f97c2515b011badbd1530583738dc11acbe07054694469c06d53530c408b7a95

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
Size

359KB
MD5

2c41e947b027cbeae85f27259a9df7fe
SHA1

032f4b0d16bcfe402ef93479cf19163c261ef120
SHA256

f97c2515b011badbd1530583738dc11acbe07054694469c06d53530c408b7a95
SHA512

7ceb1ac587ec34fbdb34cf9ce2f2738a3aec68feff77e3077cecdf5305c9222a60347dd50305efd9d5952dfe468572e4fd48a94d175a054e6134e3f3a26b1645
SSDEEP

6144:CiPYnj0RHkzPVVtwcccgSFqyCAHts1AC1WhfsB7BnaXwnSdn0R:NYnjMHiV4SFqCLFtSdn/nSdno

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
332	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	ahgeiz.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D3EA3BE8-3C80-AD4F-223E-C0310034E32C} = "C:\\Users\\Admin\\AppData\\Roaming\\Utowo\\ahgeiz.exe"	ahgeiz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ahgeiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe
2728	ahgeiz.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
2728	ahgeiz.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2728	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2728	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2728	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2728	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	30
PID 2728 wrote to memory of 1116	2728	ahgeiz.exe	19
PID 2728 wrote to memory of 1116	2728	ahgeiz.exe	19
PID 2728 wrote to memory of 1116	2728	ahgeiz.exe	19
PID 2728 wrote to memory of 1116	2728	ahgeiz.exe	19
PID 2728 wrote to memory of 1116	2728	ahgeiz.exe	19
PID 2728 wrote to memory of 1176	2728	ahgeiz.exe	20
PID 2728 wrote to memory of 1176	2728	ahgeiz.exe	20
PID 2728 wrote to memory of 1176	2728	ahgeiz.exe	20
PID 2728 wrote to memory of 1176	2728	ahgeiz.exe	20
PID 2728 wrote to memory of 1176	2728	ahgeiz.exe	20
PID 2728 wrote to memory of 1268	2728	ahgeiz.exe	21
PID 2728 wrote to memory of 1268	2728	ahgeiz.exe	21
PID 2728 wrote to memory of 1268	2728	ahgeiz.exe	21
PID 2728 wrote to memory of 1268	2728	ahgeiz.exe	21
PID 2728 wrote to memory of 1268	2728	ahgeiz.exe	21
PID 2728 wrote to memory of 1312	2728	ahgeiz.exe	23
PID 2728 wrote to memory of 1312	2728	ahgeiz.exe	23
PID 2728 wrote to memory of 1312	2728	ahgeiz.exe	23
PID 2728 wrote to memory of 1312	2728	ahgeiz.exe	23
PID 2728 wrote to memory of 1312	2728	ahgeiz.exe	23
PID 2728 wrote to memory of 1964	2728	ahgeiz.exe	29
PID 2728 wrote to memory of 1964	2728	ahgeiz.exe	29
PID 2728 wrote to memory of 1964	2728	ahgeiz.exe	29
PID 2728 wrote to memory of 1964	2728	ahgeiz.exe	29
PID 2728 wrote to memory of 1964	2728	ahgeiz.exe	29
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31
PID 1964 wrote to memory of 332	1964	2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe	31

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2c41e947b027cbeae85f27259a9df7fe_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Utowo\ahgeiz.exe
    "C:\Users\Admin\AppData\Roaming\Utowo\ahgeiz.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp441b8b89.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp441b8b89.bat

Filesize
271B

MD5
aa3ac6187529be9a617bbe54001cd30f

SHA1
ff23d5535ff9c02dae0a21c8f0bbb6bf7fbf1b8c

SHA256
9c5c460db90df0b965fd91a2274070b1c96599c352c6a430f9dbf53f5624b11f

SHA512
0374e148da41cff154b2cc33935cf09d02f7731a518a5503538ea7f30d4794c4085a443dee20c2e4c405975ce1bc45b9791c41cdd482e1574ef99341a04deb20

Download Submit
C:\Users\Admin\AppData\Roaming\Utowo\ahgeiz.exe

Filesize
359KB

MD5
44d55b65e5aca754d6628540e2898331

SHA1
00a82357565c351eb2f6335ca468f02122b5877d

SHA256
bf4fd5a4a669b910641730b2f6051177444667af12fbffeef44ce24db809bfcd

SHA512
7946db5ef6b713798d4f4373b19134c54943cd8d5e976f456f402b7c1a9ce6b3418493c5c13326b7d65f4fe3dc8c01b6a522ea368afea8de1520ab55cd745ebd

Download Submit
memory/1116-22-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1116-26-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1116-20-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1116-18-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1116-24-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/1176-29-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1176-30-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1176-31-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1176-32-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1268-35-0x0000000002E20000-0x0000000002E64000-memory.dmp

Filesize
272KB

Download
memory/1268-34-0x0000000002E20000-0x0000000002E64000-memory.dmp

Filesize
272KB

Download
memory/1268-36-0x0000000002E20000-0x0000000002E64000-memory.dmp

Filesize
272KB

Download
memory/1268-37-0x0000000002E20000-0x0000000002E64000-memory.dmp

Filesize
272KB

Download
memory/1312-41-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1312-42-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1312-39-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1312-40-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1964-76-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-134-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-52-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-50-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-49-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-135-0x0000000076F10000-0x0000000076F11000-memory.dmp

Filesize
4KB

Download
memory/1964-47-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-45-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-56-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-64-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-58-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-66-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-68-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-70-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-72-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-74-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-62-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-54-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-78-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-48-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-136-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1964-46-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-159-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1964-160-0x0000000001C20000-0x0000000001C7C000-memory.dmp

Filesize
368KB

Download
memory/1964-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-162-0x0000000001E10000-0x0000000001E54000-memory.dmp

Filesize
272KB

Download
memory/1964-0-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1964-1-0x0000000001C20000-0x0000000001C7C000-memory.dmp

Filesize
368KB

Download
memory/1964-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1964-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-15-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2728-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-284-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2728-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download