Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
26/07/2024, 13:23
General
-
Target
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
-
Size
59KB
-
MD5
743c70dc9d04d9b39f681a13658a3953
-
SHA1
22379799d963acd5a88707518bb798965e3cab3e
-
SHA256
0765299e68651128f2edf3a3f849ce4d38ee4982a81379890cd3e129a9fe92e5
-
SHA512
8b877f07e1878e0d491f3a65585c8ce410fa31561f47b92d0203ff6de19fa0d6d877294d34bd31ea43fcfe67da3db429cfa587f082c59d953df27938f4a8046f
-
SSDEEP
1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEy:gS9sfuwqBU1B4TrmBOAh
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\jni.mp3,MainLoad5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl81FE.tmpC:\Users\Admin\AppData\Local\Temp\inl81FE.tmp2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\743C70~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56cbd1848e570354769fb56efd38f3594
SHA1d17d48036cdbd6a928729a16a34babc2bd49708a
SHA256cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d
SHA512ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
12.3MB
MD51cebbf1ea053e6ca5fa204755e865959
SHA1ec1f5acf0c7cb172404043290a667e8fb0741c92
SHA256653815953b008c2c59fcf056ce870fea5a9aca34734bf2f9e0fe33c65d31d8d1
SHA512632eddf26a4a5730c1d6f6bc4d0ad92152f8b45cc29882db75a0991bdf234f17faabdff2a61f28463462c3f34e7707f4f9a4b6893af422f22d59bfe3723ae95c
-
Filesize
342B
MD5c85e8b8d7749bba986853538b232b8b9
SHA1f6bb12ba0c7884bf79151012d9ab5a39a30ce144
SHA25620fba2372eb6f0b7b8cecd261fb6e8294f468c4471822a1764b400c1fbbde7d3
SHA512a0f6cd33ec2649fde2165abdd04c914e3b341b3eec76a7586c2270fa34de842b72956ec37d7c82c94138ca19e01bdf6eca10217bb7b70b6416f5779f73941648
-
Filesize
342B
MD5d0222c305193d902004e845e0841cbf8
SHA1c0614debe5eba8dc77d03e1b3e14576e989d84d5
SHA256412cd08c1e83b4162e706619953764e95e51fb5e7fb7c5203d16133e3bfef5f5
SHA512b1d94edd79f83268cdc577451afb808b514f773498c0cc3da2db48e3617891a42bcf48ec30a21fde459b06221b9aa460bf8231a97a94aefa4e2535606de039ee
-
Filesize
342B
MD51a5fdb550579be2fe45f796a0b161c13
SHA1af6675c83c3346d290e0801cbd691215d3b6af20
SHA256b47abbeaa75c53aaecdfa0e87628fe82d1bc06ab5ccfce72e9004483ce8b5ff2
SHA512e2eead7f61a398e0e7c03ca67ccbcdd4625f28f66dd127a160e038112a20bda2a31d98652f6a5c9f7f409e78bc77bc8e28f00b9ce75fcc2b431255405bb95e7e
-
Filesize
342B
MD5780c81cbd83469996ea6bb4258c6d113
SHA1766546abcf1da445f785bf53383860d739e63bd8
SHA25641b7d43bc04b79024e53a6f51662d838d714c48ef6378c37a05f11bab05d5492
SHA51239742e34dd8db78b9c0678f89b19e392a3cd73d46aa1705adc2ff6299dcf2cd2c89c3c518c9599d0fdb5bf27e2078e51e5570f11f21765dae09d1db92567f4a1
-
Filesize
342B
MD5e562f4a723419dfc7a192450179f9c75
SHA1f49f41cef7d9efc1a1d099d3651233f3b06d3ffb
SHA25620626177859cded309a91d7152aef1f04464573e479699d078416cfee29e87e4
SHA512cfd4c960d3500debad20307d1ddc1d0657c0156fa87637c4e8364e45c0e767953df4057f1d8f94bb4d0b6537a5ad7c4bf997ec3f9dffc57920a611002a3fe544
-
Filesize
342B
MD533370f144ae982c45d8d47376a780128
SHA1363f6883e9acc371905102222dae528ce1665679
SHA256489dc07ce68a23d5b862f13d432ad7f6adfcc201b7af433b6557755441d5576a
SHA512e2137e11bbc4fabe19e7782170d48303887c21437d7fba32fe7338c61dc3ced7b3cbb6f385ba3e5107edfa655f046816d1dc4ba95c5fee0d114ab6e069b3c0d8
-
Filesize
342B
MD5ffea77f83e256988d31e8199674648d0
SHA166e5648bd7eb3013df74990c7e0591d6a93f6379
SHA256841ea93519f7421cea60fb079680b655d7f1cfac725ffcf64ad4df54ba13f8d5
SHA512fe2b56ea90529c531727a4cf21727c04ba628732336c558013096100cc10739313cf48eacbf838fca6cc58144d8850537761f9487968556e3a85ccdf5c4fa6d8
-
Filesize
342B
MD5f762ac1d1428c6465dc792536839ff14
SHA15c193038aa6fae42cc94ef5378c1b09ff39f5117
SHA2568d05832c522a563c47f04f591c7660b8efe36477c6cf88ee1c34f358ab6a1977
SHA5123c5527b4df294229b905b0e5dc196ac02a27297de085b63cb3bd23335e95ef7b2f389edfcb8f1495e3d1b690a38bb79791daee2db42e6067477573ed72c44a35
-
Filesize
342B
MD51f1e558040e70a0274a2bb37eeaec712
SHA14e2b903eb978de76007c17e3af6ca686ff9ff40a
SHA256c7b564d0cc4356dc64c8f1c8259baedc8b41b5478c007ada90f64378d1544834
SHA512a4270a4ef49d5c7d9bdc3e48885bcfe7d879523943edb3233546b0c9975189a40baa9360538376b74d2a8b3e2a091cfb4c421ab3ed45ed3e12fc86924c9df21f
-
Filesize
342B
MD5b34fb7a77ae9b3bf22825d42a289872f
SHA17f72142774fb88a3186c4c383456bd1d946a6164
SHA256b6524a006e4921b2a200475b12ae063ea2a470f189420cfdaaa8c4e156363d93
SHA5122837af42df0e8c860e6f210556ea2ac87e53beb4f4e3046c5784eb1d9d83db21341b805d1f28097b87c2298e9703521c9bf5069ea1e388754d7e3c27c83d1a16
-
Filesize
342B
MD561f2e4288a765bf927b62cb6a4f19030
SHA16754717123252b2c3082c9471ee6eb486d6a2698
SHA256d2fd1092fedfac4f71b3e95f2bd9b4157b09b422fab2cae783cad80de520dd87
SHA5123812d6c1baec6e10d3ab8d4a7b76bdce25c8ba17832de9b7529a7afb1d46160a67f06644bc69bab52ed79066c3038878534592b52ed41e6291193d4fc68bef31
-
Filesize
342B
MD56038349cee3c3fff15cb21c04920a834
SHA1db1d47ffd0d8eff72aae0860d5786cc11a0dca2c
SHA25657515fe21c27125b368d321f734f3a78de666a8684f4c8b4049090410ae54ab5
SHA512c1f121a25e36638e6d66a73940830b89d3cc6f8f7121665acdbe1d1934ce1135896cd3e149adba376e63a2f9f93449b0d706072ef434697dbb288081cac24cdf
-
Filesize
342B
MD5cb52d7aa3daaf3c11767c3734a07f649
SHA1f3e51958dc13ce7cb6ed63b8e7b5a3f4b31e98aa
SHA25689e90c0b70507e0cd3895af9144edc3aa652da729985f2ebc03ea0befdbb7fda
SHA512c4178d05331a2f80b957e2b9be08366802618484911e4a3113bb0be8f87c572756fe416a297584598e1a9261ef5b3b4ca170b979c9c49fe58af9a99eb49ee507
-
Filesize
342B
MD567d7d699338c7b652a7142dde896ffdb
SHA1db88c40fd4dcf07a19454dda195db65f0cfb5f74
SHA25606e98adace2f3fc0dc52bcbc72d7a962160a497693257460e63388ead5278700
SHA512326f25a27c0b8953851d2bbe16849077ca3518c796c645ab9cf79d79e6618f5a462fb8091f9f6211b9656278212df45dde7fa2ebe605dd463ad18e1aa435d5f3
-
Filesize
342B
MD52ec5aa9c8990188c5e0e7a929baa145e
SHA1c657f0ff9610e2542d50f5418f3b0d8e5c85fc06
SHA2568ce7618af7703d1c74f32d442131e76d2b6019932e9173dc4be793734a7801e7
SHA5129db7f05467e5ebf14d0a8d0a33f0f5e95d6f7befb47ee50463a16d5e0fcae1bf0a6012fd33bb7c3dbdc2eeee6b21ba86c3f1cf10cfd95b0baf3e1bab64833274
-
Filesize
342B
MD5bd1e903dd769a81fc62433a868b82ca9
SHA1efbd54e4b179f01ec2bb8bdd0098c5ef67dfa9f0
SHA256c5a2f68a7bc8779473753b80c591b8c8ff8d7db4fa30f947abbf126f62de9228
SHA512c4492d2ef144bc564552e849a49e2907832a2f7269bde4dc3e399590bf183c7403fb63468a18c751f37eac9d07a52f0942cfce799f63b4c3c3c8c16d083b5209
-
Filesize
342B
MD5971a8786d670228a824af71c92c5e956
SHA14e8d9ef918afa1cb43cb17c6140a3aa11c2b98fb
SHA25636aef124b0688fd6e70d38b25d9f0b0c697040045109848cd28141c47ffa8623
SHA51231013d536c7d0e887fc55547cc188eea367ccb4059a22dc65ebfc9c1765f89cc071f434395486996d3dcae1c346325e6f1c1823efa0f20abfcd8900202de3f2a
-
Filesize
342B
MD54fce1a2f1cbe046613b7889a325b5bf7
SHA193c5596eb89abf1ab5028277fee2838ab06ffcdc
SHA256b39d229b2c00384047db3984cbaab0a8a9238805861cc4ac3ceb4567dc9f2d6c
SHA51269466bd6e8eed10f7db02e8e1930a321aa14e703b93ba509e3c2ec3eb67c8a802f666cad7b57cb998bfb8a24dff7ef7d0024eefd61ef382daf01d15fa778669a
-
Filesize
342B
MD52ffeb5d5892bfa69cc84ae38812ad06e
SHA147f2f0ba8831fc6161f5b59f4b04dfa6522f531d
SHA25618cfc7369d48fcb380ed3a6e6858526a4be4c4fd20c2b1712cc625a9fc3cf232
SHA512000aa1b3c9b99ca79fe85443ed47bad50e0f98ce36ea1202bea0d0c8872f8ee37b7fe5c6477224277f50842d0fd1bbb6f8a72c4173e1b95aae63be4ba0d3d4fc
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
629B
MD57c51a3cd196c154af76f7d57a475487d
SHA1f2067dc3665cf3c7269eaec7022642bdc4a6a375
SHA256ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937
SHA512efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
12KB
-
Filesize
152KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB