Analysis
-
max time kernel
144s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
15/07/2024, 15:11
General
-
Target
4a350d80e40ecc4fc369741cc81496bf_JaffaCakes118.exe
-
Size
168KB
-
MD5
4a350d80e40ecc4fc369741cc81496bf
-
SHA1
cf52db48507480c8276827404e2a69b43f830407
-
SHA256
02a4f01af81b5fe28e974e8a878476a5de1b3c55488087d5d60104e7d7e3c569
-
SHA512
70c84ce887a91c07ad50b9e13f4e9e0ff75c993a69077b7ff36af80a41d5c9b3c2448dbb9812bb404c4ece4c7bc27b3828c3e1180648f2d11e9c685d3d8d9eae
-
SSDEEP
1536:AgIMXN4czoLRpCt98SaE4cku5V72O0zR1VuCEWWAERIxpE+J:BBARzSaEkuj72rzR1VuzWWCt
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a350d80e40ecc4fc369741cc81496bf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4a350d80e40ecc4fc369741cc81496bf_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\julia_fun219.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlBFA9.tmpC:\Users\Admin\AppData\Local\Temp\inlBFA9.tmp2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBFA9.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4A350D~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5be44e66c17bdbd85604668f108f2e7d9
SHA18997fa76cc75923219934a870c9a5b09a18e26b4
SHA256505848c06c633a4efcf8cd0556b5001f002ce5804a5e45c06aeb95e5f1805192
SHA512a5b8248dc9a98bce34fba840521014c0d9f5e438af27b2544f5e0c99a96570d1e192c959cca085e46b0e3e77cbe0dfdcabcb82b1d8778c29ea4887b2266232b6
-
Filesize
342B
MD5680ff12b19f061c0347260e3cdff4802
SHA176c007e48be60093af76a39fffffd9948303ea66
SHA256b0aa9efecd187311031533f078f52d137ff1411c8e379a3b4917c5f4c1c8a58c
SHA512fecb6eb672a8026f0c698ee0c7f4588a216109e1b3ec41bf4ae2a9f7436890f6cdfbb96846d6f6a500b75d0cf8a25dae41f59fac748591dfc11c4c231cad1be6
-
Filesize
342B
MD5df217bc7d93193975c37b6620b513c8e
SHA17e9ca62ea63b7275ff8eaf34cecb2e7bda35ce44
SHA256f039df66af847be7939c73e43573eb388836582df27df43c7111f3335b5cd4f2
SHA512cc3d1d454688c6767f4ccce0dd12ca31c9aaacf79e120777acf982b3e556121c52181c9d7f420c3af203a720d0340e19a7d7655cdc6a9dba8145bf99e37fef12
-
Filesize
342B
MD5ded894eab8025ba4bd639d452bdaf0bf
SHA14671099787035b5609e0c2c7df115aad445f6b60
SHA2567127280edc1c9448a892dde8bdd955574a5fbe48445ceb7888bbb8a8f241eac5
SHA512f1aa7da4706261b037d9c01b42593bc38ce5b4889fb38d3b9c4a30df734032577fa9c340a55a49e8a175b958bb9741c334ad580b5bf3ec76ea5c57f7ae408d9e
-
Filesize
342B
MD55a0424d49b6213609815cbfa25ccfcaa
SHA16a0a54bf938d8e5a6be5a52e5c71f613e02423b2
SHA256286aad1363c94bb36067c6e03a8d225fb9140de5a8f10225d149417e1a5a9155
SHA512194f27cd14caab595f1a4a38cacf3847a7f0c52fa6823ae5fb2e84be23ecb8bb3fb69d4acace3f86fb509c1602cc0afacd3961c604f2a420b5f360e44a5ba8d5
-
Filesize
342B
MD526d37b599a7a0cf8d995d9cbed6144e1
SHA1a833e2e22548c1ddcf5bd126626a1a85572ffcc5
SHA2562e55dc6368600334df4b7b97e4c844810ce5bf477f9497ffe38b0b1ae3d57c34
SHA512306e60b29312bbd15daa1fdaf9779db6b13c3fb2537a2fc2851a295fbb2a3d9d4d5b111f0e53fb160c182a8c4684cd8d06615a9a8a2e5866fcc0c2152e9070bb
-
Filesize
342B
MD50a55dae45a102b6324459935125f4715
SHA127f47d6e796177f382ea926f517ab41b72219c87
SHA256b78e54b9b60e524aa2a6e87a6eabb39cc05b8ad3d78dbf6992edf1c66d68726a
SHA5129df2434146e241cc343a6ed1dcdcb03d9f67a8c4b0d3b52415ebc30a093e1d8f7246825f0ea4cf1b8d6637a1e956c3404973e528e89c7648a1499f14435d2ed0
-
Filesize
342B
MD50e7324cd0923d0b3ecc83fe2cfe6319c
SHA1d19e878da3b68d946f595c004e0aad40552016db
SHA256c114cdc098dfda88b9eca0e12631ded925d87db8d351b138d7035b5e438b790d
SHA512ce0edc74838aecec28c9e43565128bef612804ed24982a68d9953ae5a8b8e95543755fa0c3ed5711125daa35dacc57228401a7f93691cb1a3693e753fe81ed7e
-
Filesize
342B
MD516f7f8b5df5b13f556b78f569e98471f
SHA15239dd91d775296b91d10c7c6b39239ad9b8c9ac
SHA256dd292b1e0072abcea0a88342da1e48ebe347feac05b6f5f8fface1cbca343eb6
SHA5129bf3a23aabdb28d8f8b08322fcbd7e1bb800cecca481b53e19261c82c25840c65665385189059ab7dc9b7900d21c3324bc6cb5b91072e922cf167ec779d86d34
-
Filesize
342B
MD5defdd57de57b51aff30581e61bd5de3e
SHA138e1cba1a2ffb3a5f4016186416d2be748424017
SHA2567df9a86a43cd76482d4769e697d465d6fe116fa5ee6d15b7d8477d5bd3fcca5d
SHA512f9b9a6ab8d2cc954a80ebbbe2013f5668e444c65fd644f0399840fc171083f2f0f7b62fb6fd861b303861f72c2a35fd15d58ccb746977ba5022c935526fe0f84
-
Filesize
342B
MD5a2e9aae9fd09ce64e09a6d68b751ccdf
SHA1795c800c7c760ece9b3fd362fa004b43dd9150ed
SHA2561ed4d2af8e9c44d4d9b42d687ab43e4313bbe3fed00c17560f48374839dfd867
SHA51267f3355961618bda3989ca033e4fc8ed5fdc5e92e594eb6e85782deb021383091347374fc4a33b8557c88c23a4a1eee6eb20be6fa2e4bbd6853a3085098aa323
-
Filesize
342B
MD53ef2473e38e68aa8605233b0efa766ca
SHA14ce1f75f6c192cf541a94342780979c12d541ff0
SHA256b093c0d2a1b7daa649a8f492132880169f1ba86f4fd4cb4041511d6911e71372
SHA512794baf4f17103d07eb2d90769f2b3e3a9daebfbaefa1bbc99af38a3b0d1ba64f273712aabe115f779c69646dc93e720cf22c2df8e726b19df497a94760af96be
-
Filesize
342B
MD56fbc9af9829db266fc960fc33df58a1b
SHA16b97d30e0d69d2454a0e9fa24873043a668c0399
SHA2567a0c493db7db9e5258ca31159bf988581242fdd4038f1e01b1a002085d25f2ae
SHA512ba2c3f3f69fac2b98944bee1ee8f91e4920b611fbfc16cfc6c9139cefbad96ed2c932abec4688179da93f7f5b8f176cfeec14ddc5bcc1e33a307da9f222e2932
-
Filesize
342B
MD5c520e4531a3258527a15b1a2159eb44a
SHA14ed894040169af38eb36872466ee94b105eced7e
SHA2566965e1a5d6dde6713b9b0d4209af4e46be2da8ac29e2f8602cc684eeb84b5cae
SHA5126c8c73bd2d1eeed6ab729d62484bd9518cf4fc8ce07fd45e1aa8d8a1792b78bc7dd0f8f5a8da5cb2a083e6d789cd27099ae90ba021cd0aa466ba184204bde848
-
Filesize
342B
MD5198df18c3e66f6ecab84950fba9f7d4d
SHA1c1d111ed8f89da22537d84c84debfe796b804e7f
SHA256bf6eab74f1753e75371664efed044188000120f9a42e96c52f58d75fd455ed1c
SHA51227afc534504f194f0623f45a70a1f3ebfd47b950a75401e9b4ef6bc6cfc5389c87ce1a540883cfc6d94785be789a406ea6917b9a423f0e6515ab0faef7405897
-
Filesize
342B
MD5ff235eb1bac2ee57631a2e2f2a7b5df8
SHA1f67b67ecdc9682a85bc68b642b5d58df371483b1
SHA2563a61dd41460a729cfaae68355b8d2d0b34f115b69734d4740271f0aeae55b5c1
SHA512abf2a6778235d701d70873774d97969a0c49c005ce7097343e8578cf9728a7b5446da7351c8b600e1e6777b2a7c67942611a0e6827298627d4d38ae337200023
-
Filesize
342B
MD5d2ec112c447e98249964ca6c7f7ed928
SHA1a9a2873f7bc5b9c4189e5c167416aa93dfe457be
SHA25639049df01d2e2d0416fa0040c7c696cd79720d311b0a953ab3ec26d0737e7690
SHA5122fdeb8a375632ff0455953f884f556e3cb9f28506cf03c8d5b2c448f7bd0b7cdf54a072f667c590c6ebfde8325ea0f032ee2fee7bca5f5da503d6df061d30f2f
-
Filesize
342B
MD56437d754a68f9df41602ec28acd87afd
SHA10f58aa7652d544172f57deee2e3c69fa3abd93fa
SHA256810f12b363be815dcebfe9c80bd40b530da7824ab01abb7469dc3918b9d50d49
SHA512380d086b604f6521d8f0777466e2a0c13e5b7d2273acb670a6b8de295dd82084f4ac4f826dfc09e122eddf95be1a13052294b83a8e6e7eb91e06eb0efcfa95c9
-
Filesize
342B
MD5da1fb51b893ab95836984e21dcd9fd14
SHA19bfcfadfa35a04c4d95732e1fc1352508b703687
SHA256f2f7c7cbb53da18db3dc683ea62cdcb058e5a12376a8de5f8ae028e9fdd6a2ec
SHA512f1fc1ea31543c526f32e65c61876ba012bbe2798a9184d2eb48b751519461bbf86dc72378bee3f4eb40c17597219e97d0731f457485e13e34260b72d3ff6d8fe
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
660B
MD5c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA110b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56b78cb8ced798ca5df5612dd62ce0965
SHA15a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA25681f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
12.3MB
MD54a730ef0570176951a57a1b6fa32aff6
SHA1e62bd84cff29c8efb688311e54dcac933506cd67
SHA2569a521dc6d85f3b758493b64d637b3c52cb3e6eed57d260c8fb33456c84b3529a
SHA5127f867ba7577cb49fdccded5d9b90f4dcc67f3fdf0d31c6e2778e987c641337ba0344f46ed51529b7a2bc931f0e996e28a47dea9ef02dc7853100da30e4a4762c
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB