Overview

overview

10

Static

static

3

66fb1bb18e...18.exe

windows7-x64

10

66fb1bb18e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/07/2024, 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66fb1bb18e75f0bb0bca89d55afb0ec9_JaffaCakes118.exe

  • Size

    196KB

  • MD5

    66fb1bb18e75f0bb0bca89d55afb0ec9

  • SHA1

    52b7f47a3ad12580434f956b21f98547a886284d

  • SHA256

    db2725ac686e28562c27ef88699ede3bb5dc3cdd58644cf2cb7bd02bb8d36680

  • SHA512

    b3541098cf04bdb3bdfec69981e79848afb4da6b1cebc19dfc75dfaa6ba5266c0a6cee180052380c37f6bc4d1c58e47a829f9df5f4c3cd974df3a83b569318de

  • SSDEEP

    3072:1uwTNLvIi99v3kaVfH3b52iOXbbx16B0YMr/F3VvZqsmGqOHXIFBjm1/cY7Kx:PRvpVz5OXp1Y0YMr/FFFm1sUYWx

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 11 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\66fb1bb18e75f0bb0bca89d55afb0ec9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66fb1bb18e75f0bb0bca89d55afb0ec9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\inl9695.tmp
        C:\Users\Admin\AppData\Local\Temp\inl9695.tmp cdf1912.tmp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2472
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Users\Admin\AppData\Local\Temp\lieC51.tmp
            C:\Users\Admin\AppData\Local\Temp\lieC51.tmp
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1148
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
              6⤵
              • Checks computer location settings
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4316
              • C:\Windows\SysWOW64\PING.EXE
                ping 88.99.00.00
                7⤵
                • Runs ping.exe
                PID:3008
              • C:\Windows\SysWOW64\mshta.exe
                "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                7⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Drops desktop.ini file(s)
                • Modifies Internet Explorer settings
                • Modifies Internet Explorer start page
                • Modifies registry class
                PID:4864
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4540
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4544
          • C:\Users\Admin\AppData\Local\Temp\kil270E.tmp
            C:\Users\Admin\AppData\Local\Temp\kil270E.tmp
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1652
            • C:\Program Files\Common Files\19920306.exe
              "C:\Program Files\Common Files\19920306.exe"
              6⤵
              • Executes dropped EXE
              PID:4600
            • C:\Program Files\Common Files\920306.exe
              "C:\Program Files\Common Files\920306.exe"
              6⤵
              • Executes dropped EXE
              PID:4912
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 300
                7⤵
                • Program crash
                PID:2448
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 308
                7⤵
                • Program crash
                PID:4148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\expand.exe
        expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
        3⤵
        • Drops file in Windows directory
        PID:4632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\66FB1B~1.EXE > nul
      2⤵
        PID:4652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4912 -ip 4912
      1⤵
        PID:3356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4912 -ip 4912
        1⤵
          PID:1944
        • C:\Windows\system32\attrib.exe
          attrib +s +h "D:\RECYCLERMD4"
          1⤵
          • Process spawned unexpected child process
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4140
        • C:\Windows\system32\attrib.exe
          attrib +s +h "D:\VolumeXX\desktop.ini"
          1⤵
          • Process spawned unexpected child process
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4576
        • C:\Windows\system32\attrib.exe
          attrib +s +h "D:\VolumeXX"
          1⤵
          • Process spawned unexpected child process
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\19920306.exe
          Filesize

          24.1MB

          MD5

          79654049ba429cc93db2faebe9c761c6

          SHA1

          f54f61d20fd1732eb9712953a30ccc1743dbd091

          SHA256

          0edcf4285b5bd8e8edee460be44a10271662261769b646db008fe2d5f9f2d0e3

          SHA512

          aaec7299865cdecfc79bb03e648a1bf6b2b6adebc361c925a161972b21028c8a3c8438f41d41448fa4922b0bb0453f05ebfff0f064832b19ace9e1089895a26e

          Download Submit

        • C:\Program Files\Common Files\920306.exe
          Filesize

          24.2MB

          MD5

          6cb5cf2002816d36f69f192dbd646385

          SHA1

          786ef5849611ded0287a90536c9b18934c4742bd

          SHA256

          747c8e479f277211d343df1a21c665a13fb1440ba3c490da4d6be767067ab48d

          SHA512

          c0ed93fdba47290280e4cdc1454a32987f6f450b235787d73bd77ae752bf0fae5dfd25b1b7b8323bfe3db6893fb6d665c1e3e752703562e33329fafdf84a749f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver87B9.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\4DF043PQ\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
          Filesize

          766B

          MD5

          b69d002455f1a5a100e717a6a84ff991

          SHA1

          3a99b22845afb2132300095d84534e65823e678d

          SHA256

          c05465e73465c2d6addc7514ad50b517675ce26bfb1a4cad3d3b64b617940934

          SHA512

          1f2e36f1e8c6f66ba746a3450a9f5c07f300bff4682e32344541596b0bdae7e3f443f3e25deaa7936195c48642f9268e3a626a4018772417ce48d26e4f9d1505

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat
          Filesize

          57B

          MD5

          e0b1a0fe1a2802368b3a8e7b1e399bf1

          SHA1

          2fb70f2da2656cb29dd7894d55a6e287272d62db

          SHA256

          1afdcae8686b8112cc3df81ef72c95ae9f23f6da62424672d6e701a3b878a788

          SHA512

          8e91e45a086646e9c4caa5fb5c6a8e0d2bdb5a760f3be40a081f5b5c3956bb144bfa1e0ab58f826b94b50aa79236a77c5738d1914ca76d3f30916593c8cc785d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat
          Filesize

          45B

          MD5

          2220659200be39fcc23b9f8c65a5c0a5

          SHA1

          063f63aa67539d849607695bebeea0dfca6b7a2a

          SHA256

          d64f9bb1344205c769950ce0be3f594941790aaa6a4493694fa4a4c60a435fdc

          SHA512

          aa09cd362f5b6a5a525ed75cd29a190f9ebf387198e82fe502c28696d497ae8875600bef77bd9c41206c1f34f2dbe6070119fdf9fbf9d9616b689e42cd8ad07c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat
          Filesize

          44B

          MD5

          d8afd0adea160b9755513beeecbd1d3d

          SHA1

          6caaf1920b247b6d7928e2a83853b8510202614d

          SHA256

          5a8933fc3d3e3f5dcc32bf978c10b8c507dfbb6f9c933a31458408bb7ff6315f

          SHA512

          c6233c8d5cdac7fed04b2395fa79ebd76fee0629f3587789f81faef3f03480344715a824988374ac5a6e6059d96af493d3f971a4ce3b2413285ffd3f82107dcd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat
          Filesize

          70B

          MD5

          edea5cd5060d69b6c558fea75e330a67

          SHA1

          929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

          SHA256

          1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

          SHA512

          adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat
          Filesize

          98B

          MD5

          8663de6fce9208b795dc913d1a6a3f5b

          SHA1

          882193f208cf012eaf22eeaa4fef3b67e7c67c15

          SHA256

          2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

          SHA512

          9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta
          Filesize

          7KB

          MD5

          55409e8335285720e34eeb153fee993d

          SHA1

          51336bf33901c5a544387b8ae5fe3ca2f97f7db8

          SHA256

          90e0062b4e9e8dca75ff5f6792529075d2594e74fb4693ace0001fe226e6a42a

          SHA512

          1964296394ae968c3fdc5bbe9d808f2e51c45f5610d48f7db77d7ce70f9525290eede4f8411768825824131bfaffa43d4ccfb0fdfacd3c53ccd5458843d4049d

          Download Submit

        • C:\Users\Admin\Favorites\°ËØÔɫͼ.url
          Filesize

          154B

          MD5

          8d681a59ea75e91f730bd9ce3c42e514

          SHA1

          9d426029daeebf03c9053761e0e5a9f447f98e9c

          SHA256

          afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

          SHA512

          ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

          Download Submit

        • C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url
          Filesize

          155B

          MD5

          5a17106c27138df10448c2c3be95f399

          SHA1

          56acc2ed4fea4171127a13dcdee08bdd39d674d6

          SHA256

          c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

          SHA512

          1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

          Download Submit

        • C:\Users\Admin\Favorites\´´ÒµÍ¶×ʺÃÏîÄ¿.url
          Filesize

          156B

          MD5

          8a275b261afcc166671132b6f03831e4

          SHA1

          03ac21edc1de2df748ee3a301a6b3de989c423c3

          SHA256

          0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

          SHA512

          269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

          Download Submit

        • C:\Users\Admin\Favorites\¿´¿´µçÓ°.url
          Filesize

          158B

          MD5

          d645085ab92574a2a17abd323415dde5

          SHA1

          49ebaa4499cacd9256f270f35f31684b7cd195b1

          SHA256

          41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

          SHA512

          a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

          Download Submit

        • C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url
          Filesize

          157B

          MD5

          993f72a439a3301caeb969c7faa7a8b9

          SHA1

          176244349a0463cd0fc38cad426d89dc3b055311

          SHA256

          b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

          SHA512

          c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

          Download Submit

        • \??\c:\users\admin\appdata\local\temp\favorites_url.cab
          Filesize

          425B

          MD5

          da68bc3b7c3525670a04366bc55629f5

          SHA1

          15fda47ecfead7db8f7aee6ca7570138ba7f1b71

          SHA256

          73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

          SHA512

          6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

          Download Submit

        • memory/1148-71-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1652-100-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/1652-87-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/2472-42-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2472-92-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2472-58-0x00000000000C0000-0x00000000000C3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2472-78-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2472-43-0x00000000000C0000-0x00000000000C3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/2472-56-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4148-19-0x00000000000D0000-0x00000000000D3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4148-0-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/4148-18-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/4148-1-0x00000000000D0000-0x00000000000D3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4912-97-0x0000000000400000-0x0000000000430938-memory.dmp

          Filesize

          194KB

          Download

        • memory/4912-98-0x0000000000400000-0x0000000000430938-memory.dmp

          Filesize

          194KB

          Download