Analysis

  • max time kernel
    146s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/08/2024, 20:45

General

  • Target

    94a9a1a4dba2c17a0d445644dee5bf7a_JaffaCakes118.exe

  • Size

    19KB

  • MD5

    94a9a1a4dba2c17a0d445644dee5bf7a

  • SHA1

    0a011919af413d3c455eb1f9bfceb371f0ee8f2c

  • SHA256

    34636c4bd4f06c6b93f5c8d261d92e9fc47fa7181a3d6e17bd351ca293b820ea

  • SHA512

    2038a590783e016a4ee4c5461077ca80cb4b6c6f4749b073edc3d95dff98385bcfcb3adf727c8bef4da6891c992ee33d385db81e8d02f00ee3993e55c631daea

  • SSDEEP

    384:AmvZ/WZ7OLon28o0SWqXRtrwuV3uIOF+oHFM5HU7QDaNJawcudoD7UIw:Ag/WZ7O6No0lq78uV3xOF+olMxUFnbcB

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Stops running service(s) (4 TTPs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory (5 IoCs)
  • Launches sc.exe (9 IoCs)

    sc.exe is the Windows command-line utility for controlling services; here it is used to stop and delete them.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 32 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill (3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 1 IoC)
  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\94a9a1a4dba2c17a0d445644dee5bf7a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\94a9a1a4dba2c17a0d445644dee5bf7a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\IVQ.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im coiome.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im coiome.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
    • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
      "C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete JavaServe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\sc.exe
          sc delete JavaServe
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4412
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im iejore.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im iejore.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im conime.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im conime.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\SysWOW64\sc.exe
          sc stop LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop Messenger
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\sc.exe
          sc stop Messenger
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete Messenger
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\sc.exe
          sc delete Messenger
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:4984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\SysWOW64\sc.exe
          sc delete LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3244
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop IE_WinserverName
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\SysWOW64\sc.exe
          sc stop IE_WinserverName
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2336
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete IE_WinserverName
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1440
        • C:\Windows\SysWOW64\sc.exe
          sc delete IE_WinserverName
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2460
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3308
        • C:\Windows\SysWOW64\sc.exe
          sc stop HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:3240
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2440
        • C:\Windows\SysWOW64\sc.exe
          sc delete HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1836
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4844
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5008
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1988
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\94a9a1a4dba2c17a0d445644dee5bf7a_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3844
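The process tree above is a compact tampering chain: mshta.exe running an .hta dropped into Program Files, forced kills of competing binaries, sc stop/delete of five services, cacls denying Everyone on two directories, and finally cmd /c del of the dropper's own image. The following is an added detection example, not code from the sandbox report: it replays the PIDs and command lines listed above as constructed Sysmon-style process-creation events (the intermediate cmd.exe hops are omitted except the self-delete one) and flags each behaviour with a rule. Field names, rule names and the `ProcEvent`/`Finding` shapes are my assumptions.

```python
"""Detection logic for the tampering chain in the process tree above.

Added example, not part of the sandbox report. The events below are
constructed from the PIDs and command lines the report lists (Sysmon
Event ID 1 style); field names and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SYS = r"C:\Windows\SysWOW64"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\94a9a1a4dba2c17a0d445644dee5bf7a_JaffaCakes118.exe"
PAYLOAD = r"C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"

# Constructed from the report's process tree (same PIDs and command lines).
EVENTS = [
    ProcEvent(3608, 1, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1472, 3608, rf"{SYS}\mshta.exe",
              rf'"{SYS}\mshta.exe" "C:\Program Files (x86)\IVQ.hta" '
              "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"),
    ProcEvent(4556, 3260, rf"{SYS}\taskkill.exe", "taskkill /im coiome.exe /f"),
    ProcEvent(872, 3608, PAYLOAD, f'"{PAYLOAD}"'),
    ProcEvent(4412, 2200, rf"{SYS}\sc.exe", "sc delete JavaServe"),
    ProcEvent(5048, 5056, rf"{SYS}\taskkill.exe", "taskkill /im iejore.exe /f"),
    ProcEvent(2056, 1748, rf"{SYS}\taskkill.exe", "taskkill /im conime.exe /f"),
    ProcEvent(740, 3188, rf"{SYS}\sc.exe", "sc stop LYTC"),
    ProcEvent(3076, 2176, rf"{SYS}\sc.exe", "sc stop Messenger"),
    ProcEvent(4984, 3280, rf"{SYS}\sc.exe", "sc delete Messenger"),
    ProcEvent(3244, 5116, rf"{SYS}\sc.exe", "sc delete LYTC"),
    ProcEvent(2336, 440, rf"{SYS}\sc.exe", "sc stop IE_WinserverName"),
    ProcEvent(2460, 1440, rf"{SYS}\sc.exe", "sc delete IE_WinserverName"),
    ProcEvent(3240, 3308, rf"{SYS}\sc.exe", "sc stop HidServ"),
    ProcEvent(1836, 2440, rf"{SYS}\sc.exe", "sc delete HidServ"),
    ProcEvent(2212, 4844, rf"{SYS}\cacls.exe",
              r'cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n'),
    ProcEvent(1988, 5008, rf"{SYS}\cacls.exe",
              r'cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n'),
    ProcEvent(3844, 3608, rf"{SYS}\cmd.exe", f'cmd /c del "{DROPPER}"'),
]

SC_RE = re.compile(r"^\s*sc(?:\.exe)?\s+(stop|delete)\s+(\S+)", re.I)
TASKKILL_IM_RE = re.compile(r"/im\s+(\S+)", re.I)
TASKKILL_FORCE_RE = re.compile(r"(?:^|\s)/f(?:\s|$)", re.I)
CACLS_DENY_RE = re.compile(r"/p\s+everyone:n\b|/d\s+everyone\b", re.I)
HTA_RE = re.compile(r'"([^"]+\.hta)"', re.I)
DEL_RE = re.compile(r'\bdel\s+"([^"]+)"', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one Finding per event that matches a tampering rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        exe = _basename(e.image)
        if exe == "sc.exe" and (m := SC_RE.match(e.cmdline)):
            findings.append(Finding(e.pid, "service_tamper", f"{m.group(1).lower()} {m.group(2)}"))
        elif exe == "taskkill.exe" and TASKKILL_FORCE_RE.search(e.cmdline):
            m = TASKKILL_IM_RE.search(e.cmdline)
            findings.append(Finding(e.pid, "force_kill", m.group(1) if m else e.cmdline))
        elif exe == "cacls.exe" and CACLS_DENY_RE.search(e.cmdline):
            findings.append(Finding(e.pid, "acl_deny_everyone", e.cmdline))
        elif exe == "mshta.exe" and (m := HTA_RE.search(e.cmdline)):
            # .hta files have no business living under Program Files.
            if m.group(1).lower().startswith(r"c:\program files"):
                findings.append(Finding(e.pid, "mshta_hta_in_program_files", m.group(1)))
        elif exe == "cmd.exe" and (m := DEL_RE.search(e.cmdline)):
            # Self-delete: the deleted path is the parent's own image.
            parent = by_pid.get(e.ppid)
            if parent and parent.image.lower() == m.group(1).lower():
                findings.append(Finding(e.pid, "self_delete", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'service_tamper': 9, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def tampered_services(findings):
    """Sorted names of the services the sample stopped or deleted."""
    return sorted({f.detail.split()[1] for f in findings if f.rule == "service_tamper"})


if __name__ == "__main__":
    results = analyze(EVENTS)
    for f in results:
        print(f"{f.pid:>5}  {f.rule:<28} {f.detail}")
    print(summarize(results), tampered_services(results))
```

Run against the constructed events the rule counts line up with the report's signature counts (9 sc.exe launches, 3 taskkill launches). Two caveats worth carrying into a real hunt: the targets mix a genuine Windows service (HidServ, the Human Interface Device Service) with the XP-era Messenger service and names that are not standard Windows services, so the service_tamper rule should alert on the act, not on a name list; and the first cacls target is an XP-style path, which on Windows 10 only resolves through the `Documents and Settings` and `All Users\Application Data` compatibility junctions, so it changes nothing unless the directory exists under `C:\ProgramData`.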

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe

          Filesize

          4.0MB

          MD5

          3d14fc641fa747ae680e4737de412006

          SHA1

          ba73b566a0aaf3a10500ba57d7ca2cec84d99d30

          SHA256

          385d39ee54e4f21ccc2725601886ea19e9be3d6f5f19b5748aa15627be05b2d8

          SHA512

          563214dc34abf5919edbf990e56ced5c8149c4195a4a0efadb7a8fc172617ae988bf6049294a521b13ac98de2846d99de7372996c4c88f6ec3905f60c2f46070

        • C:\Program Files (x86)\IVQ.hta

          Filesize

          785B

          MD5

          74ccbce1e5800180a01fb299767e310c

          SHA1

          5eee44303a3800e0ac31a103538dccfe4ffa57b2

          SHA256

          7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec

          SHA512

          581385678a72de017f99b41d565d5acd8b2ffa322e20ae9489803b6043fe6696ccab38c43ae5583afda73cb3f33b4fa33813c543ffb4e34b17394d1ec6fae6c8

        • memory/872-12-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/872-14-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/3608-0-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB

        • memory/3608-6-0x0000000000400000-0x0000000000410000-memory.dmp

          Filesize

          64KB
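The Downloads list gives the hashes and drop paths of the payload and the HTA, and the General section gives those of the dropper. As an added example (not code from the sandbox report), the sweep below turns them into something a responder can run over a suspect host or a mounted image: it hashes every file once in a single chunked pass, compares MD5 and SHA-256 against the report's values, and additionally flags the dropped filenames and the `sfbsbvy` directory by name for the case where the file has been modified. The directory walk, the `FileHit` tuple and the name-based indicators are my assumptions; the digests and paths are copied from the report.

```python
"""IoC sweep for the artefacts listed in this report.

Added example, not part of the sandbox report. The hashes and paths are
copied from the report; the directory walk, the FileHit tuple and the
filename indicators are assumptions.
"""
import hashlib
import os
from typing import NamedTuple

# Copied from the report: the dropper and the two files it writes.
IOCS = {
    "dropper": {
        "md5": "94a9a1a4dba2c17a0d445644dee5bf7a",
        "sha256": "34636c4bd4f06c6b93f5c8d261d92e9fc47fa7181a3d6e17bd351ca293b820ea",
    },
    "coiome.exe": {
        "md5": "3d14fc641fa747ae680e4737de412006",
        "sha256": "385d39ee54e4f21ccc2725601886ea19e9be3d6f5f19b5748aa15627be05b2d8",
    },
    "IVQ.hta": {
        "md5": "74ccbce1e5800180a01fb299767e310c",
        "sha256": "7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec",
    },
}

# Filename and directory indicators taken from the drop paths in the report.
SUSPICIOUS_NAMES = {"ivq.hta", "coiome.exe"}
SUSPICIOUS_DIRS = {"sfbsbvy"}


class FileHit(NamedTuple):
    path: str
    ioc: str   # which report artefact or indicator it matched
    how: str   # "md5", "sha256", "name" or "dir"


def file_hashes(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file in one chunked pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_hashes(hashes, iocs=IOCS):
    """Return (ioc_name, algorithm) pairs whose digest equals one in `hashes`."""
    hits = []
    for name, digests in iocs.items():
        for algo in ("sha256", "md5"):  # report the stronger hash when both match
            if hashes.get(algo, "").lower() == digests[algo]:
                hits.append((name, algo))
                break
    return hits


def sweep(root, iocs=IOCS):
    """Walk `root`, hashing every regular file and checking names and parent dirs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if not os.path.isfile(full):
                continue
            for name, algo in match_hashes(file_hashes(full), iocs):
                hits.append(FileHit(full, name, algo))
            if fn.lower() in SUSPICIOUS_NAMES:
                hits.append(FileHit(full, fn, "name"))
            if parent in SUSPICIOUS_DIRS:
                hits.append(FileHit(full, parent, "dir"))
    return hits


if __name__ == "__main__":
    import sys
    # Default root is the directory the report shows the payload and HTA dropped into.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)"
    for hit in sweep(root):
        print(hit)
```

A hash hit is conclusive; a name or directory hit is a lead that still needs the file examined, since the page records these names only for this one sample.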