a7781c2e245c3710d71867a8c72972a6a93b3af25947dc6b2fef11ff375c11ac

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
Size

160KB
MD5

44e7f53a79b4904e481580bd19025d43
SHA1

3a294a3dae12481ebc3d6f16839dcb9b72dd74c7
SHA256

a7781c2e245c3710d71867a8c72972a6a93b3af25947dc6b2fef11ff375c11ac
SHA512

d2bc79d64bea26db7288319d4edf08ea301b1e9dd442d683e6567729e8fc4be3f3f0caec54d3d4abaa4827cc0b3e648bd568de0ddca305585e01e82384a589fb
SSDEEP

3072:ac/T34yi7qEPuq8K/vhE0T1ool0RIUV4qPbHtycvCqyDdYOxQ8OjIJfB:Z3bynuk/vhV2o2RIUVlDHtyaLeeqQ8Ou

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3636	Cjytaa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cjytaa.exe	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Cjytaa.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Cjytaa.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
File created	C:\Windows\Cjytaa.exe	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjytaa.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	Cjytaa.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\International	Cjytaa.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	Cjytaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe
3636	Cjytaa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3636	Cjytaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3636	1856	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe	89
PID 1856 wrote to memory of 3636	1856	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe	89
PID 1856 wrote to memory of 3636	1856	44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44e7f53a79b4904e481580bd19025d43_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Cjytaa.exe
  C:\Windows\Cjytaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cjytaa.exe

Filesize
160KB

MD5
44e7f53a79b4904e481580bd19025d43

SHA1
3a294a3dae12481ebc3d6f16839dcb9b72dd74c7

SHA256
a7781c2e245c3710d71867a8c72972a6a93b3af25947dc6b2fef11ff375c11ac

SHA512
d2bc79d64bea26db7288319d4edf08ea301b1e9dd442d683e6567729e8fc4be3f3f0caec54d3d4abaa4827cc0b3e648bd568de0ddca305585e01e82384a589fb

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
390B

MD5
af95fa83bf26db67eab923616e0d4cf4

SHA1
67940ebe54255ad375243ca97807d27cfab24df5

SHA256
5c62e4e4755da85cc6cddde19bf3ac17e5e39fb47a0ba1c9ad18e91eb0506eb9

SHA512
5c124dbe66d9cf85320f5499101ce32acc768a918439b933e5b09d34990d594611e6ff2af8399a2826b363fad1c45cf6ada828124bf2caf3a0d8c81651fb50ed

Download Submit
memory/1856-1568-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1856-1-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-2-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-47634-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-0-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1856-5796-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-23759-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-54765-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-31171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-39554-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-47829-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140186-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3636-140193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download