-16305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-32578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-16192-0x0000000074DB0000-0x0000000074DBF000-memory.dmp

Filesize
60KB

Download
memory/1820-16136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-32628-0x0000000074DB0000-0x0000000074DBF000-memory.dmp

Filesize
60KB

Download
memory/1820-14696-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-46168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download