Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18/04/2024, 13:24
General
-
Target
f8163c4bdb1eb9c1beb502bc194f8649_JaffaCakes118.exe
-
Size
160KB
-
MD5
f8163c4bdb1eb9c1beb502bc194f8649
-
SHA1
acc1bfc812bc832e5e82f5a4d4b7672e2e17ca5b
-
SHA256
d122d4beba16b9f42014e6f788b51cf1577d6c44518df92786e56987479661b3
-
SHA512
7e331446511499ef491813a017bff8a29d39c5a9f0ff6f1f688a4e106787fea69155703f1fdf8fdc12d57cfcc70a41c68eddf5f682a82f0fbbd70d6889ab062a
-
SSDEEP
1536:9/elR8Hruyv+mMiIAcI9vmQHv51skHMDnHbZAYsMKWqD7WCDYVRaJNGXp+B:F2WLuyv+mMi5cCeeM7FAJM3IymYVZo
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 14 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8163c4bdb1eb9c1beb502bc194f8649_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8163c4bdb1eb9c1beb502bc194f8649_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:25⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f5⤵
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf5⤵
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl6BCF.tmpC:\Users\Admin\AppData\Local\Temp\inl6BCF.tmp2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F8163C~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
791B
MD51706b41fd446b5718a8419c0fcb35d55
SHA1d9bb8df22acdc60c754ac14982cf795df3b1b815
SHA2565c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943
SHA51268c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e
-
Filesize
2.6MB
MD56c297cf8f6b581bc73d333fd6c18a48b
SHA171fe38e4a848ef1a5e7c559550cb5e43d0083d53
SHA256d07e174fcf300621e18098d2e350696eefdfe63fa24804a18b99f67d12f5d8b2
SHA5122e0a5da7bace6266d1e62e2ddd1ee3538d122c290de044870dd0de885188adb8cea8f65708b5873ea762d4550910af17145d4e0487c4eb34181cb31bed097701
-
Filesize
2.5MB
MD5944f65b16ca26b05052f1be6424a22bc
SHA1fc2e618d83ca4407ecc3c44bb8edc627d29053a5
SHA256d78684f86a694591cac7dfacb94d819449e0bc11b1febbcf31b47d97f0056f55
SHA51226d4ecfa8c65ce1ceaa3bca025b06c4e93a083bea3e58782c70a5852dc02f8c2bedd6000722df7b300222598dbd0eeb349417de7436021c3c3750d097191e4ed
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD5168976102055ae6902b5d251d4b39401
SHA137c28d5b4d19bf3ef0be7be04ac4b54c71866773
SHA256aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc
SHA51295474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5428b15afd0f31b5f77d86f84a2e0bf36
SHA1e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2
SHA256390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5
SHA5123272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
9.1MB
MD58300cb409d6d7872ad8093140777109e
SHA1553f4f39616207492c07eb53d6a5a2bbe93f8abf
SHA2566ff92d4651d9d5bd57329b82a8e301aa7a05e9d949067dff8db1b12c56fbcbca
SHA5122e3b2c93e211b401e7a0413e6dd29b2804039462b99d842a13a4849a86b8a8fac796f340d492a74847909730224f82ea879abab6bb5a763d1fa3df8085812cc2
-
Filesize
1.9MB
MD5e9e2e43f01e903ee3f3ad6276eebf306
SHA1b59c23fb7b905357c498e16533768412b5e6e4d8
SHA256b8c1b9ddb3add82b56547fbf28f361cedc663dd7fe8bdc6a83963d74d4d578d5
SHA512ba8f4214c3136a80c29ed2970a339c54d50d45a6218afed1ac099b835cdef079330eb53516ea77c11a83a1a9e585d16979f07d66d4af1c6f09047326d176e245
-
Filesize
2.6MB
MD55dd67bcf883ee095f2cd6b2874f76f58
SHA19fb31d417ff1d8dae729121128b503627f4daa23
SHA2568ea94cd9bb3bd3966220d21e946d2f893d4454f5d181c3cd0bd4fc8849bc8ddf
SHA512fb6a4955d71ae98031bb5b78300eabd6af19618063d4d3563628f628d5d3d8657e117664d0aef53ef579638f432357d25bd45c7e96c4aa60d51b4370965c8f43
-
Filesize
64KB
-
Filesize
160KB