Overview

overview

8

Static

static

3

08c8f7e3cb...18.exe

windows7-x64

1

08c8f7e3cb...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/06/2024, 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08c8f7e3cb8e150c9d3a96931918903a_JaffaCakes118.exe

  • Size

    416KB

  • MD5

    08c8f7e3cb8e150c9d3a96931918903a

  • SHA1

    2fcbd3b54a7abe77fc9daed42cdebccd282361b8

  • SHA256

    9388464615cd8b99a3025429ba1e96c74c818f5e967ffd2afc43c347c211ecb3

  • SHA512

    79d171d6254b68b4eb4e8dcffb90e32caa20550f1b622ae85792feb4c6058912abca053f379e160f616de6049d7b4e95979e6d6b036e2fbad66d4162af1326f2

  • SSDEEP

    12288:RPLGaCM5Ulu+G/mXL27sIjmCNf3a/Ba7EBBV:hLJCRu+GuXZIjhf32a7ELV

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08c8f7e3cb8e150c9d3a96931918903a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\08c8f7e3cb8e150c9d3a96931918903a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Program Files (x86)f2.exe
      "C:\Program Files (x86)f2.exe"
      2⤵
      • Executes dropped EXE
      PID:3200
    • C:\Windows\SysWOW64\rundllfromwin2000.exe
      "C:\Windows\system32\rundllfromwin2000.exe" "C:\Windows\system32\wbem\weadvz60.dll",Export @install
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3972
    • C:\Windows\SysWOW64\rundllfromwin2000.exe
      "C:\Windows\system32\rundllfromwin2000.exe" "C:\Windows\system32\wbem\weadvz60.dll",Export @start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:732
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\icxsnb47.dll",ExportFunc 1001
      2⤵
      • Server Software Component: Terminal Services DLL
      • Loads dropped DLL
      PID:4704
    • C:\Windows\SysWOW64\kb20060926a.exe
      C:\Windows\system32\kb20060926a.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:4368
  • C:\WINDOWS\SysWOW64\RUNDLLFROMWIN2000.EXE
    C:\WINDOWS\SysWOW64\RUNDLLFROMWIN2000.EXE C:\WINDOWS\SYSTEM32\WBEM\WEADVZ60.DLL,Export 1087
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\coolsign\coolsign.dll
    Filesize

    112KB

    MD5

    e25063be2c7d0a6892a5789d0697a20a

    SHA1

    31daad687ccbba072144d408c8b693054426b6d5

    SHA256

    9c6baaab819eea4bc2ca846cf44de3b2f15913a33b2dc31081245ab864b99f11

    SHA512

    57f4081bbb35296f5641b50444d086eeb0184c5fb8482a2634f3582962f7344734b183fc119afdc5d7d7bfb913819295a70f9bb0099ef3446f8d246723002155

    Download Submit

  • C:\Program Files (x86)f2.exe
    Filesize

    50KB

    MD5

    f04d24275e0db8685b24d8973bf84624

    SHA1

    88cd499412ab380599137b7d27f47d528ecaa677

    SHA256

    a4fa277f28e157a4e9cd2710ff7126a1482e6a6f3c90eacbe62c6bd85a8e08c2

    SHA512

    69194065ca52cd0c62b3024f646bdcb3a8bcf67aec64d5c74770a941fafd8bb8c3d854c058c5341b03714a8d6069c2f6cda32ec068f62b23b3a0e564a8319105

    Download Submit

  • C:\WINDOWS\SysWOW64\WBEM\ocmor.dll
    Filesize

    5KB

    MD5

    7ea37288e136b0651242db284793a60f

    SHA1

    abf79f0691d56596f19755f44fc53103afeb4d03

    SHA256

    3485e7a46119e79e5feb035dc122e3b83342f6ea0a2b4fc3e8aa84afd768d220

    SHA512

    c466c97bcc9fb1ad3bbab3da7b26c4f9aa1ee6d1fd26c8f4ea8a03f1ac987b29c366a2d3e15bec30bda7297f9f8edab5cc9a37cc175af618b65da999f389beb5

    Download Submit

  • C:\Windows\SysWOW64\icxsnb47.dll
    Filesize

    231KB

    MD5

    73a8a5cda0839915902a9fdb85d1bb9f

    SHA1

    77d39c275f1ea3fb7fe31cd8130702b62a88b282

    SHA256

    9c84cc0711cc5bdc19521ec30386d92cdb3872c28055b1e8343bd5d9ceffed8e

    SHA512

    78aca2a9cf9f38560a8f8f307976e0489c150d1bc2e9f00f7cc8cf7d77a2e2bc5b9240caa772a0093a9eb8c12124300b9ccc36bf2a9220853cf2242cbe40cccf

    Download Submit

  • C:\Windows\SysWOW64\kb20060926a.exe
    Filesize

    11KB

    MD5

    40710057b6f1416d9625397803faa5ab

    SHA1

    38539f615a4c977a4946792aaf46af711ab34ae0

    SHA256

    e4361512e69f0738415424cee95fee446bd1f875297bb76613c0bff056b2698a

    SHA512

    f7687797ed982af0ac8db3123ef47e03242f3a36108ab4491c0c67894a1c649a20aedb2e2dd0da60769ce6d77d0c27c45f56e704095496f3030a8667f7ad8a88

    Download Submit

  • C:\Windows\SysWOW64\rundllfromwin2000.exe
    Filesize

    10KB

    MD5

    4936a6954ed59700a3c706f9094685ee

    SHA1

    124edd171bfc8a5c7f5fcf2147f6ff43b705bb79

    SHA256

    e598bcf79618ab6ab58b29b7a7f3e5fc01ce6c7dbefcaa308565d3d9168249fe

    SHA512

    1ef09ed6a9b22d761981e759fa2089e9c461fda4a46cba66431817bc7b75451d4639e63cd3872a71c3bf123831983590075fc924424833adf0ef491056de32ea

    Download Submit

  • C:\Windows\SysWOW64\wbem\weadvz60.dll
    Filesize

    231KB

    MD5

    7cc10e8530f72724c3a80940181accfa

    SHA1

    55bc30ceee3aaf899f9f36e0e6649a0f375d0b2b

    SHA256

    112ce1e329b913e0634635fdb003ce2c81533c001a8bcfe9d2fa4ccfda055571

    SHA512

    64817edf6e0325b9e29b7eff827ff19d58be2a3ce45047a57bf9f51ee8ba614ee5b9d1216941d9bee357098f0e6129475292ad4f6688d962b155acd1811d6093

    Download Submit

  • memory/732-23-0x0000000001000000-0x0000000001004000-memory.dmp

    Filesize

    16KB

    Download

  • memory/732-30-0x0000000001000000-0x0000000001004000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3972-16-0x0000000001000000-0x0000000001004000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3972-20-0x0000000001000000-0x0000000001004000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3976-61-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-60-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-67-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-66-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-55-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-56-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-57-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-58-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-59-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-36-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-65-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-62-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-63-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-64-0x0000000010000000-0x000000001003A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4368-54-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4368-46-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4660-35-0x0000000000400000-0x0000000000468300-memory.dmp

    Filesize

    416KB

    Download