743b782db3d90fd1e18f440b21eb8254ec8cf7a68df9871ee1977c2f5b1706c1

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 09:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe
Size

298KB
MD5

12d2566eca8173d0e6ee0bf576ed140d
SHA1

5ff3709bd7717732b1744635991b5229464171ac
SHA256

743b782db3d90fd1e18f440b21eb8254ec8cf7a68df9871ee1977c2f5b1706c1
SHA512

a8d691c6df29eddca69ee1d8490baf3c93a1cf11a782dc9050ffea168630de0b6d623d1e2ccf6e63e309105adeb0b55ea4abae5779ec5c5df52dfb1ecd9ee823
SSDEEP

3072:/tpe7RlPXDomWqLEnCYvcvIXRTy1hmUI0xlOcw6IvS3oGcFuG9hFoHk148GzMwS2:D4RX8vDx8hzNxl86IvSiFxTO8GzM+

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1312	poyxp.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\{15320D28-6FEE-AD4F-3AAA-40C7281D63DA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ecdof\\poyxp.exe"	poyxp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poyxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Privacy	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe
1312	poyxp.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe
1312	poyxp.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1312	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1312	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1312	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1312	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	30
PID 1312 wrote to memory of 1112	1312	poyxp.exe	19
PID 1312 wrote to memory of 1112	1312	poyxp.exe	19
PID 1312 wrote to memory of 1112	1312	poyxp.exe	19
PID 1312 wrote to memory of 1112	1312	poyxp.exe	19
PID 1312 wrote to memory of 1112	1312	poyxp.exe	19
PID 1312 wrote to memory of 1164	1312	poyxp.exe	20
PID 1312 wrote to memory of 1164	1312	poyxp.exe	20
PID 1312 wrote to memory of 1164	1312	poyxp.exe	20
PID 1312 wrote to memory of 1164	1312	poyxp.exe	20
PID 1312 wrote to memory of 1164	1312	poyxp.exe	20
PID 1312 wrote to memory of 1200	1312	poyxp.exe	21
PID 1312 wrote to memory of 1200	1312	poyxp.exe	21
PID 1312 wrote to memory of 1200	1312	poyxp.exe	21
PID 1312 wrote to memory of 1200	1312	poyxp.exe	21
PID 1312 wrote to memory of 1200	1312	poyxp.exe	21
PID 1312 wrote to memory of 336	1312	poyxp.exe	25
PID 1312 wrote to memory of 336	1312	poyxp.exe	25
PID 1312 wrote to memory of 336	1312	poyxp.exe	25
PID 1312 wrote to memory of 336	1312	poyxp.exe	25
PID 1312 wrote to memory of 336	1312	poyxp.exe	25
PID 1312 wrote to memory of 2396	1312	poyxp.exe	29
PID 1312 wrote to memory of 2396	1312	poyxp.exe	29
PID 1312 wrote to memory of 2396	1312	poyxp.exe	29
PID 1312 wrote to memory of 2396	1312	poyxp.exe	29
PID 1312 wrote to memory of 2396	1312	poyxp.exe	29
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2916	2396	12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\12d2566eca8173d0e6ee0bf576ed140d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Ecdof\poyxp.exe
    "C:\Users\Admin\AppData\Roaming\Ecdof\poyxp.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf6ed5c9d.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf6ed5c9d.bat

Filesize
271B

MD5
fb4f7bb6f5aa7416d7a6b39f5fa2c53d

SHA1
731fefdc3806b14dfc2d7af2cc13cebd1de5497c

SHA256
62f964777ce086307c379af66f7abbe3d0efd4505974708a0eb05666542d780f

SHA512
fd42ec61bec4f6221c2857132a022597627bf7ae4e05ad0353929388e981f3e5622deba5a629c1d55d79c4c02a1349a3d6224db779996667f1d05dbd1f16b598

Download Submit
C:\Users\Admin\AppData\Roaming\Ecdof\poyxp.exe

Filesize
298KB

MD5
2963cdbd5881aaa9f9703300e09f4215

SHA1
f82b9597933b2f1b5097315dfbee335bb6b827a5

SHA256
2aa8f55f87f45e8f4d08cf06f5592af6de53c79ed4803d3d6cf32bf03805dbea

SHA512
b0fde1967acdbad63609d41a72e287fc361c4a75f0287ca7ae437adfcc3320e4c48b5e3e0b83d7abdc4c7e597c210d1ef6c4cce83648978e053982a02c151f29

Download Submit
memory/336-34-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/336-40-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/336-38-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/336-36-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/1112-13-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1112-14-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1112-15-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1112-16-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1112-17-0x0000000002220000-0x0000000002264000-memory.dmp

Filesize
272KB

Download
memory/1164-19-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1164-23-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1164-25-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1164-21-0x0000000001EA0000-0x0000000001EE4000-memory.dmp

Filesize
272KB

Download
memory/1200-29-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1200-30-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1200-31-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1200-28-0x00000000024C0000-0x0000000002504000-memory.dmp

Filesize
272KB

Download
memory/1312-56-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1312-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-57-0x0000000000390000-0x00000000003DE000-memory.dmp

Filesize
312KB

Download
memory/2396-71-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-73-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-52-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-50-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-48-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-45-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-44-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-59-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-60-0x0000000077BF0000-0x0000000077BF1000-memory.dmp

Filesize
4KB

Download
memory/2396-61-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-63-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-65-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-67-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-69-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-1-0x0000000000350000-0x000000000039E000-memory.dmp

Filesize
312KB

Download
memory/2396-54-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-75-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-136-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-77-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-79-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2396-43-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-46-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-161-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/2396-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-159-0x0000000000350000-0x000000000039E000-memory.dmp

Filesize
312KB

Download
memory/2396-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-0-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download