Overview

overview

7

Static

static

3

769c163703...18.exe

windows7-x64

7

769c163703...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    769c1637033775fea79330ca76984390_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    769c1637033775fea79330ca76984390

  • SHA1

    7bbd2dd9410be78153f0dc51b568ffa8c2d14717

  • SHA256

    96b045abc98114cc47bd1ac23029fe2b8a12ac16c2f34a0c14cd7bc9d7710f6f

  • SHA512

    c1b06406d050561f51304e83af379f8a4b4dc6a798dfaee26bc9ee552e5e6e0f7531aaf128c5cafad08224e7d0b8c38f63aa8a7a6e9f79b47d35e771bd67a4f3

  • SSDEEP

    49152:YJAKL1A4GFERnJfYMKAUVB7bsxr5fy8ckyyoYXtGqOipLCgvhB:BKL1A4G6nJf9aBHsxr5fy8fy7Y9GqZFj

Score
7/10
adwarebootkitdiscoverypersistencestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 60 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\769c1637033775fea79330ca76984390_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\769c1637033775fea79330ca76984390_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\SE205.exe
      "C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\is-B83Q8.tmp\SE205.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-B83Q8.tmp\SE205.tmp" /SL5="$9005C,1954047,54272,C:\Users\Admin\AppData\Local\Temp\SE205.exe" /VERYSILENT /SP-
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Users\Admin\AppData\Local\Temp\is-N3457.tmp\IEMaoSvc.exe
          "C:\Users\Admin\AppData\Local\Temp\is-N3457.tmp\IEMaoSvc.exe" U
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1572
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\iemao.dll"
          4⤵
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2232
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\midas.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3220
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\IEMao\IEMaoBar.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2896
        • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
          "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" /regserver
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2976
        • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
          "C:\Program Files (x86)\IEMao\IEMaoSvc.exe" INS C:\Users\Admin\AppData\Local\Temp\SE205.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1008
  • C:\Program Files (x86)\IEMao\IEMaoSvc.exe
    "C:\Program Files (x86)\IEMao\IEMaoSvc.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\IEMao\IEMaoBar.dll
    Filesize

    2.0MB

    MD5

    4fd418575fc880292165cfe1459698a8

    SHA1

    bce2f459b993b51ea12c995795830250d370a228

    SHA256

    f67fd91b26e2a7965d623bf8c6ab500abb92443a474eec5482eb961864e9d40a

    SHA512

    ae8ce98370eec8fc0eb123e008ca91f5fe8e0247dcf3afdb5d03d8a1947d6fdce0eb685fa28683e286266858baf3ce532acd21fbc39fc867026af0e45b61045a

    Download Submit

  • C:\Program Files (x86)\IEMao\Site.ini
    Filesize

    648B

    MD5

    c32cd0022b2903bc8e5df113f1a1c6ed

    SHA1

    5cc5c6f391b3762fd282f4f2a7f3d218179fb1cd

    SHA256

    3bd51bb4288d9e4626e720a04f8b5d45fa02cea665dcc2c6012a73f8686768af

    SHA512

    ea6b0a9fc9d72cf7ce3790f2a0590812cc309781697f14adb371c5c31dad7e8e6e360f1d54a1e960d71bed7934f2b31ea6e574db49c2af3b30c9e18556464197

    Download Submit

  • C:\Program Files (x86)\IEMao\Update.dll
    Filesize

    570KB

    MD5

    c8386a40d92c22459e759ffa9410cea3

    SHA1

    248e1f688b439ad774cd5c6e8b4b537b3f337c6d

    SHA256

    4c2aca3c43cc6bcad5ba469efb4492dafefdf865a1d29e062efec220be512dc0

    SHA512

    c18fdcc47632120af36cd814e0e7bd8a1de39a4e77805c6c193f5f3592aefffc9c3c4f7e2f31150872ebdf84f2aac87f2bb14d4eec4c17730b0f67b2c3d9121f

    Download Submit

  • C:\Program Files (x86)\IEMao\iemao.cg
    Filesize

    44B

    MD5

    52b7ba72c99fbd0a6c6c9c4b9f70cb89

    SHA1

    0888b49e3952d6a202b2a5bc6a6d0ba97304a134

    SHA256

    9458985fb8c27599bdf14f013146c382256e1b91de4c397e03c17bb7b4c10a8a

    SHA512

    2a7ba4ef10cf1213f793048c43247d318915a4c246f03dd5dfc245def539b13f2680f44a9833eda4713e32fdbf8b060965f946983d23cc51e88fd29cb354d715

    Download Submit

  • C:\Program Files (x86)\IEMao\iemao.dll
    Filesize

    764KB

    MD5

    f7ba4f7ed7d31e823ad386e44512220d

    SHA1

    393c9c99eb4e7ae040d38c4cbbeaa4df7d36bf3c

    SHA256

    47dde1ea825b5f0dccc2675404c5f545c25225bde240571965f388a05e6d1be9

    SHA512

    bbeb4c9191f2c3d3d758d1de63573fd7250f38e6493a78518bfc07d993401eea0a88d05c0d9178ab88145489a792de7edc645e875e5d83df1453a43cafa95796

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SE205.exe
    Filesize

    2.1MB

    MD5

    9c4905c83ff4757aa4af814ff541dbff

    SHA1

    bb6e9e6a15762146ecaa518dcacf3cec099030ef

    SHA256

    b28f07326f5b491544b74903e691cb69146398be5c2b209c353acd530c1bc6a1

    SHA512

    ebfd4d124442b45f5ee1b760594149148255900a1a4706f939f16600731db2569167e5ad0cb073af2a4fbd09bda10a2ddc8289ca40c7e5e9c9abbdc0c9cd4d39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-B83Q8.tmp\SE205.tmp
    Filesize

    696KB

    MD5

    8aa8c628f7b7b7f3e96eff00557bd0bf

    SHA1

    9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6

    SHA256

    14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d

    SHA512

    5e0a4765873684fce159af81310e37b6918c923ccede0c4de0bd1e2e221425109131830cff02e3f910f15b0401ee3b4ae68700b6d29a5e8466f6d4ee1dcd6eeb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-N3457.tmp\IEMaoSvc.exe
    Filesize

    2.6MB

    MD5

    4af78d4339b984a67f73c7f38d19b898

    SHA1

    5bfe2be35cb0146583c1b8c4ef6ed9080f42a9cf

    SHA256

    36aee391a9711e586c2b92e5a60c106feb593b28735820e8aa1d2fed655d811f

    SHA512

    fb132fca362317d6814448a69068ae99e82c31ce96c3e3a076a6123850ed20610220547a56447308291ebebfa0cfbfc9eae542613e344582bc3eafacfb33b61d

    Download Submit

  • C:\Windows\SysWOW64\midas.dll
    Filesize

    430KB

    MD5

    43b9337ca111defa4da637a3121e7a7d

    SHA1

    40f15faa582609408194e2317f14a949388874ef

    SHA256

    e5d2be36e26d90a1926b641e25689ecd9ae4f796bc3ca40ba75b30ef33f67fbf

    SHA512

    25c34deb29fc478c68dd7dd582571025db4cebd9a3d824caa98e9a1f74c1ffea4c983964d9657517d5fc1522efa6e3dbf23224bd24fa215780e39eae13acac60

    Download Submit

  • memory/1008-160-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1252-16-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1252-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1252-167-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1572-30-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1932-169-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1932-181-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1932-185-0x0000000001D80000-0x0000000001E14000-memory.dmp

    Filesize

    592KB

    Download

  • memory/1932-189-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2976-155-0x0000000000400000-0x00000000006A1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4904-166-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/4904-25-0x0000000000400000-0x00000000004BE000-memory.dmp

    Filesize

    760KB

    Download