5b58315ec526b096146e6316f9ad6e4865bf8dc6e034226bb4fbfbfa0794260a

General

Target

Cocaina-Tool/Cocaina/Cocaina-Tool.py
Size

115KB
MD5

f5e4819df646dce8513c0be7a6dc540f
SHA1

ab220001bd6dcf338c9b5b7adacfc9e57900f4d4
SHA256

2d80336fecb8c3d44eab8e62944b0f6314b1e682d37081386c2a3831594de375
SHA512

54ca376efbd4bfb5d51dd7e8305f74c07b65ab5d82c1f06e9a7c6d12d3dc1a9b796b440647198247d02d1e7b2d9ba988730d2dbcb24fb28863a22f783d57ddc6
SSDEEP

3072:ZulojjpR+ueTk8uqOabW6rou6aKGbYG0Lj6u+J+RCs:cK3eiqOabVB1bYfj6oRX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3d4543037807da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{09B74E5F-1E99-471E-93C3-9DB62719DCB2}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{268F8DB8-83F3-11EE-8D2D-CE6685DAFC54} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\.py	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\py_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1792	OpenWith.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4540	iexplore.exe
4540	iexplore.exe
4540	iexplore.exe
4540	iexplore.exe

Suspicious use of SetWindowsHookEx 49 IoCs

pid	Process
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
1792	OpenWith.exe
4540	iexplore.exe
4540	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
4540	iexplore.exe
4540	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4540	1792	OpenWith.exe	74
PID 1792 wrote to memory of 4540	1792	OpenWith.exe	74
PID 4540 wrote to memory of 1384	4540	iexplore.exe	75
PID 4540 wrote to memory of 1384	4540	iexplore.exe	75
PID 4540 wrote to memory of 1384	4540	iexplore.exe	75
PID 4540 wrote to memory of 2744	4540	iexplore.exe	77
PID 4540 wrote to memory of 2744	4540	iexplore.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Cocaina-Tool\Cocaina\Cocaina-Tool.py
1⤵
- Modifies registry class
PID:4224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cocaina-Tool\Cocaina\Cocaina-Tool.py
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4540 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1384
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Cocaina-Tool\Cocaina\Cocaina-Tool.py
    3⤵
    - Modifies Internet Explorer settings
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads