b860f598a2550bb42b2aa77aed81e106cd36c50975a71b8288871ae61482e7a0

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Size

542KB
MD5

0f562ef0200664bc779e2e2569337a14
SHA1

b545b0ff555c09326d27adbd3cf8e5964e230baf
SHA256

b860f598a2550bb42b2aa77aed81e106cd36c50975a71b8288871ae61482e7a0
SHA512

17c357bc7c54a09806dcbb1903e9c61bcd2a13ebd6e56901054b7db2d462e951e8dee35aad04aa2366f78402edd09fe7d5465d4b6ff64d1f4f1444334d736a75
SSDEEP

12288:wI5AA6NtlKQOeJVU9E3wleUeRYm8sz+OQK4JQ8uhWsSL:HApTOeTU9E3wsUeFznQJhue

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	aspeeder.exe

Loads dropped DLL 3 IoCs

pid	Process
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\TypedURLs	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.dh234.com/"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "http://www.dh234.com/ghost.html"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "ÍøÖ·µ¼º½"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "°Ù¶ÈËÑË÷"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.dh234.com/"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=dh234_pg"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "ÍêÃÀÏµÍ³ÏÂÔØ"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.dh234.com/"	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2652	aspeeder.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe
2652	aspeeder.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	aspeeder.exe
2652	aspeeder.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2652	1556	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe	82
PID 1556 wrote to memory of 2652	1556	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe	82
PID 1556 wrote to memory of 2652	1556	0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f562ef0200664bc779e2e2569337a14_JaffaCakes118.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\A±äËÙÆ÷\aspeeder.exe
  C:\Users\Admin\AppData\Local\Temp\A±äËÙÆ÷\aspeeder.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A±äËÙÆ÷\JSHJ.dll

Filesize
52KB

MD5
543df5cc612f10d753b823a893c5b636

SHA1
60d8df3b1cd3d1cd8316a8ec3c4fb1a98ec13139

SHA256
35fa8c59e3480e5b26e7334ec91e8318130f68583fc2e3ae04f824357271ea63

SHA512
cb9b22c493f8e9a3188b35570a3bb091508fc2e41e4852eeaf17f0e9eeddeb0e68c717a9f3eaacd2c935aba9c6366e5f2d9258b38cacf9a5a5a5e02abf8d494d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A±äËÙÆ÷\WINIO.DLL

Filesize
48KB

MD5
6d113aa35a8c79b236751e4ccf2b7751

SHA1
b4ac97768512acd31e4a824b6595ec2163db7972

SHA256
d2eb2a40174b9adb3abc768af7fa80882cd1e2ad22303fe4448db89509ac392b

SHA512
f83209d9e98395ae6127f247b7f68167708c1af789a332695feed0f7879d8a83405eed3c3e860e482cebc704a613563bcadfaa8a2986e348d85e50a2e0b3fb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\A±äËÙÆ÷\aspeeder.exe

Filesize
1.0MB

MD5
0b99f927d85b0d20e548183a860afaa0

SHA1
5fff765df471ef83b370c92a12f56789dda2cb1f

SHA256
c6eb445c422dda11d1094d927cc0f45446a7e954e72be6e3bfce81ef24f23c0f

SHA512
f3290b60c149a70bf54786a2b447dbd0e94f9a16c901047a7109d4562410104dc54d6a9f7ef9a1ccc2bdd80e5b5094b8a098bb304cc2a068015e9472fb15b91c

Download Submit
memory/2652-28-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2652-29-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2652-35-0x00000000033C0000-0x00000000033D3000-memory.dmp

Filesize
76KB

Download
memory/2652-36-0x00000000033C0000-0x00000000033D3000-memory.dmp

Filesize
76KB

Download
memory/2652-38-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2652-39-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2652-40-0x00000000033C0000-0x00000000033D3000-memory.dmp

Filesize
76KB

Download
memory/2652-51-0x00000000033C0000-0x00000000033D3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads