d590cbff1ecf059718d2426243b4da59d57d4fce684adc71573c9377f6210cd2

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 04:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe
Size

307KB
MD5

2af60c9f78e8ddc96437a2aa495debfc
SHA1

26282f407015d9784792141bdb8edb8ce6e12b1d
SHA256

d590cbff1ecf059718d2426243b4da59d57d4fce684adc71573c9377f6210cd2
SHA512

ecb3c2a1350d2ada31e4a105fce154f42ab1066f3b5a9c524ca20d7fb3b748a4fd7bb61788ffa02d2a709e0bb253cd064c9e034e33b674338d0c242a0c5789ee
SSDEEP

6144:K0vztT72Y0SBzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOxPECYeixlYGic7:K0bh7SSYYsY1UMqMZJYSN7wbstOx8fvB

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
236	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	uxbyb.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F5C6EAE8-1B61-AD4F-A81D-915899A2B245} = "C:\\Users\\Admin\\AppData\\Roaming\\Ozocju\\uxbyb.exe"	uxbyb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxbyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Privacy	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe
3008	uxbyb.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3008	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	29
PID 1712 wrote to memory of 3008	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	29
PID 1712 wrote to memory of 3008	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	29
PID 1712 wrote to memory of 3008	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	29
PID 3008 wrote to memory of 1100	3008	uxbyb.exe	18
PID 3008 wrote to memory of 1100	3008	uxbyb.exe	18
PID 3008 wrote to memory of 1100	3008	uxbyb.exe	18
PID 3008 wrote to memory of 1100	3008	uxbyb.exe	18
PID 3008 wrote to memory of 1100	3008	uxbyb.exe	18
PID 3008 wrote to memory of 1204	3008	uxbyb.exe	19
PID 3008 wrote to memory of 1204	3008	uxbyb.exe	19
PID 3008 wrote to memory of 1204	3008	uxbyb.exe	19
PID 3008 wrote to memory of 1204	3008	uxbyb.exe	19
PID 3008 wrote to memory of 1204	3008	uxbyb.exe	19
PID 3008 wrote to memory of 1252	3008	uxbyb.exe	20
PID 3008 wrote to memory of 1252	3008	uxbyb.exe	20
PID 3008 wrote to memory of 1252	3008	uxbyb.exe	20
PID 3008 wrote to memory of 1252	3008	uxbyb.exe	20
PID 3008 wrote to memory of 1252	3008	uxbyb.exe	20
PID 3008 wrote to memory of 1784	3008	uxbyb.exe	24
PID 3008 wrote to memory of 1784	3008	uxbyb.exe	24
PID 3008 wrote to memory of 1784	3008	uxbyb.exe	24
PID 3008 wrote to memory of 1784	3008	uxbyb.exe	24
PID 3008 wrote to memory of 1784	3008	uxbyb.exe	24
PID 3008 wrote to memory of 1712	3008	uxbyb.exe	28
PID 3008 wrote to memory of 1712	3008	uxbyb.exe	28
PID 3008 wrote to memory of 1712	3008	uxbyb.exe	28
PID 3008 wrote to memory of 1712	3008	uxbyb.exe	28
PID 3008 wrote to memory of 1712	3008	uxbyb.exe	28
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 1712 wrote to memory of 236	1712	2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe	30
PID 3008 wrote to memory of 2348	3008	uxbyb.exe	32
PID 3008 wrote to memory of 2348	3008	uxbyb.exe	32
PID 3008 wrote to memory of 2348	3008	uxbyb.exe	32
PID 3008 wrote to memory of 2348	3008	uxbyb.exe	32
PID 3008 wrote to memory of 2348	3008	uxbyb.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2af60c9f78e8ddc96437a2aa495debfc_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\Ozocju\uxbyb.exe
    "C:\Users\Admin\AppData\Roaming\Ozocju\uxbyb.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp778e08b9.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1784

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp778e08b9.bat

Filesize
271B

MD5
6621bb45540ee5c044690d91d2978998

SHA1
b942a8bcd83cadd8d3946e4d1cff9a3783beb638

SHA256
edce6e87a738428b8800690fdf9b85a478d8373816dc82351c8822f64cfab53b

SHA512
eaeaa5beef3634f84f9241fb514931af0c2e4b5d63938a726d27cbff56e6057ad6a4610d18e9142b9cd994b438b57418e484ccb8e389320dc95a0d340a7a39e1

Download Submit
\Users\Admin\AppData\Roaming\Ozocju\uxbyb.exe

Filesize
307KB

MD5
a0a5bfaae8e54d5c3abc6b01d0b54433

SHA1
8b5cb3f52338c354ebfbbd9f9232b95427078915

SHA256
4195841bcaa81d03036df1e4a86f8f4433de250a68f9261098dbe25734fd62e4

SHA512
3f9064274780b5353b923937a4b4b867c67052081049d77db29850c8355e4e330ee9510121f78abeb41f7d45b6f2a706f6d2b7cef40e58db89947b36490afe1d

Download Submit
memory/1100-15-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1100-16-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1100-17-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1100-18-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1100-19-0x0000000001FD0000-0x0000000002014000-memory.dmp

Filesize
272KB

Download
memory/1204-22-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1204-23-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1204-24-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1204-25-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/1252-29-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1252-27-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1252-30-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1252-28-0x0000000002DB0000-0x0000000002DF4000-memory.dmp

Filesize
272KB

Download
memory/1712-68-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-9-0x0000000000140000-0x0000000000190000-memory.dmp

Filesize
320KB

Download
memory/1712-72-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-70-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-66-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-64-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-60-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-58-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-57-0x00000000777E0000-0x00000000777E1000-memory.dmp

Filesize
4KB

Download
memory/1712-56-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-52-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-50-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-48-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-46-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-45-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-44-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-1-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1712-160-0x0000000000F10000-0x0000000000F60000-memory.dmp

Filesize
320KB

Download
memory/1712-161-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1712-162-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-76-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-78-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-0-0x0000000000F10000-0x0000000000F60000-memory.dmp

Filesize
320KB

Download
memory/1712-62-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-54-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-47-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-2-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1712-43-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1712-74-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-3-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1712-137-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1712-6-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1784-33-0x0000000002290000-0x00000000022D4000-memory.dmp

Filesize
272KB

Download
memory/1784-35-0x0000000002290000-0x00000000022D4000-memory.dmp

Filesize
272KB

Download
memory/1784-37-0x0000000002290000-0x00000000022D4000-memory.dmp

Filesize
272KB

Download
memory/1784-39-0x0000000002290000-0x00000000022D4000-memory.dmp

Filesize
272KB

Download
memory/3008-12-0x0000000000CA0000-0x0000000000CF0000-memory.dmp

Filesize
320KB

Download
memory/3008-13-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/3008-285-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/3008-293-0x0000000000CA0000-0x0000000000CF0000-memory.dmp

Filesize
320KB

Download