Overview

overview

10

Static

static

5

0d4bfbdb0a...18.exe

windows7-x64

10

0d4bfbdb0a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    139s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 02:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d4bfbdb0a90be3072174f93dc81897e_JaffaCakes118.exe

  • Size

    7.7MB

  • MD5

    0d4bfbdb0a90be3072174f93dc81897e

  • SHA1

    eb034e2bf1859deab12617ab4333b7b719553306

  • SHA256

    a3320970587f1cb52cd036b1317dcd800c71da4c499a240d7644d9d93003c933

  • SHA512

    ecae4033707c66a455dae64061cec4ff225b4679df6a684d6cdb07cba22f1695e53b0f265f3c1456b1bb0820827225c8ecbf92129ef8957695ff315a8ef3cfe3

  • SSDEEP

    196608:MCKPhIdB4LC4BgRexpA4O1Xq7pZIBVIAg26FsluEMC/WpsvkCesIG:nWo4m4iwg/qfDLKEC/WSvkCeH

Score
7/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 1 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
    installer
  • Modifies registry class 52 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d4bfbdb0a90be3072174f93dc81897e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d4bfbdb0a90be3072174f93dc81897e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
      "C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\is-PG549.tmp\cexplorer.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-PG549.tmp\cexplorer.tmp" /SL5="$A0096,6397385,121344,C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Modifies registry class
          PID:3140
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
          4⤵
          • Executes dropped EXE
          • Registers COM server for autorun
          • Adds Run key to start application
          • Modifies registry class
          PID:2676
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          PID:4896
        • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
          "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          PID:2000
    • C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\AppData\Local\Temp\crpt.exe
        "C:\Users\Admin\AppData\Local\Temp\crpt.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Local\Temp\crpt.exe
          "C:\Users\Admin\AppData\Local\Temp\crpt.exe"
          4⤵
            PID:3964
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 904
            4⤵
            • Program crash
            PID:4712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 1960
      1⤵
        PID:4516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
        Filesize

        14.4MB

        MD5

        92a3d0847fc622b31f2d0c273a676c0e

        SHA1

        e642d694367cc98a8863d87fec82e4cf940eb48a

        SHA256

        9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89

        SHA512

        01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c

        Download Submit

      • C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
        Filesize

        4.4MB

        MD5

        5b0ae3fac33c08145dca4a9c272ebc34

        SHA1

        940f504d835fc254602953495320bb92456177b9

        SHA256

        137723bdd388f6e5a50b7942eff02f4cc70e6b86d8650a41f9e8956ea1e4de3b

        SHA512

        015ffc133ad3a6937222bbc057f68b60abfe22b900b5e7c4e6ca3ec7dc6b09abaf54b595f00fa9212f370da8531af1ac5fc52b39953e1f685e81c66d1ec61f8a

        Download Submit

      • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new
        Filesize

        786KB

        MD5

        dd5ce4d765edd75eba6f311e6e0ea10a

        SHA1

        9ea7f6516e5ad0755b74463d427055f63ed1a664

        SHA256

        64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d

        SHA512

        d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216

        Download Submit

      • C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new
        Filesize

        1.2MB

        MD5

        de5f74ef4e17b2dc8ad69a3e9b8d22c7

        SHA1

        42df8fedc56761041bce47b84bd4e68ee75448d2

        SHA256

        b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32

        SHA512

        515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314

        Download Submit

      • C:\Program Files (x86)\Chameleon Explorer\Folder.dll
        Filesize

        750KB

        MD5

        fb76f4f533203e40ce30612a47171f94

        SHA1

        304ba296c77a93ddb033d52578fcc147397db981

        SHA256

        3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6

        SHA512

        a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995

        Download Submit

      • C:\Program Files (x86)\Chameleon Explorer\Folder64.dll
        Filesize

        1.2MB

        MD5

        96f92c8368c1e922692f399db96da1eb

        SHA1

        1a91d68f04256ef3bc1022beb616ba65271bd914

        SHA256

        161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9

        SHA512

        b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\aut45A4.tmp
        Filesize

        6.5MB

        MD5

        b2e5a8fe3ca4f0cd681b5662f972ea5f

        SHA1

        b7dbcfaee55ecbf0158431d85dabdd479ab449c7

        SHA256

        e71c48c03b8cfd37bf17e62460733a4bfe9c484e947fd9db291f65405a2ba9e8

        SHA512

        40b7140f5c182cd51cee142a2575bd70dc9bde311ad3952119fb9769b5ceeb467695aa5a66fc90520712d9a39458930efb965496d6443665b7597cfd66247aaf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\crpt.exe
        Filesize

        226KB

        MD5

        41fbfe54412289cb9abfdbb4d3859abc

        SHA1

        2a67b1e08cd669bb6746e3be34c277b9403cb7c5

        SHA256

        a5a5fd2215aae7022d03ae86e8f8c9a5dde74e8915d420e37cd069354be68d6a

        SHA512

        b3a03f97b94455dd10c9b974e4b1dc4680bdcbd4288b1ea23f32b247ea31d0a0c2b00b06778db323ea2fd147dbd84abd83c29983c8afa309270c2f4163ba6d6e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-PG549.tmp\cexplorer.tmp
        Filesize

        1.1MB

        MD5

        729bc0108bcd7ec083dfa83d7a4577f2

        SHA1

        0b4efa5e1764b4ce3e3ae601c8655c7bb854a973

        SHA256

        b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49

        SHA512

        49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsg63DC.tmp\System.dll
        Filesize

        11KB

        MD5

        3f176d1ee13b0d7d6bd92e1c7a0b9bae

        SHA1

        fe582246792774c2c9dd15639ffa0aca90d6fd0b

        SHA256

        fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

        SHA512

        0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\update.exe
        Filesize

        499KB

        MD5

        87ac1f492527b5d2c5fff3f2f88c7979

        SHA1

        ba88ad533db0ec894e186730cd060cdc91c47767

        SHA256

        2a16bd13e1305d9787e2e05a1120bdeb36c9d60dbeb958aed3604822436b0b84

        SHA512

        fca1c6017193abc507e3bae9504f3107aceade99a02410074338e16834378cbb3968faf2fcd294991af8f07ae018a915cac34f90ff8546a67143e78711304ce1

        Download Submit

      • memory/2000-161-0x0000000000400000-0x0000000001438000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/2084-166-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2084-24-0x0000000000401000-0x0000000000412000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2084-21-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/2196-85-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-79-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-83-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-81-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-77-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-75-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-74-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-89-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-91-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-69-0x0000000002540000-0x00000000025AA000-memory.dmp

        Filesize

        424KB

        Download

      • memory/2196-72-0x0000000004A10000-0x0000000004FB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2196-93-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-95-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-87-0x0000000005000000-0x0000000005063000-memory.dmp

        Filesize

        396KB

        Download

      • memory/2196-73-0x0000000005000000-0x0000000005068000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2536-165-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2536-28-0x0000000000400000-0x000000000052D000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2676-127-0x0000000000400000-0x0000000001438000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/3140-124-0x0000000000400000-0x0000000001438000-memory.dmp

        Filesize

        16.2MB

        Download

      • memory/4896-144-0x0000000000400000-0x0000000000A39000-memory.dmp

        Filesize

        6.2MB

        Download