e1761376183d2eb65753762b1ba7a3bc2f4593903df2e63fa62f421f4a54a2ff

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/11/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
Size

341KB
MD5

907d81bc6ee6a9a0c958994729fe54da
SHA1

3436f2ceec31d2b3c9bba8c7cb70f4b1060122be
SHA256

e1761376183d2eb65753762b1ba7a3bc2f4593903df2e63fa62f421f4a54a2ff
SHA512

9f8ebf98655c95a6d915180ad3b4045e0da0430ce82f5e47c977e8300722bd02e9ec9076e8bad84f5478e299704490a4fedbdda319f021a7718ebb8e57619f46
SSDEEP

6144:v2AVHBPYYGf7/fKR3Wr1Garj+69x/pjoFfJzv8UtSCNgg2Wm:TgfKc39x/p8FfVhgP

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2764	abudo.exe
2852	abudo.exe

Loads dropped DLL 9 IoCs

pid	Process
3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe
292	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\{D828F808-3C80-AD4F-7E84-E44A5F96C757} = "C:\\Users\\Admin\\AppData\\Roaming\\Emure\\abudo.exe"	abudo.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 2764 set thread context of 2852	2764	abudo.exe	34
PID 3040 set thread context of 2504	3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	37

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	1560	WerFault.exe	30
292	2764	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abudo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Privacy	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\0E686E8C-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe
2852	abudo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1620	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1620	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 3040	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	31
PID 1560 wrote to memory of 2744	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2744	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2744	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	32
PID 1560 wrote to memory of 2744	1560	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	32
PID 3040 wrote to memory of 2764	3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	33
PID 3040 wrote to memory of 2764	3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	33
PID 3040 wrote to memory of 2764	3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	33
PID 3040 wrote to memory of 2764	3040	907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe	33
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 2852	2764	abudo.exe	34
PID 2764 wrote to memory of 292	2764	abudo.exe	35
PID 2764 wrote to memory of 292	2764	abudo.exe	35
PID 2764 wrote to memory of 292	2764	abudo.exe	35
PID 2764 wrote to memory of 292	2764	abudo.exe	35
PID 2852 wrote to memory of 1112	2852	abudo.exe	19
PID 2852 wrote to memory of 1112	2852	abudo.exe	19
PID 2852 wrote to memory of 1112	2852	abudo.exe	19
PID 2852 wrote to memory of 1112	2852	abudo.exe	19
PID 2852 wrote to memory of 1112	2852	abudo.exe	19
PID 2852 wrote to memory of 1164	2852	abudo.exe	20
PID 2852 wrote to memory of 1164	2852	abudo.exe	20
PID 2852 wrote to memory of 1164	2852	abudo.exe	20
PID 2852 wrote to memory of 1164	2852	abudo.exe	20
PID 2852 wrote to memory of 1164	2852	abudo.exe	20
PID 2852 wrote to memory of 1232	2852	abudo.exe	21
PID 2852 wrote to memory of 1232	2852	abudo.exe	21
PID 2852 wrote to memory of 1232	2852	abudo.exe	21
PID 2852 wrote to memory of 1232	2852	abudo.exe	21
PID 2852 wrote to memory of 1232	2852	abudo.exe	21
PID 2852 wrote to memory of 316	2852	abudo.exe	23
PID 2852 wrote to memory of 316	2852	abudo.exe	23
PID 2852 wrote to memory of 316	2852	abudo.exe	23
PID 2852 wrote to memory of 316	2852	abudo.exe	23
PID 2852 wrote to memory of 316	2852	abudo.exe	23
PID 2852 wrote to memory of 1560	2852	abudo.exe	30
PID 2852 wrote to memory of 1560	2852	abudo.exe	30
PID 2852 wrote to memory of 1560	2852	abudo.exe	30
PID 2852 wrote to memory of 1560	2852	abudo.exe	30
PID 2852 wrote to memory of 1560	2852	abudo.exe	30
PID 2852 wrote to memory of 3040	2852	abudo.exe	31
PID 2852 wrote to memory of 3040	2852	abudo.exe	31
PID 2852 wrote to memory of 3040	2852	abudo.exe	31
PID 2852 wrote to memory of 3040	2852	abudo.exe	31
PID 2852 wrote to memory of 3040	2852	abudo.exe	31
PID 2852 wrote to memory of 2744	2852	abudo.exe	32
PID 2852 wrote to memory of 2744	2852	abudo.exe	32
PID 2852 wrote to memory of 2744	2852	abudo.exe	32
PID 2852 wrote to memory of 2744	2852	abudo.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\907d81bc6ee6a9a0c958994729fe54da_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Roaming\Emure\abudo.exe
      "C:\Users\Admin\AppData\Roaming\Emure\abudo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Roaming\Emure\abudo.exe
        
        "C:\Users\Admin\AppData\Roaming\Emure\abudo.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 116
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp879880d6.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 116
    3⤵
    - Program crash
    PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:316

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "805056438-931571054323406462-1406548189-18234271452140664899-358010234-1949696575"
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
ee707d0a5d855042d840537123ee8e8f

SHA1
65a9b6ed40117301376d07523f78802d891259cb

SHA256
b07ba44cfe9fc3dae2ef043a1556f1d958e0b62a6a664763a83da256e867157b

SHA512
5c5c6dfb70fe2dbc8126f80778b4709dbf3164d6a7ae021897a1b923bdfe8b8eaa162ff20ab9b36c9a593f9a8459ce1c2d22372dd3e746538f71a2476ff55dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp879880d6.bat

Filesize
271B

MD5
69ed5d744c42a2fb454f3aa81780f1f1

SHA1
c01373eec420d6a16e32d8ea0b9e065bc09a6b7e

SHA256
ec4697570c567c8a6d918ab4703ac53fb36d8eb3c152f0cbfb62eb731515b890

SHA512
cb3f9c1443b52049ac7a1688da1ffd6c0000b5faacaa25c1ced189ab71fce8fbae03ce02534717b1facbe8b51d1f85d844fc4cb2298a245e31c28cff8374e416

Download Submit
\Users\Admin\AppData\Roaming\Emure\abudo.exe

Filesize
341KB

MD5
6dabb80e844e448920bb3f76b69a7e97

SHA1
7d7fbe35745e224d14ea46e774b0f8eda8ee6745

SHA256
f2dffab7308cec30505c70073e0a375a6a37f4b41e5725c5e04440d5d97f63e8

SHA512
c66b17a2b68728a106447d38a32d102c958d3bd2fcc26fa5619bca9c8efaa58898712ef0b3c3e73a380b9bd0529c7c128c0d8beaa602087db9eb1a8db573d2ab

Download Submit
memory/316-74-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/316-75-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/316-73-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/316-72-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1112-53-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1112-55-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1112-57-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1112-59-0x00000000021E0000-0x0000000002224000-memory.dmp

Filesize
272KB

Download
memory/1164-63-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/1164-65-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/1164-64-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/1164-62-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/1232-67-0x0000000003D50000-0x0000000003D94000-memory.dmp

Filesize
272KB

Download
memory/1232-68-0x0000000003D50000-0x0000000003D94000-memory.dmp

Filesize
272KB

Download
memory/1232-69-0x0000000003D50000-0x0000000003D94000-memory.dmp

Filesize
272KB

Download
memory/1232-70-0x0000000003D50000-0x0000000003D94000-memory.dmp

Filesize
272KB

Download
memory/1560-77-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/1560-87-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1560-82-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1560-79-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/1560-78-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/1560-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1560-85-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1560-83-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1560-80-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/1560-81-0x00000000005A0000-0x00000000005E4000-memory.dmp

Filesize
272KB

Download
memory/1560-838-0x00000000005A0000-0x00000000005FA000-memory.dmp

Filesize
360KB

Download
memory/2764-28-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2764-600-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2852-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-776-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-11-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-632-0x0000000000380000-0x00000000003C4000-memory.dmp

Filesize
272KB

Download
memory/3040-631-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-27-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download
memory/3040-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-26-0x0000000000380000-0x00000000003DA000-memory.dmp

Filesize
360KB

Download