a56378e94e672235543d5dd887b564d4b1cca0b2bb7a8be1919d82af3c791c40

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 16:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Size

320KB
MD5

30c7473bf95078d67bf3c085e646fda6
SHA1

0f0fb6e51455985a259f65bf4caf70fa314eb182
SHA256

a56378e94e672235543d5dd887b564d4b1cca0b2bb7a8be1919d82af3c791c40
SHA512

5251bbba0a883dab9ac03cb2bad9eb2803ee0882d769ffb39e7eae7a18ccd951460cca57ef2b4a51ef92e28d579f74d3c81240f450d973f75a59e65f7d8cb626
SSDEEP

6144:fVpAm6qyBu2vukCUT8AlG0KwCkspuJ2ViKpxQX34+ex:fklp+DwCkWG1KpxLZ

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	cohe.exe

Loads dropped DLL 2 IoCs

pid	Process
2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Osuruhawq = "C:\\Users\\Admin\\AppData\\Roaming\\Owci\\cohe.exe"	cohe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cohe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\71E678E9-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe
2772	cohe.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeSecurityPrivilege	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2568	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2568	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2568	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
2772	cohe.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2772	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2772	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2772	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	31
PID 2664 wrote to memory of 2772	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	31
PID 2772 wrote to memory of 1048	2772	cohe.exe	17
PID 2772 wrote to memory of 1048	2772	cohe.exe	17
PID 2772 wrote to memory of 1048	2772	cohe.exe	17
PID 2772 wrote to memory of 1048	2772	cohe.exe	17
PID 2772 wrote to memory of 1048	2772	cohe.exe	17
PID 2772 wrote to memory of 1056	2772	cohe.exe	18
PID 2772 wrote to memory of 1056	2772	cohe.exe	18
PID 2772 wrote to memory of 1056	2772	cohe.exe	18
PID 2772 wrote to memory of 1056	2772	cohe.exe	18
PID 2772 wrote to memory of 1056	2772	cohe.exe	18
PID 2772 wrote to memory of 1124	2772	cohe.exe	20
PID 2772 wrote to memory of 1124	2772	cohe.exe	20
PID 2772 wrote to memory of 1124	2772	cohe.exe	20
PID 2772 wrote to memory of 1124	2772	cohe.exe	20
PID 2772 wrote to memory of 1124	2772	cohe.exe	20
PID 2772 wrote to memory of 1472	2772	cohe.exe	25
PID 2772 wrote to memory of 1472	2772	cohe.exe	25
PID 2772 wrote to memory of 1472	2772	cohe.exe	25
PID 2772 wrote to memory of 1472	2772	cohe.exe	25
PID 2772 wrote to memory of 1472	2772	cohe.exe	25
PID 2772 wrote to memory of 2664	2772	cohe.exe	30
PID 2772 wrote to memory of 2664	2772	cohe.exe	30
PID 2772 wrote to memory of 2664	2772	cohe.exe	30
PID 2772 wrote to memory of 2664	2772	cohe.exe	30
PID 2772 wrote to memory of 2664	2772	cohe.exe	30
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2664 wrote to memory of 2780	2664	30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe	33
PID 2772 wrote to memory of 1400	2772	cohe.exe	35
PID 2772 wrote to memory of 1400	2772	cohe.exe	35
PID 2772 wrote to memory of 1400	2772	cohe.exe	35
PID 2772 wrote to memory of 1400	2772	cohe.exe	35
PID 2772 wrote to memory of 1400	2772	cohe.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1048

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1124
- C:\Users\Admin\AppData\Local\Temp\30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\30c7473bf95078d67bf3c085e646fda6_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Roaming\Owci\cohe.exe
    "C:\Users\Admin\AppData\Roaming\Owci\cohe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4ddcfe44.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1472

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
c9369db597e1a33c6a80372ffcaca6d2

SHA1
62f4d4aa79ef0f56d606ccc77576abdade2b3012

SHA256
04e6a5533b279b4174ca55ba6eb74cd6aaa805511670b92fbdd88dba828452fe

SHA512
feb4eca9457ae914d02a241ba698f070c7ea73bad158e73196f15c4a406e1ad6ba1e0e0a7bcb012c65df242d3335b7b01416220059e9c05c9295eb8bed3d7562

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4ddcfe44.bat

Filesize
271B

MD5
5c38fd342cfff0499784999719ca844e

SHA1
5c638b25b7b3b9874f5115ed89337e7e7f1d1de6

SHA256
5f9eb88824a85cf1731785d22c4ab6470f240069d5112db2ec8195b00e0e3caf

SHA512
9290a8beec85e69324b75ff6046298bbe4f29f4322736541951c3f463bda845c0b2fb4693115d6ad7a6fdd74e84e73e66199650e39d3f6ba3afd5c3ec22dc399

Download Submit
C:\Users\Admin\AppData\Roaming\Ukle\atin.pye

Filesize
4KB

MD5
e415ee39489801545ce3c7d8d5887bb8

SHA1
9712f728443ea13a5e1383dac5acfe15583e1ac7

SHA256
5987c8c56503f5c373e250a7536f1d257f0c96ff3100be13886ee635185d4579

SHA512
c71790de0cf5b0117f551a076d2bc39fe240a57fa91e460f2db9cb2778061348e108aa96c560615300e2c7d315c3421bd54da06240c1c788881ed0496abcdf41

Download Submit
C:\Users\Admin\AppData\Roaming\Ukle\atin.pye

Filesize
4KB

MD5
12403f07e8c8dcaad82b18387990630d

SHA1
37d88ed6752000945898b17c6965da6d7d4e2520

SHA256
e4dbb9c867a05b2baece67a696c1b418f4d0a4f7a5fc1a866e9c4ab4a0f28ecf

SHA512
f7fdf05d123239131af6e31fbe1d8631d03a1174457ef593b4a60ee1a5e1366478c222b4f9de257f99f3c0355b859f3f762b26c9231dfa1ecac34bc16536d0e1

Download Submit
\Users\Admin\AppData\Roaming\Owci\cohe.exe

Filesize
320KB

MD5
4b4026a7a4158cae99855f6f2462e7fb

SHA1
b48ecbf59299bccab0183c6c7589e0b6e8b4bcb2

SHA256
e9f0b0c4028e057cf3cd507a9e0f33e7248db85af5c365ec8b01e51052ed12f4

SHA512
90f8809bf5d94dfb146d9a28fcd800cb1a2ca5fdfbeedfb7afd6eee1e0233199f6919b23858b262a89a77bf1628bd5564ac8217180eba4f26cb7de19c9aa7ba9

Download Submit
memory/1048-37-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/1048-41-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/1048-43-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/1048-39-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/1048-35-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/1056-49-0x0000000001F80000-0x0000000001FB6000-memory.dmp

Filesize
216KB

Download
memory/1056-46-0x0000000001F80000-0x0000000001FB6000-memory.dmp

Filesize
216KB

Download
memory/1056-48-0x0000000001F80000-0x0000000001FB6000-memory.dmp

Filesize
216KB

Download
memory/1056-47-0x0000000001F80000-0x0000000001FB6000-memory.dmp

Filesize
216KB

Download
memory/1124-53-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/1124-54-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/1124-52-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/1124-51-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/1472-59-0x0000000001CF0000-0x0000000001D26000-memory.dmp

Filesize
216KB

Download
memory/1472-56-0x0000000001CF0000-0x0000000001D26000-memory.dmp

Filesize
216KB

Download
memory/1472-57-0x0000000001CF0000-0x0000000001D26000-memory.dmp

Filesize
216KB

Download
memory/1472-58-0x0000000001CF0000-0x0000000001D26000-memory.dmp

Filesize
216KB

Download
memory/2664-82-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-69-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2664-61-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-63-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-66-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-64-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-65-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-0-0x0000000000280000-0x00000000002B6000-memory.dmp

Filesize
216KB

Download
memory/2664-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-338-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2664-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-7-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2664-74-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-79-0x0000000077CB0000-0x0000000077CB1000-memory.dmp

Filesize
4KB

Download
memory/2664-222-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x00000000002C0000-0x0000000000312000-memory.dmp

Filesize
328KB

Download
memory/2664-80-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2664-77-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-75-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2664-71-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2664-62-0x0000000001CC0000-0x0000000001CF6000-memory.dmp

Filesize
216KB

Download
memory/2664-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2664-273-0x00000000002C0000-0x0000000000312000-memory.dmp

Filesize
328KB

Download
memory/2772-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-24-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2772-23-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2772-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download