1e7e4fd69977aa3ea2edb53e26bfc211d0f05f5c64cbd6b42a441d32748b4d0b

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Size

147KB
MD5

145496abaebd8c7fa375699c15a22f5d
SHA1

285a92079da710f43c1824e30285b631564bdef3
SHA256

1e7e4fd69977aa3ea2edb53e26bfc211d0f05f5c64cbd6b42a441d32748b4d0b
SHA512

aad36b531939b888f87bc0a7ca5b15fa27c8ebb6331ad0a3854b472cd082ab4cba4a9ea0d9db7d085c9c598244b2c42a1a4e01f29e92e5751db22089420f8a1d
SSDEEP

3072:F5F53F795uW3qol65oKqJSNmt2o7duyJH5tAGbIF9mz:Dj5uOlSotSNw3LOG

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	miebcya.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\{766AE4AA-32BD-D878-856E-B71B0F7E70F4} = "C:\\Users\\Admin\\AppData\\Roaming\\Beeneg\\miebcya.exe"	miebcya.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Privacy	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0EA054BD-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe
2272	miebcya.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2964	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2964	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2964	WinMail.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2272	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2272	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2272	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	28
PID 2236 wrote to memory of 2272	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	28
PID 2272 wrote to memory of 1084	2272	miebcya.exe	19
PID 2272 wrote to memory of 1084	2272	miebcya.exe	19
PID 2272 wrote to memory of 1084	2272	miebcya.exe	19
PID 2272 wrote to memory of 1084	2272	miebcya.exe	19
PID 2272 wrote to memory of 1084	2272	miebcya.exe	19
PID 2272 wrote to memory of 1172	2272	miebcya.exe	20
PID 2272 wrote to memory of 1172	2272	miebcya.exe	20
PID 2272 wrote to memory of 1172	2272	miebcya.exe	20
PID 2272 wrote to memory of 1172	2272	miebcya.exe	20
PID 2272 wrote to memory of 1172	2272	miebcya.exe	20
PID 2272 wrote to memory of 1200	2272	miebcya.exe	21
PID 2272 wrote to memory of 1200	2272	miebcya.exe	21
PID 2272 wrote to memory of 1200	2272	miebcya.exe	21
PID 2272 wrote to memory of 1200	2272	miebcya.exe	21
PID 2272 wrote to memory of 1200	2272	miebcya.exe	21
PID 2272 wrote to memory of 544	2272	miebcya.exe	23
PID 2272 wrote to memory of 544	2272	miebcya.exe	23
PID 2272 wrote to memory of 544	2272	miebcya.exe	23
PID 2272 wrote to memory of 544	2272	miebcya.exe	23
PID 2272 wrote to memory of 544	2272	miebcya.exe	23
PID 2272 wrote to memory of 2236	2272	miebcya.exe	27
PID 2272 wrote to memory of 2236	2272	miebcya.exe	27
PID 2272 wrote to memory of 2236	2272	miebcya.exe	27
PID 2272 wrote to memory of 2236	2272	miebcya.exe	27
PID 2272 wrote to memory of 2236	2272	miebcya.exe	27
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2960	2236	145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe	30
PID 2272 wrote to memory of 1748	2272	miebcya.exe	32
PID 2272 wrote to memory of 1748	2272	miebcya.exe	32
PID 2272 wrote to memory of 1748	2272	miebcya.exe	32
PID 2272 wrote to memory of 1748	2272	miebcya.exe	32
PID 2272 wrote to memory of 1748	2272	miebcya.exe	32
PID 2272 wrote to memory of 2856	2272	miebcya.exe	35
PID 2272 wrote to memory of 2856	2272	miebcya.exe	35
PID 2272 wrote to memory of 2856	2272	miebcya.exe	35
PID 2272 wrote to memory of 2856	2272	miebcya.exe	35
PID 2272 wrote to memory of 2856	2272	miebcya.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1084

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\145496abaebd8c7fa375699c15a22f5d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\Beeneg\miebcya.exe
    "C:\Users\Admin\AppData\Roaming\Beeneg\miebcya.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp79ccc29f.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:544

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
3e434cbe70dccb159e1ab2a78051e666

SHA1
e10df6d57b435f5f7c5d6e483ce866594c3225e8

SHA256
816be4cb7dfd611e22c3d4346b0ce17b954743e609efbf032431ac4d234fb846

SHA512
e6e866870acdc88bd8333645368996130629d003381fe7c489bf7ef73d32f89e6ff161e869dfc225242d4c306fd6dcdf66c87f38b6c4fbb454950328c23a215f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79ccc29f.bat

Filesize
271B

MD5
7a39959be5333394e7ecdc678d0f180a

SHA1
10b8e2eadc84aba800970b05400a4dc3084f11b3

SHA256
2720c453bff2a05ccee8640a37d84c83672e34b49f04390ad8841c0268426ccc

SHA512
79960c84b832d604942496d9481f0f427bef8930671eb54b0ba685787658dfaa8e9851adca14089fdd2ba42b027e834a947b96f9818caa056e835eac00f15da7

Download Submit
C:\Users\Admin\AppData\Roaming\Beeneg\miebcya.exe

Filesize
147KB

MD5
e3abef3f772e37f127a8c91bc0aecf54

SHA1
9316cbf0ba65f95251d1e9c533687bdae62d31e1

SHA256
a5514047c4e84d0812ebb56e73d497ffee42062bb09ab11a8fdea9d59d4d1e2b

SHA512
19f6e4b6e01cd4a9b81e3ea66608545bcc712af7393d9125a2b6891eb7e22d7d21f66d8cde18ca580971f7c78bd34b116fef60d5c6e00446f024064593da7919

Download Submit
C:\Users\Admin\AppData\Roaming\Efa\ypwoov.qug

Filesize
380B

MD5
681899fc9d6690a8ad83e0834faf230d

SHA1
3def4a3ba9769f092faade9b248b5b25724ab3bd

SHA256
b5ef7c12fd10a40aa39c8b18d3c55f113cd6fd8a7c5fa70ead475a58f65c094d

SHA512
636a850e71de6b0540a9cd8a2dc9648a66db98ec8174f7131be7d0df93b1a14720fe76a9e294124d052f892d4e946f7592b8699bed7ba7ba90c12a5e54eef50c

Download Submit
memory/544-48-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/544-46-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/544-47-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/544-49-0x0000000001DC0000-0x0000000001DE7000-memory.dmp

Filesize
156KB

Download
memory/1084-19-0x0000000002100000-0x0000000002127000-memory.dmp

Filesize
156KB

Download
memory/1084-17-0x0000000002100000-0x0000000002127000-memory.dmp

Filesize
156KB

Download
memory/1084-21-0x0000000002100000-0x0000000002127000-memory.dmp

Filesize
156KB

Download
memory/1084-23-0x0000000002100000-0x0000000002127000-memory.dmp

Filesize
156KB

Download
memory/1084-15-0x0000000002100000-0x0000000002127000-memory.dmp

Filesize
156KB

Download
memory/1172-31-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1172-27-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1172-29-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1172-33-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1200-43-0x0000000002490000-0x00000000024B7000-memory.dmp

Filesize
156KB

Download
memory/1200-41-0x0000000002490000-0x00000000024B7000-memory.dmp

Filesize
156KB

Download
memory/1200-39-0x0000000002490000-0x00000000024B7000-memory.dmp

Filesize
156KB

Download
memory/1200-37-0x0000000002490000-0x00000000024B7000-memory.dmp

Filesize
156KB

Download
memory/2236-53-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/2236-79-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-52-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/2236-0-0x0000000001E80000-0x00000000020A0000-memory.dmp

Filesize
2.1MB

Download
memory/2236-54-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/2236-56-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2236-55-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/2236-1-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2236-65-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-63-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-61-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-57-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-67-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-71-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-69-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-77-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-75-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2236-51-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/2236-223-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2236-2-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2272-173-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2272-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2272-13-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download