Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 14:48
Behavioral task
behavioral1
Sample
AutoJail v1.0.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
AutoJail v1.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
jail.pyc
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
jail.pyc
Resource
win10v2004-20240508-en
General
-
Target
jail.pyc
-
Size
17KB
-
MD5
6f6b9caab4669be8e62c0a6e2b7d7057
-
SHA1
5bdedf9f36c6023b898126f546682d59da225fbf
-
SHA256
930666a4e7556155bc966ceb5c0e440b87628e926532b894897f50dd8e2ac76a
-
SHA512
cda3a40db4c1187629b5a8cd8d2542e5ccb48aa5ecf2e787ee9128479044dc9a05a785069a49c38dfa3cb6f52489beff19f062ece18838311216c5aa560a4db3
-
SSDEEP
48:SDK4RawasLu4nnm2i56Qey3B18lhPolwERKNmMLhZdfasmL4fv1KSfAAmL4fv1KI:7IasLuem2i5Yy3H1lwERImMLhZXFD
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7b9d822a7ba1da01 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{4B5F3796-A549-4F99-91B8-0542E04EF588}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1D19D435-1B6F-11EF-BCA5-56103091DE06} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Modifies registry class 13 IoCs
Processes:
iexplore.exeOpenWith.execmd.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell\open OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.pyc OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.pyc\ = "pyc_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell\open\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell\open\CommandId = "IE.File" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\pyc_auto_file\shell OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
OpenWith.exeOpenWith.exepid process 4240 OpenWith.exe 3056 OpenWith.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
iexplore.exepid process 2560 iexplore.exe 2560 iexplore.exe 2560 iexplore.exe 2560 iexplore.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
Processes:
OpenWith.exeiexplore.exeIEXPLORE.EXEOpenWith.exeIEXPLORE.EXEpid process 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 4240 OpenWith.exe 2560 iexplore.exe 2560 iexplore.exe 4848 IEXPLORE.EXE 4848 IEXPLORE.EXE 3056 OpenWith.exe 3056 OpenWith.exe 3056 OpenWith.exe 3056 OpenWith.exe 3056 OpenWith.exe 2560 iexplore.exe 2560 iexplore.exe 4824 IEXPLORE.EXE 4824 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
OpenWith.exeiexplore.exeOpenWith.exedescription pid process target process PID 4240 wrote to memory of 2560 4240 OpenWith.exe iexplore.exe PID 4240 wrote to memory of 2560 4240 OpenWith.exe iexplore.exe PID 2560 wrote to memory of 4848 2560 iexplore.exe IEXPLORE.EXE PID 2560 wrote to memory of 4848 2560 iexplore.exe IEXPLORE.EXE PID 2560 wrote to memory of 4848 2560 iexplore.exe IEXPLORE.EXE PID 3056 wrote to memory of 4760 3056 OpenWith.exe iexplore.exe PID 3056 wrote to memory of 4760 3056 OpenWith.exe iexplore.exe PID 2560 wrote to memory of 4824 2560 iexplore.exe IEXPLORE.EXE PID 2560 wrote to memory of 4824 2560 iexplore.exe IEXPLORE.EXE PID 2560 wrote to memory of 4824 2560 iexplore.exe IEXPLORE.EXE -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\jail.pyc1⤵
- Modifies registry class
PID:972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jail.pyc2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4848 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:82948 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4824
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jail.pyc2⤵
- Modifies Internet Explorer settings
PID:4760