banload | a69a6db6be2046090b294c59880230409167a82fe824b235af90506accd9c1ee

General

Target

3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Size

2.9MB
MD5

3e41579ead92ce8368b2c1985539d510
SHA1

a20ae14e51b16b27b285d020aaa014ec94fb4bdb
SHA256

a69a6db6be2046090b294c59880230409167a82fe824b235af90506accd9c1ee
SHA512

c9ee45be8c2e00e66668831af1bb5479c603e387f02d6a41c4bbeb9c524b85bdc92f29d06f8bfc35746b2cfd8758d68fd64dca4359ec83f25eecf4377bff414b
SSDEEP

49152:1cuumjkA07OTRsaSfpwXTLWi5zPqEMorqXsomXVw2sAMKd70fwkuGn37:1cdAQindcEMor6m7Gwq

Score

10^/10

banload downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX, 16"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\MiscStatus\1\ = "131473"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\InprocServer32\InprocServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\InprocServer32\ThreadingModel = "Apartment"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\MiscStatus\ = "0"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Programmable	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\TypeLib	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\ = "Microsoft Slider Control, version 6.0"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\MiscStatus	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\MiscStatus\1	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Version\ = "2.0"	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\InprocServer32	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\ToolboxBitmap32	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79E636ED-FEB2-A50F-86EA-5164CDFC417E}\Version	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1684	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1684	3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e41579ead92ce8368b2c1985539d510_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-0-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-1-0x0000000002540000-0x0000000002746000-memory.dmp

Filesize
2.0MB

Download
memory/1684-8-0x0000000002540000-0x0000000002746000-memory.dmp

Filesize
2.0MB

Download
memory/1684-13-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-15-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-16-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-14-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-17-0x0000000000400000-0x00000000007EB000-memory.dmp

Filesize
3.9MB

Download
memory/1684-18-0x0000000002540000-0x0000000002746000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing