a9a2e5d1e392fde875e5bf12c25ec17c92f91346b5fbbd58a79daaec08d7a3b6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
Size

333KB
MD5

14da9c0b740465e340110e7770b3964f
SHA1

97b0e9948e955c958f84f9eca0fc8b5956e8be37
SHA256

a9a2e5d1e392fde875e5bf12c25ec17c92f91346b5fbbd58a79daaec08d7a3b6
SHA512

d29797bab0e845284b42d05b009802e994023197a50c897729ba49443fd1055e8dd8cfd46096d6d42ac738fe75fa7f562c5e090ac82f355474e7ce45b4210524
SSDEEP

6144:CxF74bab59oicM835IPUdv4+n+IW+xdY2DDQdsiyfxPh4eUT/1XPGL1qmY+D527z:7ba19otM83Rv+IZTbD7iy5kThGLy

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1880	fopyyf.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\{09E0E5E8-6808-AD4F-43B0-714965AC5254} = "C:\\Users\\Admin\\AppData\\Roaming\\Jeuz\\fopyyf.exe"	fopyyf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fopyyf.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe
1880	fopyyf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
1880	fopyyf.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1880	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1880	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1880	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	30
PID 2396 wrote to memory of 1880	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	30
PID 1880 wrote to memory of 1108	1880	fopyyf.exe	19
PID 1880 wrote to memory of 1108	1880	fopyyf.exe	19
PID 1880 wrote to memory of 1108	1880	fopyyf.exe	19
PID 1880 wrote to memory of 1108	1880	fopyyf.exe	19
PID 1880 wrote to memory of 1108	1880	fopyyf.exe	19
PID 1880 wrote to memory of 1192	1880	fopyyf.exe	20
PID 1880 wrote to memory of 1192	1880	fopyyf.exe	20
PID 1880 wrote to memory of 1192	1880	fopyyf.exe	20
PID 1880 wrote to memory of 1192	1880	fopyyf.exe	20
PID 1880 wrote to memory of 1192	1880	fopyyf.exe	20
PID 1880 wrote to memory of 1240	1880	fopyyf.exe	21
PID 1880 wrote to memory of 1240	1880	fopyyf.exe	21
PID 1880 wrote to memory of 1240	1880	fopyyf.exe	21
PID 1880 wrote to memory of 1240	1880	fopyyf.exe	21
PID 1880 wrote to memory of 1240	1880	fopyyf.exe	21
PID 1880 wrote to memory of 1304	1880	fopyyf.exe	23
PID 1880 wrote to memory of 1304	1880	fopyyf.exe	23
PID 1880 wrote to memory of 1304	1880	fopyyf.exe	23
PID 1880 wrote to memory of 1304	1880	fopyyf.exe	23
PID 1880 wrote to memory of 1304	1880	fopyyf.exe	23
PID 1880 wrote to memory of 2396	1880	fopyyf.exe	29
PID 1880 wrote to memory of 2396	1880	fopyyf.exe	29
PID 1880 wrote to memory of 2396	1880	fopyyf.exe	29
PID 1880 wrote to memory of 2396	1880	fopyyf.exe	29
PID 1880 wrote to memory of 2396	1880	fopyyf.exe	29
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2828	2396	14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe	31
PID 1880 wrote to memory of 944	1880	fopyyf.exe	34
PID 1880 wrote to memory of 944	1880	fopyyf.exe	34
PID 1880 wrote to memory of 944	1880	fopyyf.exe	34
PID 1880 wrote to memory of 944	1880	fopyyf.exe	34
PID 1880 wrote to memory of 944	1880	fopyyf.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Roaming\Jeuz\fopyyf.exe
    "C:\Users\Admin\AppData\Roaming\Jeuz\fopyyf.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1fb99939.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1fb99939.bat

Filesize
271B

MD5
c18523ebe981f201d57755996352fa6a

SHA1
f0ae133f75ed127ebe254a99446007d3d60063a1

SHA256
10fab31b6fbbc685be369731c2b9e1c5898f2c8ea25bf3b1bc72e1cfe7dc2607

SHA512
5b5ddc3c4d25697fe263e45346407e99f9dd4fd2a6f24405815a0411e6f66a80e52cbb3a61f927a711d746af9aebcb1e55c0543871ee7d19c4a5fcc7aa08e773

Download Submit
\Users\Admin\AppData\Roaming\Jeuz\fopyyf.exe

Filesize
333KB

MD5
4b2cd81da3a4c3334cde03beb3973a18

SHA1
09e87e091657d8c37a6d23f8e71308c0e5289720

SHA256
6f8e8bee1b30a7156d6c3d32e60a05ef0ecc3476c90437ce43bd2428e9b08ee5

SHA512
f0bdc07bb536b67e64c8778ac3860a686efda4b12b6eb6c16faaa3f5599890de62f25bc7152ac76b884c6cd4e62fd1920139c2e0255c6bdb0ba0cbfb235f2154

Download Submit
memory/1108-19-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1108-15-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1108-17-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1108-12-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1108-22-0x00000000021A0000-0x00000000021EC000-memory.dmp

Filesize
304KB

Download
memory/1192-25-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/1192-26-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/1192-27-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/1192-28-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/1240-33-0x0000000003050000-0x000000000309C000-memory.dmp

Filesize
304KB

Download
memory/1240-30-0x0000000003050000-0x000000000309C000-memory.dmp

Filesize
304KB

Download
memory/1240-31-0x0000000003050000-0x000000000309C000-memory.dmp

Filesize
304KB

Download
memory/1240-32-0x0000000003050000-0x000000000309C000-memory.dmp

Filesize
304KB

Download
memory/1304-38-0x0000000001C40000-0x0000000001C8C000-memory.dmp

Filesize
304KB

Download
memory/1304-36-0x0000000001C40000-0x0000000001C8C000-memory.dmp

Filesize
304KB

Download
memory/1304-40-0x0000000001C40000-0x0000000001C8C000-memory.dmp

Filesize
304KB

Download
memory/1304-42-0x0000000001C40000-0x0000000001C8C000-memory.dmp

Filesize
304KB

Download
memory/1880-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1880-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1880-14-0x0000000001C40000-0x0000000001C8C000-memory.dmp

Filesize
304KB

Download
memory/1880-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2396-52-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-54-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2396-75-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2396-74-0x0000000001BD0000-0x0000000001C1C000-memory.dmp

Filesize
304KB

Download
memory/2396-58-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-45-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-51-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2396-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2396-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2396-57-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2396-56-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-46-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-53-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2396-0-0x0000000001BD0000-0x0000000001C1C000-memory.dmp

Filesize
304KB

Download
memory/2396-55-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2396-50-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2396-49-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-48-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-47-0x0000000001DB0000-0x0000000001DFC000-memory.dmp

Filesize
304KB

Download
memory/2396-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2396-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2828-62-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/2828-64-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/2828-76-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/2828-84-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2828-81-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2828-80-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2828-79-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2828-78-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2828-77-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2828-65-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/2828-89-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download
memory/2828-69-0x0000000000150000-0x000000000019C000-memory.dmp

Filesize
304KB

Download