Overview

overview

8

Static

static

3

42a47f02b9...18.exe

windows7-x64

1

42a47f02b9...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42a47f02b90e98334963bee3580aed3e_JaffaCakes118.exe

  • Size

    45KB

  • MD5

    42a47f02b90e98334963bee3580aed3e

  • SHA1

    4a8026b7a343ed91349206366e0be1e462d51f67

  • SHA256

    bb3b38a2fd89ba150c65b2161d549e952513348d41f4754d1991c51da01a6c3a

  • SHA512

    d35d685bec07c6f9c809c3794debe2f54f163fb558dc55234182676d8d45cb88f0f258743cd3084a71d9723d5bef6b949b0f152cead66a0f736ccfa7e1d008df

  • SSDEEP

    768:1hXsWnz5bu8Zhj71vCzSBmLJXR002jt5Y029tzePAvTHkLFv+QOU:znYCtB0BGh29tzeovwx+g

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\42a47f02b90e98334963bee3580aed3e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\42a47f02b90e98334963bee3580aed3e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4616 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1616
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\1.inf
          4⤵
            PID:4328
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\lua\2.bat
            4⤵
            • Enumerates connected drives
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:4804
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
              5⤵
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              PID:924
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?S"" /f
              5⤵
              • Modifies Internet Explorer settings
              • Modifies Internet Explorer start page
              PID:3388
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?S"" /f
              5⤵
                PID:2368
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
                5⤵
                • Modifies registry class
                PID:2340
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\lua\3.bat""" /f
                5⤵
                • Modifies registry class
                PID:448
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
                5⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:3900
              • C:\Windows\SysWOW64\attrib.exe
                attrib +s +h C:\Users\Admin\AppData\Roaming\lua\tmp
                5⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1740
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\lua\2.inf
                5⤵
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:3348
                • C:\Windows\SysWOW64\runonce.exe
                  "C:\Windows\system32\runonce.exe" -r
                  6⤵
                  • Checks processor information in registry
                  • Suspicious use of WriteProcessMemory
                  PID:432
                  • C:\Windows\SysWOW64\grpconv.exe
                    "C:\Windows\System32\grpconv.exe" -o
                    7⤵
                      PID:3220
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 D:\VolumeDH\inj.dat,MainLoad
                  5⤵
                    PID:220
            • C:\Users\Admin\AppData\Local\Temp\inlC2EF.tmp
              C:\Users\Admin\AppData\Local\Temp\inlC2EF.tmp
              2⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4940
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlC2EF.tmp > nul
                3⤵
                  PID:708
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\42A47F~1.EXE > nul
                2⤵
                  PID:2828

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\favicon[1].htm
                Filesize

                802B

                MD5

                b4f7d6a0d3f6605440a1f5574f90a30c

                SHA1

                9d91801562174d73d77f1f10a049c594f969172a

                SHA256

                e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

                SHA512

                c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
                Filesize

                903B

                MD5

                a895dff7b4822dbeacbc624df35b115f

                SHA1

                1ecec3bde42582d1841755d6f27ee707c97fbf1e

                SHA256

                a4d15f9e35eea6a8df381f1755660210afc596d97b2babd65132d2261769c5c0

                SHA512

                340b00695153e29ea71726c45482c1923765e4b93c8fdfa243dc575014711f8b27e9e29b1ccce4d86349dab4422f6c72e73cef049cd53c4a8657c5dfbb929f29

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp_ext.bat
                Filesize

                50B

                MD5

                e08ad52d3d132292f9c51e7cfec5fe08

                SHA1

                269f7eb185a9ff02664297bfb6f5df9f86ec10f0

                SHA256

                bd2a3003fb1f771283b30a044c49aecb72bfdff4322330337dba4992ecd198f4

                SHA512

                3dc0331f3ee9a57de7bda71a94953239bc7033a130f2b783b35d17ce3ed7b7928c154323d10ba81bd81d3bfd2d7c123cec55f5178d2b44286c2f857ccd6a1722

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\1.bat
                Filesize

                2KB

                MD5

                582695c0131019067973d3870c8c9bca

                SHA1

                575da5536074707385418985375d6735fec7de77

                SHA256

                4dd7bb56ca6f2e48cd57ceafcd79ff31c11ce2d474d777ee5c9e16c5bfbf3e9c

                SHA512

                ea59965f427ca826734115290e42ed9a2b7db66853474a735c0add16b5e0f2e799fe7586aa2114443797d3ea02c09e36523d072dc12be38c9be5ddbab6083231

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\1.inf
                Filesize

                410B

                MD5

                66a1f0147fed7ddd19e9bb7ff93705c5

                SHA1

                9d803c81ea2195617379b880b227892ba30b0bf6

                SHA256

                4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

                SHA512

                cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\2.bat
                Filesize

                3KB

                MD5

                2cc7ab0e0e60b07b036165b5359b4f29

                SHA1

                ce5d46d531e37bb52ac4983c061963223b043052

                SHA256

                52ed22e575304c981f0f44c771fdd7d4fe185ecfba4ff9e3ac24986686e58be9

                SHA512

                35bb22bf0c253a0d099f6fbf92ebea36714a674459f7185bce8267aee79ddceeef010a86b3e0f5a1aa9af0d7d3843c4a905a171529e19472543c916b7c926746

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\2.inf
                Filesize

                244B

                MD5

                524023ba7f18bfc502d22dbaade4571e

                SHA1

                fc118e1284db4e36da41d5cc4496ffa9a8b7cd2e

                SHA256

                5d170c83ca9a16ed7f62145099b3b8b0c0a1d4187e60bb0719754cb6ed40fc4c

                SHA512

                22384a0854a9949209444d9e7af3016327ad698e56797af246e02604b880949f40c7f4627303c11d73581c681b93bcee285b3937d4088c61107b9ec73901bdbc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\lua\4.bat
                Filesize

                44KB

                MD5

                453848f2584f3077097aeb0184db57f9

                SHA1

                1adae922e19383e1c384effe8b9e5e6068b6879f

                SHA256

                eb5142d209e1e8ab8124fb2a6163e814d828d6bd2892aa0c64e5008835f64a9f

                SHA512

                fd6e93bccb2d020b250aeb56c557a922118ac9ed5821607e05fe29c2d74a766f430f6b00ec5668ecfe3f69d31cb67d199047ffef1f6da26ee791e5a36df3ff07

                Download Submit

              • memory/944-0-0x0000000000FB0000-0x0000000000FCF000-memory.dmp

                Filesize

                124KB

                Download

              • memory/944-1-0x0000000000D20000-0x0000000000D23000-memory.dmp

                Filesize

                12KB

                Download

              • memory/944-5-0x0000000000FB0000-0x0000000000FCF000-memory.dmp

                Filesize

                124KB

                Download

              • memory/944-7-0x0000000000D20000-0x0000000000D23000-memory.dmp

                Filesize

                12KB

                Download

              • memory/944-134-0x0000000000FB0000-0x0000000000FCF000-memory.dmp

                Filesize

                124KB

                Download

              • memory/4616-87-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-79-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-69-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-68-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-65-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-75-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-77-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-83-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-85-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-92-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-93-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-94-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-91-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-62-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-100-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-95-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-86-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-84-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-82-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-81-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-80-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-67-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-71-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-70-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-64-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-63-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-60-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-55-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-56-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-54-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-52-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-59-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-105-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-104-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-110-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-108-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-107-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-106-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-58-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-57-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/4616-51-0x00007FFF50010000-0x00007FFF5007E000-memory.dmp

                Filesize

                440KB

                Download