958c983678883dffae16caae116896855d119a2f3bfb85f110fbba31ea6fd042

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
Size

24KB
MD5

021ac1bfb8799798473e295845325c83
SHA1

55882b92993c8cc5da6fa96ff20986179323bf52
SHA256

958c983678883dffae16caae116896855d119a2f3bfb85f110fbba31ea6fd042
SHA512

2ef0be6eecb2a43d71f03f6a3322982e58e606575f3daef4c356fa44586d7057218f35afb7eae89817d62cf34530a95766c7052fa8b02b4fb687c76162a272f4
SSDEEP

192:mC3cFNMPf3NL1juujE7si+Sx8CYdf98uCLj5Ue2wD26FY:mwcFNMPt1judQpSip9JwUe2wD2OY

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3232	attrib.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Dx = "c:\\stormliv.exe"	reg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.dxcpm.com/?5_606"	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2184	2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe	90
PID 2128 wrote to memory of 2184	2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe	90
PID 2128 wrote to memory of 2184	2128	021ac1bfb8799798473e295845325c83_JaffaCakes118.exe	90
PID 2184 wrote to memory of 3232	2184	cmd.exe	92
PID 2184 wrote to memory of 3232	2184	cmd.exe	92
PID 2184 wrote to memory of 3232	2184	cmd.exe	92
PID 2184 wrote to memory of 3356	2184	cmd.exe	93
PID 2184 wrote to memory of 3356	2184	cmd.exe	93
PID 2184 wrote to memory of 3356	2184	cmd.exe	93

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\021ac1bfb8799798473e295845325c83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\021ac1bfb8799798473e295845325c83_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Dx.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +s +h c:\stormliv.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3232
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v Dx /t REG_SZ /d c:\stormliv.exe /f
    3⤵
    - Adds Run key to start application
    PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dx.bat

Filesize
336B

MD5
b7a09283ba1c4b6f8da6f4b53f4d6538

SHA1
e6a0393c57dc6da36f2d70d3b97c88dbf1350aa9

SHA256
c03d511fc448eed1d56b6b655e45f65fcc4ce0a7b85623f53ca5001bb3fa60bb

SHA512
da1bb3d1bf88b953890cde239a8b75afbdf93fc059035c5f223f89f3555d27647de37f39717e4d8f4928b62f0043b4a67d955036313d2d762176e7559558c513

Download Submit
C:\stormliv.exe

Filesize
24KB

MD5
021ac1bfb8799798473e295845325c83

SHA1
55882b92993c8cc5da6fa96ff20986179323bf52

SHA256
958c983678883dffae16caae116896855d119a2f3bfb85f110fbba31ea6fd042

SHA512
2ef0be6eecb2a43d71f03f6a3322982e58e606575f3daef4c356fa44586d7057218f35afb7eae89817d62cf34530a95766c7052fa8b02b4fb687c76162a272f4

Download Submit