101ebd8af4ca027bbfc30c8f36f4f36b918a6041d7a7e4258a75330d6e446d0e

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Size

3.7MB
MD5

2a36b71a37bff53c21b8bd31404d41fa
SHA1

ceb50a797bc73b4fb16cd37b76eba690638c5916
SHA256

101ebd8af4ca027bbfc30c8f36f4f36b918a6041d7a7e4258a75330d6e446d0e
SHA512

2e9a4d39a4ccd3d2f91b857b025b2cc54b858e78196cd8180d0e5afb874b8818deef753f24d3899e2efc3d076755fa63092176bb5bafae643052bffd443ca8b8
SSDEEP

98304:miokeI+GyVklcIpRTk52CEyUVm9S8rnPDi:MtI+GRpRTk5Qd8rW

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2856	_F96C.tmpac7d.exe
2620	securitymanager.exe
2828	AntivirusProtection2012.exe

Loads dropped DLL 11 IoCs

pid	Process
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection 2012 SH = "C:\\Users\\Admin\\AppData\\Roaming\\Antivirus Protection\\securityhelper.exe"	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection 2012 SM = "C:\\Users\\Admin\\AppData\\Roaming\\Antivirus Protection\\securitymanager.exe"	securitymanager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\3knf0fwsdof4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe"	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection = "\"C:\\Users\\Admin\\AppData\\Roaming\\Antivirus Protection\\AntivirusProtection2012.exe\" /STARTUP"	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus Protection 2012 SM = "C:\\Users\\Admin\\AppData\\Roaming\\Antivirus Protection\\securitymanager.exe"	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.log	securitymanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_F96C.tmpac7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	securitymanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntivirusProtection2012.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	AntivirusProtection2012.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
Token: SeDebugPrivilege	2828	AntivirusProtection2012.exe
Token: 33	1756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1756	AUDIODG.EXE
Token: 33	1756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2620	securitymanager.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2620	securitymanager.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2828	AntivirusProtection2012.exe
2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe
2828	AntivirusProtection2012.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2856	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	29
PID 2172 wrote to memory of 2856	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	29
PID 2172 wrote to memory of 2856	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	29
PID 2172 wrote to memory of 2856	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	29
PID 2172 wrote to memory of 2620	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	31
PID 2172 wrote to memory of 2620	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	31
PID 2172 wrote to memory of 2620	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	31
PID 2172 wrote to memory of 2620	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	31
PID 2172 wrote to memory of 2828	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	32
PID 2172 wrote to memory of 2828	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	32
PID 2172 wrote to memory of 2828	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	32
PID 2172 wrote to memory of 2828	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	32
PID 2172 wrote to memory of 2716	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	33
PID 2172 wrote to memory of 2716	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	33
PID 2172 wrote to memory of 2716	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	33
PID 2172 wrote to memory of 2716	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	33
PID 2172 wrote to memory of 2760	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	35
PID 2172 wrote to memory of 2760	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	35
PID 2172 wrote to memory of 2760	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	35
PID 2172 wrote to memory of 2760	2172	JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a36b71a37bff53c21b8bd31404d41fa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\_F96C.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_F96C.tmpac7d.exe" -p"08:02 AM" -y -o"C:\Users\Admin\AppData\Roaming\Antivirus Protection"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Users\Admin\AppData\Roaming\Antivirus Protection\securitymanager.exe
  "C:\Users\Admin\AppData\Roaming\Antivirus Protection\securitymanager.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2620
- C:\Users\Admin\AppData\Roaming\Antivirus Protection\AntivirusProtection2012.exe
  "C:\Users\Admin\AppData\Roaming\Antivirus Protection\AntivirusProtection2012.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\Antivirus Protection"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_F96C.tmpac7d.exe

Filesize
2.4MB

MD5
970787fcb53f67146d01a7ba9452ab98

SHA1
be36127392f0982ffe68c72b108a9e9065ab3f4e

SHA256
a9881f2038c2f8e655c98992bd2d21edb06003a166dccd9cc83e48bbb0b9e088

SHA512
c44902f1001477ae52c415e6316d1167a832339f80207e83fd244986fc7fe88bab5058d0538ecd9049be49187eae7d904c55eca7e4d1206c6bac7c99d191554e

Download Submit
C:\Users\Admin\AppData\Roaming\Antivirus Protection\AntivirusProtection2012.exe

Filesize
2.2MB

MD5
86fffb29bd8fb09375c1cbfb634c180b

SHA1
8dc4c2b469141d54e9a3c8f024a8d21f02d3a0e4

SHA256
fb4cd7bdef02e7ec1c3288d983c67346aa26beb6845459cf57d5611825022d7a

SHA512
123c3d5b2340317852ec7f80aa2fed0b4b155ed24ca8124b96b7102a6e63daf0d373b7e1dc00860c6ff9299ad4a08f37be598c406912abae6b2df693bb09ce26

Download Submit
C:\Users\Admin\AppData\Roaming\Antivirus Protection\securitymanager.exe

Filesize
100KB

MD5
431ceafce82a83ba44e5987bd8d09cae

SHA1
655d8e45d4940c4ee826114a49c1ac9698b977c4

SHA256
79a829b96bf1343f16fa07405ed01d87b6536584f3a130c92aab75d1e7695f64

SHA512
fadac592e08b17e49d1293cfb382cc2ac821d6803910434fde25fa51f8318578b5084a55455ece3c423b124243459cb0fc921beb88918379b24568d4065ac7d5

Download Submit
memory/2172-48-0x0000000000401000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2172-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2172-3-0x0000000000401000-0x00000000005C9000-memory.dmp

Filesize
1.8MB

Download
memory/2172-1-0x0000000000400000-0x0000000000DE7000-memory.dmp

Filesize
9.9MB

Download
memory/2172-0-0x0000000002B30000-0x0000000002EDF000-memory.dmp

Filesize
3.7MB

Download
memory/2172-49-0x0000000000400000-0x0000000000DE7000-memory.dmp

Filesize
9.9MB

Download
memory/2172-46-0x0000000002B30000-0x0000000002EDF000-memory.dmp

Filesize
3.7MB

Download
memory/2172-47-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2620-72-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2620-44-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2620-50-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2828-70-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-51-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-57-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-60-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-63-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-67-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-45-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-54-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-73-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-76-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-79-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-82-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-85-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-88-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download
memory/2828-91-0x0000000000400000-0x0000000001887000-memory.dmp

Filesize
20.5MB

Download