Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/06/2024, 09:53

General

  • Target

    04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe

  • Size

    96KB

  • MD5

    04ec53a1c638d330d93daf8b7bfaadad

  • SHA1

    c4c17dd3d907e2482abce5577b32b53ced7112b2

  • SHA256

    1579be2c9e38abc5bcbeffc11285886aab4c535e83ed002b1866ba4ed79f95fd

  • SHA512

    bfb95ed883e813abf582983043845667699b7f131cd6cdc52bd616c009827f490f8157a0610586259af4f91d4763cf5fb9d479e5bcb0e4cc5b057dd04bf2a524

  • SSDEEP

    1536:WUsuXxpfTtbrO/A5HN+TOC+eWmcJ9J+r3:6ITtx+R+PJ8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04ec53a1c638d330d93daf8b7bfaadad_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2248
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1492
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
          4⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v ModRiskFileTypes /t REG_SZ /d .bat /f
            5⤵
            • Modifies registry key
            PID:1500
          • C:\Windows\SysWOW64\gpupdate.exe
            gpupdate /force
            5⤵
            PID:324
      • C:\Users\Admin\AppData\Local\Temp\inl5591.tmp
        C:\Users\Admin\AppData\Local\Temp\inl5591.tmp
        2⤵
        • Executes dropped EXE
        PID:1016

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

            Filesize

            915B

            MD5

            be85f25f9b7db8406cd5355970ab35a4

            SHA1

            9b3dda905d2e30940e7205846195b2d7b6636747

            SHA256

            fa23240bc8f6b3bfe2622188299e24aa286ab3d27ba0e40358f8893926a6dc59

            SHA512

            8418f4d3dca7002394e8d538d90bfe05582a2ee4b10f8526c3cbb87c8a512ee606afd0172eaf57e47bde21c0129b53a740c4e5a5ed1efa205316edc5e9ab9ea2

          • C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat

            Filesize

            50B

            MD5

            e08ad52d3d132292f9c51e7cfec5fe08

            SHA1

            269f7eb185a9ff02664297bfb6f5df9f86ec10f0

            SHA256

            bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

            SHA512

            3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

          • C:\Users\Admin\AppData\Roaming\lua\1.bat

            Filesize

            2KB

            MD5

            d720afa7c1bc6d67157c1fc5e1804f5f

            SHA1

            372cb41239edb1f4452a67b2c116cd4016b0f608

            SHA256

            fa0eaebd30bad6d62a875ff2bbd6861750cdf63ef811e620d95584337d8805e3

            SHA512

            1f4b6dffc79fbdac3868dbd9c9654374eaf28600053dcf041dcc0bbfdfb7d6610d29b8edabf0a88d3d298e8877f927c6f0600fca41ccb1e7d4aaed44ea1d3f1e

          • C:\Users\Admin\AppData\Roaming\lua\1.inf

            Filesize

            263B

            MD5

            49867388978209a322cce5e58881aaf0

            SHA1

            6f5e5702dfdd03349533784e36611015fda96484

            SHA256

            c37541cb88ecb332271fbda8f2b140d27627a898f2f2bf156b8a94ce5fefd0a8

            SHA512

            d7445933e5b4979007ac0c63d24f6d34949bc45d6595da2f2f146dcc372775f23e676f15635fd96f87a5d87668f5722e0fc494a3ca71c81b55ab1daab116f5f1

          • C:\Users\Admin\AppData\Roaming\lua\1.inf

            Filesize

            410B

            MD5

            66a1f0147fed7ddd19e9bb7ff93705c5

            SHA1

            9d803c81ea2195617379b880b227892ba30b0bf6

            SHA256

            4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

            SHA512

            cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

          • C:\Users\Admin\AppData\Roaming\lua\2.bat

            Filesize

            8KB

            MD5

            7b2cc87165c7598cd390c0f7cf4d6717

            SHA1

            04fd7ce74a29e2df543b9f3eca0bf8f82064f5af

            SHA256

            4f9d55cf344b944fd73ed63560ee9bf9130f124d593502b5a67abab2586bcd62

            SHA512

            0d8ca7b61c3a1d69b571063c2d43b623f2fac296e8f9c0dda1103212546632356aeaac6b21de1097ed54682aeccd5a68d8ef08f03f6ad0fc2bd386c7f52bc996

          • memory/2248-45-0x00000000027F0000-0x0000000002800000-memory.dmp

            Filesize

            64KB

          • memory/2436-0-0x0000000000400000-0x0000000000418000-memory.dmp

            Filesize

            96KB