440c90dcf04b3314204ec4b3f2c3418c7ffb0547143500134e3a5ea379525fc1

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
Size

148KB
MD5

3afc1e842a76f2cecb20f395dfa71630
SHA1

8edd1247ceda6aa51100b5b2f9d98eeee8ff8e8e
SHA256

440c90dcf04b3314204ec4b3f2c3418c7ffb0547143500134e3a5ea379525fc1
SHA512

d3fb4424e8686b4aeb2162936359cb4256d25420e60a51d7b4ea1a6c41614096ff9b7efac4bedfb1aa7f52cd55e86e0022ab4ec5e8392d764b574a884d115ef5
SSDEEP

3072:XVR2y9+DulIevNL5lOj4pVNb0HSSSGVJtlhOOr:D2yZldvN91rb0ySZce

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
344	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	geqe.exe

Loads dropped DLL 2 IoCs

pid	Process
3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AAC6B866-B8D3-5B8C-2896-74585322BB1A} = "C:\\Users\\Admin\\AppData\\Roaming\\Heap\\geqe.exe"	geqe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Privacy	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe
2164	geqe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
Token: SeSecurityPrivilege	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
Token: SeSecurityPrivilege	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2164	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2164	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2164	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	30
PID 3012 wrote to memory of 2164	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	30
PID 2164 wrote to memory of 1100	2164	geqe.exe	19
PID 2164 wrote to memory of 1100	2164	geqe.exe	19
PID 2164 wrote to memory of 1100	2164	geqe.exe	19
PID 2164 wrote to memory of 1100	2164	geqe.exe	19
PID 2164 wrote to memory of 1100	2164	geqe.exe	19
PID 2164 wrote to memory of 1168	2164	geqe.exe	20
PID 2164 wrote to memory of 1168	2164	geqe.exe	20
PID 2164 wrote to memory of 1168	2164	geqe.exe	20
PID 2164 wrote to memory of 1168	2164	geqe.exe	20
PID 2164 wrote to memory of 1168	2164	geqe.exe	20
PID 2164 wrote to memory of 1200	2164	geqe.exe	21
PID 2164 wrote to memory of 1200	2164	geqe.exe	21
PID 2164 wrote to memory of 1200	2164	geqe.exe	21
PID 2164 wrote to memory of 1200	2164	geqe.exe	21
PID 2164 wrote to memory of 1200	2164	geqe.exe	21
PID 2164 wrote to memory of 1544	2164	geqe.exe	23
PID 2164 wrote to memory of 1544	2164	geqe.exe	23
PID 2164 wrote to memory of 1544	2164	geqe.exe	23
PID 2164 wrote to memory of 1544	2164	geqe.exe	23
PID 2164 wrote to memory of 1544	2164	geqe.exe	23
PID 2164 wrote to memory of 3012	2164	geqe.exe	29
PID 2164 wrote to memory of 3012	2164	geqe.exe	29
PID 2164 wrote to memory of 3012	2164	geqe.exe	29
PID 2164 wrote to memory of 3012	2164	geqe.exe	29
PID 2164 wrote to memory of 3012	2164	geqe.exe	29
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 3012 wrote to memory of 344	3012	3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe	31
PID 2164 wrote to memory of 656	2164	geqe.exe	33
PID 2164 wrote to memory of 656	2164	geqe.exe	33
PID 2164 wrote to memory of 656	2164	geqe.exe	33
PID 2164 wrote to memory of 656	2164	geqe.exe	33
PID 2164 wrote to memory of 656	2164	geqe.exe	33
PID 2164 wrote to memory of 3036	2164	geqe.exe	35
PID 2164 wrote to memory of 3036	2164	geqe.exe	35
PID 2164 wrote to memory of 3036	2164	geqe.exe	35
PID 2164 wrote to memory of 3036	2164	geqe.exe	35
PID 2164 wrote to memory of 3036	2164	geqe.exe	35

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1100

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3afc1e842a76f2cecb20f395dfa71630_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Heap\geqe.exe
    "C:\Users\Admin\AppData\Roaming\Heap\geqe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpea34fe0c.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpea34fe0c.bat

Filesize
271B

MD5
72f3343ba9f75e60d2178399c1648e71

SHA1
f35d60fda3a2c30e17fd13a55694f6e2bed3650a

SHA256
9e69c8f807e65ceb3ebaa4f5a6c7fa0885dde58dcdc8c5fe0095ec24856866e2

SHA512
2110fb288330faed2cec5e1e40f31585c97d3672cc48cc3ff8f8d51ffc5b908597244e291bb0e88be163847a399de2e35574bf472de40824bbd6aebbfb653e01

Download Submit
C:\Users\Admin\AppData\Roaming\Pavuky\zywy.voe

Filesize
380B

MD5
e5534778c65d132d0c33484e1f18b0f9

SHA1
65035a752c9787bb0edd24259c058f3633919406

SHA256
c8647cf6354f056fbe1af9f380e5b0f69f1a160952cdaf723e3f44cf713c1745

SHA512
7d6ef81aee75c200c016db38de026b62d1d90f051a3397617e5f9107dad83d2c2aac01b03ce62b302ecccc0b83191ec0165892b2b9dfd7dee83238769480d1d4

Download Submit
\Users\Admin\AppData\Roaming\Heap\geqe.exe

Filesize
148KB

MD5
582ded5346953eee326805c4c61bfe34

SHA1
4116375b0cc7216a8ebb4b8cd6725c144d66b56c

SHA256
5164aad26198b08b1500077ee4d80ffdfa356a35282c5a264a2592a3455c24d7

SHA512
b973b656fb785a37435cc1335b374d567e7b884e5c6e9d5be41bdbf4a266675bb72aa75cf1a558d83a1d8dfe7dbad1550d13a1d582ce19583266543b936a4e84

Download Submit
memory/344-118-0x0000000076EF0000-0x0000000076EF1000-memory.dmp

Filesize
4KB

Download
memory/344-121-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/344-90-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/344-120-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1100-15-0x00000000020F0000-0x000000000210A000-memory.dmp

Filesize
104KB

Download
memory/1100-17-0x00000000020F0000-0x000000000210A000-memory.dmp

Filesize
104KB

Download
memory/1100-23-0x00000000020F0000-0x000000000210A000-memory.dmp

Filesize
104KB

Download
memory/1100-19-0x00000000020F0000-0x000000000210A000-memory.dmp

Filesize
104KB

Download
memory/1100-21-0x00000000020F0000-0x000000000210A000-memory.dmp

Filesize
104KB

Download
memory/1168-27-0x0000000001F30000-0x0000000001F4A000-memory.dmp

Filesize
104KB

Download
memory/1168-30-0x0000000001F30000-0x0000000001F4A000-memory.dmp

Filesize
104KB

Download
memory/1168-29-0x0000000001F30000-0x0000000001F4A000-memory.dmp

Filesize
104KB

Download
memory/1168-28-0x0000000001F30000-0x0000000001F4A000-memory.dmp

Filesize
104KB

Download
memory/1200-32-0x0000000002E00000-0x0000000002E1A000-memory.dmp

Filesize
104KB

Download
memory/1200-33-0x0000000002E00000-0x0000000002E1A000-memory.dmp

Filesize
104KB

Download
memory/1200-34-0x0000000002E00000-0x0000000002E1A000-memory.dmp

Filesize
104KB

Download
memory/1200-35-0x0000000002E00000-0x0000000002E1A000-memory.dmp

Filesize
104KB

Download
memory/1544-40-0x0000000001E70000-0x0000000001E8A000-memory.dmp

Filesize
104KB

Download
memory/1544-37-0x0000000001E70000-0x0000000001E8A000-memory.dmp

Filesize
104KB

Download
memory/1544-38-0x0000000001E70000-0x0000000001E8A000-memory.dmp

Filesize
104KB

Download
memory/1544-39-0x0000000001E70000-0x0000000001E8A000-memory.dmp

Filesize
104KB

Download
memory/2164-122-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-74-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-42-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-44-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-45-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-47-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-49-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-51-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-53-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-55-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-57-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-59-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-65-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-66-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-70-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-72-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-43-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-79-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-0-0x0000000001DD0000-0x0000000001EB0000-memory.dmp

Filesize
896KB

Download
memory/3012-76-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-68-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-63-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3012-46-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/3012-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3012-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download