Analysis

  • max time kernel
    6s
  • max time network
    8s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 09:20

Errors

Reason
Machine shutdown (the run ended after about 6 s because the sample forced an immediate reboot with shutdown /r /t 0 /f; see Processes)

General

  • Target

    8681d7bd5c2d5ceff7611cb07ea020c1_JaffaCakes118.vbs

  • Size

    11KB

  • MD5

    8681d7bd5c2d5ceff7611cb07ea020c1

  • SHA1

    28827a904d6c9808aa0ba72a1fe2c4a0930ebdf0

  • SHA256

    8002d87b9e8d6211c4748894cdb039eee927bc5777d3c5db52409e8cbab31715

  • SHA512

    b6891de86f450b06e19a76ee6488d61b5af326dc076475c87d64b64c053baca00c4d8a8ad80fe73e67ca032593e49e4c932e4531a619d4bc3262eb9db7d61d4b

  • SSDEEP

    192:E9FeVYIAvL5ojSBcaRZpA4zeOI4KhMort6lI4Ob6F7Nz1lSA9HYBzv++365q:EeVaqjSBd64KXtD4ObUTSA9y3kq

Score
10/10

Malware Config

Signatures

  • Lampion

    Lampion is a banking trojan targeting Portuguese-speaking countries.

  • Blocklisted process makes network request (7 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS (15 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8681d7bd5c2d5ceff7611cb07ea020c1_JaffaCakes118.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Windows\System32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Roaming\hioeugwdmxz.vbs
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Windows\system32\shutdown.exe
          shutdown /r /t 0 /f
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5708
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39be055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5448
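
The chain worth detecting in this tree is WScript.exe running the submitted .vbs, handing off to a second wscript.exe that executes a dropped script under %APPDATA%\Roaming, which then reboots the machine through cmd.exe and shutdown /r /t 0 /f. That forced reboot is also why the analysis ended with "Machine shutdown" after a few seconds, so what the dropped startup file and the 311-byte executable under AppData\Roaming do at the next logon is not visible in this report. The following is an added example, not part of the Triage report and not code from the sample: it runs two rules over process-creation events constructed to mirror this tree. The PIDs and command lines of the malicious chain are copied from the page; the Sysmon-like field names (pid, ppid, image, cmdline), the parent PIDs of the root processes and the benign control events are assumptions made for the example.

```python
"""Detection logic for the script-host reboot chain in the process tree above.

Added example, not part of the Triage report or of the sample. The event
records mimic a Sysmon-style process-creation feed (pid, ppid, image,
cmdline); PIDs and command lines of the malicious chain are copied from
the report, while parent PIDs of the root processes and the benign
control events are constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+\.vbs', re.IGNORECASE)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def _ancestors(pid: int, by_pid: dict):
    """Yield the parent chain of pid, stopping at unknown parents or cycles."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        yield ev


def find_script_host_relaunch(events):
    """Rule 1: a script host spawned by another script host to run a .vbs
    from the user profile (the dropper handing off to the script it wrote)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if _name(e.image) not in SCRIPT_HOSTS or parent is None:
            continue
        if _name(parent.image) not in SCRIPT_HOSTS:
            continue
        paths = SCRIPT_PATH_RE.findall(e.cmdline)
        if not paths or "\\appdata\\" not in paths[-1].lower():
            continue
        hits.append({"pid": e.pid, "parent_pid": parent.pid, "script": paths[-1]})
    return hits


def _shutdown_args(cmdline: str):
    """Parse shutdown.exe switches: (reboot-or-poweroff, forced, timeout seconds)."""
    args = cmdline.lower().split()
    timeout = None
    for i, a in enumerate(args):
        if a == "/t" and i + 1 < len(args) and args[i + 1].isdigit():
            timeout = int(args[i + 1])
    return ("/r" in args or "/s" in args), ("/f" in args), timeout


def find_script_forced_reboot(events):
    """Rule 2: shutdown.exe rebooting or powering off with a script host among
    its ancestors; /f with a zero timeout is the abrupt reboot seen above."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "shutdown.exe":
            continue
        halting, forced, timeout = _shutdown_args(e.cmdline)
        if not halting:
            continue
        host = next((a for a in _ancestors(e.pid, by_pid)
                     if _name(a.image) in SCRIPT_HOSTS), None)
        if host is None:
            continue
        hits.append({"shutdown_pid": e.pid, "script_host_pid": host.pid,
                     "forced": forced, "timeout": timeout})
    return hits


# Constructed events: the malicious chain from the report (PIDs 3500, 1232,
# 4260, 5708) plus a benign explorer -> cmd -> shutdown control (7000-7002).
# Parent PIDs 7000 and 500 are assumptions, not from the report.
EVENTS = [
    ProcEvent(7000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3500, 7000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8681d7bd5c2d5ceff7611cb07ea020c1_JaffaCakes118.vbs"'),
    ProcEvent(1232, 3500, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Roaming\hioeugwdmxz.vbs"),
    ProcEvent(4260, 1232, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f'),
    ProcEvent(5708, 4260, r"C:\Windows\system32\shutdown.exe", "shutdown /r /t 0 /f"),
    ProcEvent(7001, 7000, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent(7002, 7001, r"C:\Windows\system32\shutdown.exe", "shutdown /r /t 0"),
]

if __name__ == "__main__":
    for hit in find_script_host_relaunch(EVENTS) + find_script_forced_reboot(EVENTS):
        print(hit)
```

On real telemetry the same fields come from Sysmon Event ID 1 (ProcessCreate: ProcessId, ParentProcessId, Image, CommandLine); the benign control shows that an administrator's interactive reboot does not fire rule 2 because no script host sits in its ancestry.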

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry, T1012 (1)
  • System Information Discovery, T1082 (2)


Downloads

  • C:\Users\Admin\AppData\Roaming\91859486520290\sqbpfjhxpzmimuvaj65881948351859.exe
    Filesize

    311B

    MD5

    a4fe2d959f9b12b98f3e398611520bee

    SHA1

    94ba202b5724e0c7f8c80ff791cb53acc5f7c188

    SHA256

    bca7a66cfa7255ab7276bcb631c41f1d5d68553d3ab92a581dc2265391b52f79

    SHA512

    d00162ceb44561043032fa1543a8f77ab90b4cda5b435630512c0f28b69528bcb8b2692c349215e49f315698b41896de28598fd09c820f1c6d42b4c921b12530

  • C:\Users\Admin\AppData\Roaming\hioeugwdmxz.vbs
    Filesize

    675B

    MD5

    88448a4dfdcfd268e941a7130efe68c1

    SHA1

    eb92812367e7bea92d3a242436c6118944e47d13

    SHA256

    3d29fa4ea423767279ad4387d09a13e2fc3a7e739e9b81b5ba1ce5b39ae8a897

    SHA512

    8b9b2ecaa385e0160cfd523b7e9ad193716c8037fc6e4d7d555a8a504412c8304f06da2e23c6a557bd7596f2d25bccd717f7616ea9a98cef3a0c325743341011