Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 01:52
Behavioral tasks (task: sample, resource)
- behavioral1: 65975f0ec8f73437db3a5374b09a441b_JaffaCakes118.exe, win7-20240508-en
- behavioral2: 65975f0ec8f73437db3a5374b09a441b_JaffaCakes118.exe, win10v2004-20240508-en
- behavioral3: $PLUGINSDIR/System.dll, win7-20240221-en
- behavioral4: $PLUGINSDIR/System.dll, win10v2004-20240508-en
- behavioral5: Tools/modules/bugreport.hta, win7-20240221-en
- behavioral6: Tools/modules/bugreport.hta, win10v2004-20240508-en
- behavioral7: Tools/run.hta, win7-20240508-en
- behavioral8: Tools/run.hta, win10v2004-20240426-en
- behavioral9: config.js, win7-20240419-en
- behavioral10: config.js, win10v2004-20240426-en
- behavioral11: drp.js, win7-20240221-en
- behavioral12: drp.js, win10v2004-20240426-en
- behavioral13: js/soft.js, win7-20231129-en
- behavioral14: js/soft.js, win10v2004-20240508-en
- behavioral15: languages/ar.js, win7-20240221-en
- behavioral16: languages/ar.js, win10v2004-20240426-en
- behavioral17: languages/az.js, win7-20240221-en
- behavioral18: languages/az.js, win10v2004-20240508-en
- behavioral19: languages/be.js, win7-20240220-en
- behavioral20: languages/be.js, win10v2004-20240508-en
- behavioral21: languages/bg.js, win7-20240508-en
- behavioral22: languages/bg.js, win10v2004-20240426-en
- behavioral23: languages/bn.js, win7-20240221-en
- behavioral24: languages/bn.js, win10v2004-20240508-en
- behavioral25: languages/ca.js, win7-20240508-en
- behavioral26: languages/ca.js, win10v2004-20240508-en
- behavioral27: languages/cs.js, win7-20240215-en
- behavioral28: languages/cs.js, win10v2004-20240226-en
- behavioral29: languages/de.js, win7-20231129-en
- behavioral30: languages/de.js, win10v2004-20240426-en
- behavioral31: languages/el.js, win7-20240215-en
- behavioral32: languages/el.js, win10v2004-20240426-en
General
- Target: Tools/run.hta
- Size: 2KB
- MD5: d0e69969ac10cee9ac933c3223542059
- SHA1: 7f9246b3bcb6f1cf1b5d9f26ad7a747dc4fbceb3
- SHA256: 11abb36beb797e400f6d5fc924f8ae07f40ec41aeb1b1b43f6583bb60a875cd5
- SHA512: 4bd2df510345263952df26c7b6c9f2fc57e1af4046919d68f8a9aa3c8b1d60127a4bef6b75bf915710287e8a1e442437dde135eb3ac7d4dc10321ffbf97dc2d6
Malware Config
Signatures
- Blocklisted process makes network request (18 IoCs)
  Processes: mshta.exe (PID 1484), network flows 4, 5, 7, 10, 13, 14, 15, 17, 18, 20, 22, 26, 27, 28, 29, 32, 33, 34
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  Processes: netsh.exe (PID 2752), netsh.exe (PID 1440)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes: mshta.exe created registry key \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main
- Runs net.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (source PID/process wrote to memory of target PID/process):
  PID 1484 mshta.exe -> PID 872 cmd.exe (4 events)
  PID 872 cmd.exe -> PID 2752 netsh.exe (4 events)
  PID 1484 mshta.exe -> PID 2800 cmd.exe (4 events)
  PID 2800 cmd.exe -> PID 1440 netsh.exe (4 events)
  PID 1484 mshta.exe -> PID 2396 net.exe (4 events)
  PID 2396 net.exe -> PID 1208 net1.exe (4 events)
  PID 1484 mshta.exe -> PID 1932 rundll32.exe (7 events)
Processes (process tree; nesting shows parent/child)
- C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Tools\run.hta"
  Signatures: Blocklisted process makes network request; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_57414.txt""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
      Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Tools\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_94275.txt""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\Tools\tools\aria2c.exe"
      Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" start wscsvc
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start wscsvc
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 kernel32,Sleep
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\collect[1].gif
  Filesize: 35B
  MD5: 28d6814f309ea289f847c69cf91194c6
  SHA1: 0f4e929dd5bb2564f7ab9c76338e04e292a42ace
  SHA256: 8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
  SHA512: 1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\allfont[1].htm
  Filesize: 175B
  MD5: 5255b05e221a2ee9e73b8d9ca6eaa4ad
  SHA1: 28d5fbabcdcc49246e71721c45d49a0dd025cb0b
  SHA256: ed2ae741d3478834f11bdecc1f4a8e179bc295a99e489936befac5ee4eaf4cc5
  SHA512: 59941bf156a18037f99367a8455137ffaad3ca0d2da6b3b604e6d17caa4299789b463908cf812e07477aee07e7a6fd4b7fcbad598ffb48d57a76a018da368e05
- C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_57414.txt
  Filesize: 9B
  MD5: 02466847c63e90c5041b8dd7990dce27
  SHA1: fdcf71f16e2efcb8815730b4cca5f580b185cf5c
  SHA256: 195418a93d769a17558aa804568eff487979e62d0731aa8c63d8d0ffc1723321
  SHA512: 86b11957db369afa71831c72848b897aafd155887467a377484d0346dcaeaac88476cad2331e34a24e7f8ac3a07335dd1e639ae27bfa0d4491dcc6a48a7e6ff3