Overview

overview

8

Static

static

3

743c70dc9d...18.exe

windows7-x64

8

743c70dc9d...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/07/2024, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe

  • Size

    59KB

  • MD5

    743c70dc9d04d9b39f681a13658a3953

  • SHA1

    22379799d963acd5a88707518bb798965e3cab3e

  • SHA256

    0765299e68651128f2edf3a3f849ce4d38ee4982a81379890cd3e129a9fe92e5

  • SHA512

    8b877f07e1878e0d491f3a65585c8ce410fa31561f47b92d0203ff6de19fa0d6d877294d34bd31ea43fcfe67da3db429cfa587f082c59d953df27938f4a8046f

  • SSDEEP

    1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEy:gS9sfuwqBU1B4TrmBOAh

Score
8/10
defense_evasiondiscoveryevasionpersistence

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3288 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1528
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1596
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:4936
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:4320
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5052
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:4560
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:732
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:540
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4920
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4504
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:2196
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4884
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\jni.mp3,MainLoad
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2864
    • C:\Users\Admin\AppData\Local\Temp\inlE83F.tmp
      C:\Users\Admin\AppData\Local\Temp\inlE83F.tmp
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlE83F.tmp > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\743C70~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~1\FREERA~1\1.bat
    Filesize

    3KB

    MD5

    b7c5e3b416b1d1b5541ef44662e1a764

    SHA1

    8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

    SHA256

    f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

    SHA512

    65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

    Download Submit

  • C:\PROGRA~1\FREERA~1\1.inf
    Filesize

    492B

    MD5

    34c14b8530e1094e792527f7a474fe77

    SHA1

    f71c4e9091140256b34c18220d1dd1efab1f301d

    SHA256

    fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

    SHA512

    25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

    Download Submit

  • C:\PROGRA~1\FREERA~1\2.bat
    Filesize

    3KB

    MD5

    6cbd1848e570354769fb56efd38f3594

    SHA1

    d17d48036cdbd6a928729a16a34babc2bd49708a

    SHA256

    cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d

    SHA512

    ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5

    Download Submit

  • C:\PROGRA~1\FREERA~1\2.inf
    Filesize

    230B

    MD5

    f6dcb2862f6e7f9e69fb7d18668c59f1

    SHA1

    bb23dbba95d8af94ecc36a7d2dd4888af2856737

    SHA256

    c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

    SHA512

    eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

    Download Submit

  • C:\PROGRA~1\FREERA~1\4.bat
    Filesize

    5.8MB

    MD5

    66e9fcf7b704c5d5a927ec325abeb35f

    SHA1

    38eb04e8badf8639bf94e2bacab1ae07f444ed08

    SHA256

    b975c6436a235afef309488701cb53d521af49181d09c085d1f73c1110582900

    SHA512

    a5a619db7df71d81ba25753855e280b59a26d414862cc4f61733f2a40013e683a3c7fe97403b1698680a991eca015ce0134ab994a18718a79fcb82bd24bb94ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9JI1NA5J\favicon[1].htm
    Filesize

    802B

    MD5

    b4f7d6a0d3f6605440a1f5574f90a30c

    SHA1

    9d91801562174d73d77f1f10a049c594f969172a

    SHA256

    e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

    SHA512

    c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9JI1NA5J\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp
    Filesize

    629B

    MD5

    7c51a3cd196c154af76f7d57a475487d

    SHA1

    f2067dc3665cf3c7269eaec7022642bdc4a6a375

    SHA256

    ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937

    SHA512

    efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat
    Filesize

    36B

    MD5

    0b53221b1332efb76ebd2ab7120ff78f

    SHA1

    e3dda4d21e35819eaf50e50c2aab2950ff1505b5

    SHA256

    05bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388

    SHA512

    877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd

    Download Submit

  • memory/2388-7-0x0000000000930000-0x0000000000956000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2388-135-0x0000000000930000-0x0000000000956000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2388-110-0x00000000003B0000-0x00000000003B3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2388-0-0x0000000000930000-0x0000000000956000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2388-1-0x00000000003B0000-0x00000000003B3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3288-85-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-78-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-104-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-100-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-106-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-99-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-107-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-98-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-97-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-95-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-93-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-92-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-94-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-91-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-89-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-90-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-84-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-56-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-111-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-116-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-83-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-82-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-79-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-105-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-77-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-76-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-74-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-54-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-55-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-53-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-119-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-123-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-121-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-120-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-117-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-118-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-46-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-81-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-73-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-64-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-51-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-156-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-157-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3288-158-0x00007FFF88B50000-0x00007FFF88BBE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3836-153-0x0000000000460000-0x0000000000469000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3836-127-0x0000000000460000-0x0000000000469000-memory.dmp

    Filesize

    36KB

    Download