Overview

overview

7

Static

static

1

14da9c0b74...18.exe

windows7-x64

7

14da9c0b74...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2024, 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe

  • Size

    333KB

  • MD5

    14da9c0b740465e340110e7770b3964f

  • SHA1

    97b0e9948e955c958f84f9eca0fc8b5956e8be37

  • SHA256

    a9a2e5d1e392fde875e5bf12c25ec17c92f91346b5fbbd58a79daaec08d7a3b6

  • SHA512

    d29797bab0e845284b42d05b009802e994023197a50c897729ba49443fd1055e8dd8cfd46096d6d42ac738fe75fa7f562c5e090ac82f355474e7ce45b4210524

  • SSDEEP

    6144:CxF74bab59oicM835IPUdv4+n+IW+xdY2DDQdsiyfxPh4eUT/1XPGL1qmY+D527z:7ba19otM83Rv+IZTbD7iy5kThGLy

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2996
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
        PID:3056
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:3100
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
            PID:3460
            • C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe
              "C:\Users\Admin\AppData\Local\Temp\14da9c0b740465e340110e7770b3964f_JaffaCakes118.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1192
              • C:\Users\Admin\AppData\Roaming\Hycoet\ximeba.exe
                "C:\Users\Admin\AppData\Roaming\Hycoet\ximeba.exe"
                3⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2272
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaf15f02d.bat"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3696
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
            1⤵
              PID:3556
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3772
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:3860
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3928
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:4052
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:4132
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:2108
                        • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                          "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                          1⤵
                            PID:4624
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                            1⤵
                              PID:2456
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff85c6cd198,0x7ff85c6cd1a4,0x7ff85c6cd1b0
                                2⤵
                                  PID:3672
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2140,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2
                                  2⤵
                                    PID:2472
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1820,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3
                                    2⤵
                                      PID:5008
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2400,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8
                                      2⤵
                                        PID:2952
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1416,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
                                        2⤵
                                          PID:4792

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\tmpaf15f02d.bat
                                        Filesize

                                        271B

                                        MD5

                                        28e1a1771b18ea4648c2b24c357554c3

                                        SHA1

                                        79cdc9ac079355bd1712e9d732a70d12062dc78c

                                        SHA256

                                        3e7e2a3cb4ae11d71e5fb8fcddb583dceaa544820db80e582633177a8f0e6d64

                                        SHA512

                                        30e56399e63aa7bc4fc2cf4209ccb596406f0f95318bc72a11ffc8d5df715db36ed18bde2acf5a66b54bb361e09dde05cbbb900d2fb1304f5fb25f04a3f7db9d

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\Hycoet\ximeba.exe
                                        Filesize

                                        333KB

                                        MD5

                                        8bdc3aa93a262421f384b6364778fe38

                                        SHA1

                                        3044c24ae0b8fadf9b63e63e677529ebd8356e51

                                        SHA256

                                        5b0b8c6c7580caa093f728b6b7c884bd59d6b2a0e5ead79c067b89bba4725719

                                        SHA512

                                        5868970be755976ca4b1f223de67cb12338edf4930cc98907d8cab1f8dd6de3d567d4a996e40867a8c564155b1f1adf26c18b60b757abefd2d5056b1e3bad392

                                        Download Submit

                                      • memory/1192-17-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1192-15-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1192-7-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/1192-2-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-1-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-16-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1192-12-0x00000000022B0000-0x00000000022FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-18-0x00000000022B0000-0x00000000022FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-20-0x00000000022B0000-0x00000000022FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-14-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1192-13-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/1192-30-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-32-0x0000000002210000-0x000000000225C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-19-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/1192-3-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/1192-0-0x0000000002210000-0x000000000225C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/2272-10-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/2272-45-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/2272-11-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/2272-43-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/2272-42-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/2272-24-0x0000000000400000-0x000000000044C000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/3696-36-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-38-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-37-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-39-0x00000000000B0000-0x00000000000FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/3696-40-0x00000000000B0000-0x00000000000FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download

                                      • memory/3696-35-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-34-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-33-0x000000006FFF0000-0x0000000070000000-memory.dmp

                                        Filesize

                                        64KB

                                        Download

                                      • memory/3696-23-0x00000000000B0000-0x00000000000FC000-memory.dmp

                                        Filesize

                                        304KB

                                        Download