Overview

overview

8

Static

static

3

8545d00334...18.exe

windows7-x64

8

8545d00334...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10/08/2024, 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8545d00334e198ef9e858586c45b78c1_JaffaCakes118.exe

  • Size

    71KB

  • MD5

    8545d00334e198ef9e858586c45b78c1

  • SHA1

    ad7846039de0163ef3bbaccf8e22bd506f8ff2cc

  • SHA256

    a41422a859b3cdbc59032046a034973274e0ad26d6eda7e23bae790f88e3f7d4

  • SHA512

    989fa41d82fcfa051588f7244470e06c14203b21e75494d06ca635ab596896431431afd9ee633d0dc3b26ad4b7dbad451d2894eddc0b40824e7a2cfabe8f3ce5

  • SSDEEP

    1536:+XcS+oXb+AcjJ3wN/g5hcxiqNGZSsBIGOP6vzgCNUoxHww:icS+oLwjNMg5yxiqI4UIGOP6v0CNUKHR

Score
8/10
defense_evasiondiscoveryevasionpersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8545d00334e198ef9e858586c45b78c1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8545d00334e198ef9e858586c45b78c1_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system\zhahss081216.exe"
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:1708
    • C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system\zhnahsdf081216c.dll"
      2⤵
      • Sets file to hidden
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Views/modifies file attributes
      PID:2132
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Windows\system\zhnahsdf081216c.dll a16zhqb
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "c:\zhqbdf16d.bat"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\system\zhahss081216.exe
          "C:\Windows\system\zhahss081216.exe" i
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h "C:\Windows\system\nbhsyh32b.dll"
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2848
          • C:\program files\internet explorer\iexplore.exe
            "C:\program files\internet explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\8545d00334e198ef9e858586c45b78c1_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Documents and Settings\All Users\hsyhdf16.ini
    Filesize

    149B

    MD5

    ad893bb2f87189236cfb1e166f348ba1

    SHA1

    4951cc77f27c7e9269a3b7527d1c13c57b74e275

    SHA256

    7196a0b3e5c8449da210301c1ef10c2b4ec6306cc1d1fa298fec25cc0261d257

    SHA512

    3f0345f142f2d2d1bc0d730df3911bdbe8905582b0e0749e36a09203dbcc0de4dadcdb64088b7a35ff9943fcaf7a4935463977f2097277a042347e72c574a3c2

    Download Submit

  • C:\Documents and Settings\All Users\hsyhdf16.ini
    Filesize

    184B

    MD5

    076f4b3b30bc964b1f113c0d388e3849

    SHA1

    b1fa853c1e3274c3256beeaf87cbc615408c7620

    SHA256

    293dbe90ef169c4514fc0bad11b341be6417b91d7eaf571b90f92c70a7dda8a2

    SHA512

    e33999522efc00c965a1f5b5c09b980bdc8f2bc0c8ce641fdecf0cc96a7747a17b7129d4a0f873a0f7971797c7a5bf084a57fb6be4b32ae1d8f049f19a1953d2

    Download Submit

  • C:\Documents and Settings\All Users\hsyhdf16.ini
    Filesize

    224B

    MD5

    c48fc4da29b985047014d874dd3fa195

    SHA1

    55cd1e0bcfd073253cd662f48636b1a5197457b2

    SHA256

    2f05e9621c327bdf10660d6cbfc0915c740fa577a7d66a8161082fd27890267e

    SHA512

    067b31ac04fae01e765b0c6c87f9070c2f27c7c9724aae9a7eaf3365e0e3e432bfefff63ff59d04e7159f79bb6376a5e6736225436fa03f0b64a7e45fc2a84ed

    Download Submit

  • C:\ProgramData\hsyhdf16.ini
    Filesize

    184B

    MD5

    9433bacd59e395f4241c26ccb16c19cf

    SHA1

    1bf0fccb6b283460988a3953a495854a1ae74d4d

    SHA256

    f4a7f97d492d7afa06d654585db4222f02ce9ab98679e205472e3cb64a945b77

    SHA512

    b4184c1a6d5e22df625ca97f04e947b26ca2a40eaebfa9c4103abf8cfe0450873ab2c8855db2da58f832b506a0907eb3af702b1bcb68a09d57c3d50fe2205f80

    Download Submit

  • C:\ProgramData\hsyhdf16.ini
    Filesize

    97B

    MD5

    cbdb3cafd9b0da2a8b4a5b1a7649f014

    SHA1

    3a5a512dba8f2a3a8224f2172318f6b7ce18ff50

    SHA256

    b48f6739d26fa95055fa128bc316629a7285c9f610b4bdf8e0d3cc5b8897b789

    SHA512

    a92fb4ed636eef7a3a8471bbcfcb256a0a9c0530fbad1d1be190edfa055fa4c5d41ee29d333075f658e6f14bb74a3bd7ab74e85a6be7ba3453b7b628d2308025

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    12d3ff01317f38749e4d813ca1d64318

    SHA1

    0da3b5c0eeb5ec1ec2fb68e370900f1c7a74dcac

    SHA256

    5aec131b9ab55118067cc7f3e8d27d507e9a1a30f8b6550fdfd44e054b91ff9b

    SHA512

    a0edd70634ad5e9a6b2898abd3c13fb1ac62674a308947ed9d2bb22527e3828ef9405d74342b65a7e1f161e29879d781d33781a51f22c3dd2807433b53bd6aa0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ed29cbe50c390d9b24d56f2e711bdbb7

    SHA1

    325b5a63d9f83034762c7ed78a64d86ca774c848

    SHA256

    8ccb569dad7b8f23ccd298335d590819d2cdffe6709c11f103aa6acda3c4d877

    SHA512

    e5747af6cdf373d3aeb71ec98991ec1bbadb27840be0a56475b4b18323590da23533a49f62c8d06754af3eabb253f4feb015b2f6c124629988a80753a302fd53

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6ba05bd91776fbd99ab4e3c103beaa77

    SHA1

    ca929bc2be0e41f3c1a6b1f8a7259ab0e45ddfdf

    SHA256

    4d80aa3d8b8f4f3663a47790d821116d020f48443caa8fcf51a6c2f13874734a

    SHA512

    0402f56dcc96e35cf2b070bf1111d3c54f9b4f9e0a85c468572c8393f038fb93cb926286d40eaa2c9bc63faf6e06db84cefbf778db2b2c0499699a31907d68da

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    12cc83cfe5d3e86dda37ce34065db454

    SHA1

    deff178a5b865334abffa3e3a78f39be615ea3e5

    SHA256

    754f0244b63967e97c26d740f0d20d3fa2db77a9a69ef5b5e27e3ea68eb05d78

    SHA512

    b81b9eb6daa78d972c1a88344b7cfb867d65d76934c47c1645489959366b787e28bd6d2099dcb80e883d7bda9284f6234d40015081a428ab79ee3854c5677282

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f2cc89a111025fa54fa0a8f56458e821

    SHA1

    947fa90509790b5a6880e6f7123b90e956bddd45

    SHA256

    599b57e119bef93b97216285ac3e163d916431fd8e278a171dfdd5e38e8c6cd7

    SHA512

    c575ca2ea6e2a90442c1fcae12acc47ed3c0a2572765e2ba4f81483e8ad53cd3928cfdf8b872a923f9d8e09bfc32b4a1f0c3aeb46206cd6ecf9839e419e4019d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    08c464c3cfb706941203546c15d61fe1

    SHA1

    2c945f02ab386d312fbe88ba61b17e9032f7583e

    SHA256

    8e0cca5021acaeb674ebffc955c38be539320d5fa432ff0926bf774eff4016f9

    SHA512

    ad889d3e0b88d3a100b2a16e5638f76324b8cc6e23b30739fb7e07c470853ae013895577b650481002932474093ee2eecc79609612f2e50d3ae798b9d0fa357c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    23862f8d4b4a386f3ec3be22a45032b0

    SHA1

    48d76756b1918f56951ab80cf57fd10695858a5c

    SHA256

    eb6a2aec36ecc59deb2b0768d3881a5c807db0cb305d2c975df34fd7e99ec5cb

    SHA512

    4e67a525d214804ef490ca608358d53a143dac85b1f1aeb6f6344584fafe0e10779a9ad3220f158927545f8fa9f037b85fe8e60bbd8f43f8dd9131eca22fd235

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d8da6af30a587049d63f72fae89bc23f

    SHA1

    458b983cd260837d33607716d97dedcea57a0cb3

    SHA256

    8bb08f48c54f5efc24f905a5fddaaf71f00680a5a600efd46a02fc3814d8686e

    SHA512

    b9e3cb433a36ff0a3163cd26a50d70e4532f28020909a9fb17b32bb5810f4134d681dc3849646da30390ae898b88b647d2535554452271a8fa9ba789e76c587e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1f7bf321e13dc158b1df65302a1137fe

    SHA1

    a791e1421b824802f0dc461f30bb863cb774f4a4

    SHA256

    6fa0d4827ca93ec406877f4c754d354ff696d96d64d3d1eb69c8a08ecd6f6783

    SHA512

    12a275a6b66a8d7140c456340ecdfa72ae25ca37ade391c6c7ce39a805e9c19411513eef5649256f96b2d063bcde660d7b05c048a00b815955a930aee4333be3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE86F.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE8EE.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\system\nbhsyh32b.dll
    Filesize

    118KB

    MD5

    ad353f16bb0abfea48b218d52eed7821

    SHA1

    13244905005719c593711aff82fbffcbdff46704

    SHA256

    806248101f49de3a1fbd58c9475f7ce0227b9ec286d9f738e6f7975cfcc2004c

    SHA512

    1afbbfb8df4230bbdda15f2e7689cc4b839e02b5ac11418299be96400a156ac6965c8c8602eea912deea3a8ba9b7d450b2c31bb7696e336c72bd25f32568f8f3

    Download Submit

  • C:\Windows\system\zhahss081216.exe
    Filesize

    71KB

    MD5

    8545d00334e198ef9e858586c45b78c1

    SHA1

    ad7846039de0163ef3bbaccf8e22bd506f8ff2cc

    SHA256

    a41422a859b3cdbc59032046a034973274e0ad26d6eda7e23bae790f88e3f7d4

    SHA512

    989fa41d82fcfa051588f7244470e06c14203b21e75494d06ca635ab596896431431afd9ee633d0dc3b26ad4b7dbad451d2894eddc0b40824e7a2cfabe8f3ce5

    Download Submit

  • C:\Windows\system\zhnahsdf081216c.dll
    Filesize

    28KB

    MD5

    feeda2bf6726950a2c7b935f1f715bd2

    SHA1

    c9ad17c561c44d0bcb07b8782cd2ab9951d74ab3

    SHA256

    39ed600dcd9e5bf438bd1b90626bdc978a5d78afa3e567107ae7750ea4bb0532

    SHA512

    e6e0b2cfa0649f71095eea9f7cb939c4b8535fc1d5c9693d4c167164d60393a4cc9eeb753c828fc8571ecf40a7021f4c8b5326f9eb36dae5866bc6f27f49c92f

    Download Submit

  • \??\c:\zhqbdf16d.bat
    Filesize

    48B

    MD5

    f9b63340821732540490fd995249cce1

    SHA1

    4bb6fdca753ef7dd14d6ca9aec09d0338bc4f24b

    SHA256

    c61895d622f8a6a0fc5faaeb3e70e06dda4750773576071f658cdf8048d8f308

    SHA512

    fe0b63c2ae8174696207d9b121f1eebf5543999dc489c7b93d8e571f6db7a7d3b1c7c604551590991124802bd69f4d725413082aa546b1359e7baeae915ed739

    Download Submit

  • memory/2944-474-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2944-21-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2944-40-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2944-470-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2944-804-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2944-806-0x0000000000130000-0x000000000013D000-memory.dmp

    Filesize

    52KB

    Download