90c796b0b888f5e115fb2bd58bcff1e2c5750afd0ddec9ac1f1aa45dc53c35bd

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
Size

48KB
MD5

0f647230b9bd51043647d144ad498dbc
SHA1

34dd3053083e47a1f7c98e566afeb70d5f31a4cb
SHA256

90c796b0b888f5e115fb2bd58bcff1e2c5750afd0ddec9ac1f1aa45dc53c35bd
SHA512

443f32709b425e17e558676e182f75d43e7c6dde07427b2e278c09b7514bcc98d94eea9c85282d721948d7769c68c00f83c0c42826279c08f1868688231deaac
SSDEEP

768:KrpBCq7CL/yvmS3AoHXTCZ/KcUtS8brv7LE/ithQhHr/:KJp3Ao3Tg/jUNU/4wD

Score

10^/10

evasion execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	coiome.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	coiome.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sgcscvy\\coiome.exe"	mshta.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
File created	C:\Program Files (x86)\CDG.hta	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sgcscvy	coiome.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
556	sc.exe
2600	sc.exe
2736	sc.exe
2772	sc.exe
2412	sc.exe
240	sc.exe
1672	sc.exe
2916	sc.exe
2876	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
2292	taskkill.exe
2440	taskkill.exe
1184	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command	coiome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HTTP\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"	coiome.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2560	coiome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2560	coiome.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1840	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	28
PID 2164 wrote to memory of 1840	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	28
PID 2164 wrote to memory of 1840	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	28
PID 2164 wrote to memory of 1840	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	28
PID 2164 wrote to memory of 1896	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 1896	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 1896	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	29
PID 2164 wrote to memory of 1896	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	29
PID 1896 wrote to memory of 2292	1896	cmd.exe	31
PID 1896 wrote to memory of 2292	1896	cmd.exe	31
PID 1896 wrote to memory of 2292	1896	cmd.exe	31
PID 1896 wrote to memory of 2292	1896	cmd.exe	31
PID 2164 wrote to memory of 2560	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2560	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2560	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	33
PID 2164 wrote to memory of 2560	2164	0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe	33
PID 2560 wrote to memory of 2404	2560	coiome.exe	35
PID 2560 wrote to memory of 2404	2560	coiome.exe	35
PID 2560 wrote to memory of 2404	2560	coiome.exe	35
PID 2560 wrote to memory of 2404	2560	coiome.exe	35
PID 2560 wrote to memory of 2416	2560	coiome.exe	36
PID 2560 wrote to memory of 2416	2560	coiome.exe	36
PID 2560 wrote to memory of 2416	2560	coiome.exe	36
PID 2560 wrote to memory of 2416	2560	coiome.exe	36
PID 2404 wrote to memory of 2412	2404	cmd.exe	39
PID 2404 wrote to memory of 2412	2404	cmd.exe	39
PID 2404 wrote to memory of 2412	2404	cmd.exe	39
PID 2404 wrote to memory of 2412	2404	cmd.exe	39
PID 2416 wrote to memory of 2440	2416	cmd.exe	40
PID 2416 wrote to memory of 2440	2416	cmd.exe	40
PID 2416 wrote to memory of 2440	2416	cmd.exe	40
PID 2416 wrote to memory of 2440	2416	cmd.exe	40
PID 2560 wrote to memory of 1492	2560	coiome.exe	41
PID 2560 wrote to memory of 1492	2560	coiome.exe	41
PID 2560 wrote to memory of 1492	2560	coiome.exe	41
PID 2560 wrote to memory of 1492	2560	coiome.exe	41
PID 1492 wrote to memory of 1184	1492	cmd.exe	43
PID 1492 wrote to memory of 1184	1492	cmd.exe	43
PID 1492 wrote to memory of 1184	1492	cmd.exe	43
PID 1492 wrote to memory of 1184	1492	cmd.exe	43
PID 2560 wrote to memory of 2696	2560	coiome.exe	44
PID 2560 wrote to memory of 2696	2560	coiome.exe	44
PID 2560 wrote to memory of 2696	2560	coiome.exe	44
PID 2560 wrote to memory of 2696	2560	coiome.exe	44
PID 2696 wrote to memory of 240	2696	cmd.exe	46
PID 2696 wrote to memory of 240	2696	cmd.exe	46
PID 2696 wrote to memory of 240	2696	cmd.exe	46
PID 2696 wrote to memory of 240	2696	cmd.exe	46
PID 2560 wrote to memory of 2020	2560	coiome.exe	47
PID 2560 wrote to memory of 2020	2560	coiome.exe	47
PID 2560 wrote to memory of 2020	2560	coiome.exe	47
PID 2560 wrote to memory of 2020	2560	coiome.exe	47
PID 2020 wrote to memory of 556	2020	cmd.exe	49
PID 2020 wrote to memory of 556	2020	cmd.exe	49
PID 2020 wrote to memory of 556	2020	cmd.exe	49
PID 2020 wrote to memory of 556	2020	cmd.exe	49
PID 2560 wrote to memory of 1860	2560	coiome.exe	50
PID 2560 wrote to memory of 1860	2560	coiome.exe	50
PID 2560 wrote to memory of 1860	2560	coiome.exe	50
PID 2560 wrote to memory of 1860	2560	coiome.exe	50
PID 1860 wrote to memory of 2600	1860	cmd.exe	52
PID 1860 wrote to memory of 2600	1860	cmd.exe	52
PID 1860 wrote to memory of 2600	1860	cmd.exe	52
PID 1860 wrote to memory of 2600	1860	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\CDG.hta"
  2⤵
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe
  "C:\Program Files (x86)\Common Files\sgcscvy\coiome.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im iejore.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im iejore.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im conime.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im conime.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop LYTC
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\sc.exe
      sc stop LYTC
      4⤵
      Launches sc.exe
      PID:240
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop Messenger
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\sc.exe
      sc stop Messenger
      4⤵
      Launches sc.exe
      PID:556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete Messenger
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\sc.exe
      sc delete Messenger
      4⤵
      Launches sc.exe
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete LYTC
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\sc.exe
      sc delete LYTC
      4⤵
      Launches sc.exe
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop IE_WinserverName
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\sc.exe
      sc stop IE_WinserverName
      4⤵
      Launches sc.exe
      PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete IE_WinserverName
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\sc.exe
      sc delete IE_WinserverName
      4⤵
      Launches sc.exe
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop HidServ
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\sc.exe
      sc stop HidServ
      4⤵
      Launches sc.exe
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete HidServ
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\sc.exe
      sc delete HidServ
      4⤵
      Launches sc.exe
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
      4⤵
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\0f647230b9bd51043647d144ad498dbc_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CDG.hta

Filesize
780B

MD5
439e3753d54e5bb10bbacae5d707d2bc

SHA1
4a66f505f560db1c896fd1b65309ddc1befdd27f

SHA256
db72cdc20e0fd6377d92873dcdf739968780ef4f1fa4e2401f18ef84829fd9b2

SHA512
5697558df2ce7151dccd7393ca66aac544ba767fa6875cfed8629b38d3efa56aef4073395d48e6bb38eedcdd42ff5bdae4f7974f709e26b6f4d55131390f89f7

Download Submit
\Program Files (x86)\Common Files\sgcscvy\coiome.exe

Filesize
4.0MB

MD5
96b98b3d53b95814181ce20d4b402a26

SHA1
1fb1f03f7607510f68f072306723bd917791ee32

SHA256
97ec8b32ded2564109be13b047877b33a964dbc126c3cbc363de5fd3dcfd7091

SHA512
ecd8cf8795506edde9032f3ac3b83c28eb74a699b38823ffe579cc0235e8cee5f860231c07f1a21d8d8d34e9dd49bc7223c1318dfbc8801a8ecd8ea90c432ec7

Download Submit