Analysis

  • max time kernel
    114s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-08-2024 23:47

General

  • Target

    a8b93f9a70b9a014d93c23cff9a0c458_JaffaCakes118.exe

  • Size

    56KB

  • MD5

    a8b93f9a70b9a014d93c23cff9a0c458

  • SHA1

    c577079c6a5fe110ec2512ea4b372085c975522f

  • SHA256

    b5044b9badd453f27b8ccb413a837ba33eed8a1ed2efb988d8178b006ffafcc2

  • SHA512

    277734e896e74e2633ae85b7027293b4be6f1b4c3b554eaf6ea8490b5fdd58d4877b9d5e941ae4d9b76c6406a237274c7cea60a04c8ad693508eeab349478de6

  • SSDEEP

    768:6vkte4tpeuKbdsgIrSvrqZjHfJDyRiB96XN/aiY2+b2Io4uu1QuX:Ik446hsdrSvrahyHJzydoNuT

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8b93f9a70b9a014d93c23cff9a0c458_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a8b93f9a70b9a014d93c23cff9a0c458_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3396
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v Start /t REG_DWORD /d 2 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Windows\SysWOW64\net.exe
        net start schedule
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 start schedule
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1540
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /TN qqupdate2 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2652
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC MINUTE /MO 7 /TN qqupdate2 /TR C:\Windows\system32\KB910620.exe /RU "" /RP ""
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://a.8d9a.cn/1" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        PID:212
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://a.8d9a.cn/1" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        PID:2196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r "C:\ProgramData\..\*Internet*.lnk" /s
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1364
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1208
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R "C:\Users\Admin\Desktop\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R "C:\Users\Admin\Desktop\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1028
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3128
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3532
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3452
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2080
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2340
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3664
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2016
      • C:\Windows\SysWOW64\attrib.exe
        attrib +R "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Explorer.lnk"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1892
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command" /t REG_SZ /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://a.8d9a.cn/3" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1084
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1960
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /F /v "First Home Page" /t REG_SZ /d "http://a.8d9a.cn/2"
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:4336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Explorer.lnk

    Filesize

    995B

    MD5

    52c0fbc774e0e52b32604052e8d4b9e3

    SHA1

    1ff44159f16e99a89bba34321403d006e4011d37

    SHA256

    38351ac8efad3a9991a400ab38c10ed66d213a9ae53406247a85eeec5e7883a3

    SHA512

    353d381f3d8c2522c829f66ca74eabc48c981772f615eb1c8a427b747933950b72f52323209a70f0373e8f3c53b3ed76df8d693d149f8662a840b7be8ab85609

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

    Filesize

    1001B

    MD5

    32e32fe4016525e28071c5b6f92212ce

    SHA1

    542d64d5c28c4d93a1cb05a612157fec2491952f

    SHA256

    bc0f2b24cad43c8c726e8f971d537dea12975555b0d228c485b021684c0f47ab

    SHA512

    c1ef16574315f04ee4ed7bc8fd6f1aea8e399bc106b87b5c4ee08c325354dc2409a4582b97bfbb7fee3af82eb55123301f5d990782b3cde1e1b64f28da0c2f0b

  • C:\Users\Admin\Desktop\Internet Explorer.lnk

    Filesize

    971B

    MD5

    7a2370b056f8dd0b62d9370936fa361c

    SHA1

    11973d289837b9acb196dd087a33ef0b41c7c4a7

    SHA256

    d3c3fd2fe10cc63ed1ccde5de2758d749fd75ba9c06f3921fd6e5ba7ee4963bc

    SHA512

    d4f887798aafe19d2948d6093a855a99cc3ac619d68bb58301fbea259658affc5ab7b96ecf425b1e897e92a919d159170e4b1713298c55587566b1d9d8cf0878

  • \??\c:\1.bat

    Filesize

    119B

    MD5

    d5eff5318542c068259fbfeeb4a7bd03

    SHA1

    6b3c1767647b3cd4a152579748e1c2cc0993fbc2

    SHA256

    04ba7273397d8d56d774644850e3887f1086bb9a677a5f39994a330ead8f0b6d

    SHA512

    6f1019662ba0de02dcf04bc94dcf62b01a2023e0801cf4eb2bbfe09b665798046b2a07f90dcd7fbd120f67f400124396070f7beb3642da96698b63e76b55e582

  • \??\c:\1.bat

    Filesize

    95B

    MD5

    4deba2e1afc57c3caefe7eacb9ccd4b1

    SHA1

    c0743c17fd814bc646594b0287d2131636832602

    SHA256

    821fef0f852a845608c675dc408e2e907644f4a362defd8ed1d5103cf6dd2432

    SHA512

    77de7a38e2e8d9d31fb6eef9e06df0b26dd7cd6d4a112eec624c794734d60d18fa1ccaaad6fa184ffd4e407c21a236424842050a6a51625457d883954d36ef3a

  • \??\c:\1.bat

    Filesize

    96B

    MD5

    94412e25be29f7e1659e31c8ab2be5bc

    SHA1

    495b262ae0000fca51bf676a267d8327ebcb14c4

    SHA256

    a48772d7ce7ac9f3bd9a7b3798d50904bcd8acb6dedcf551f6d42ae5b03ae812

    SHA512

    65ba8041b956f1e0a8fde3f3c7e16cc9acd8a49c22dc2e81db5d7e6bcff887c83b7c26b0fa3914876f209401b3aebc33bbf20673eceefe55b9c43789075fcff5

  • \??\c:\1.bat

    Filesize

    168B

    MD5

    9f952c697cca8a5a08742ab5aec244fa

    SHA1

    275bfd43e15add75f8b44253f20d81f0b2ccc546

    SHA256

    9cf01ab918ba2c8f9cab253314e9c9a1a4aaef30120a7a369f70666ce9ee9a70

    SHA512

    429ecbd81f25a8b80f8b5d56686378e0a146e8d09bf2aea3c4133d6ccfa312a03af2ef2bf49bafe1453029808ac397c432fccaf8a09fe03fe1d3b3bff6c9f768

  • \??\c:\1.bat

    Filesize

    116B

    MD5

    b8c989aef23b16baff458f4f6bb701d5

    SHA1

    c6e563d41681923d341f6586166ab1095aff6aec

    SHA256

    6bd1b839bb9dcdaacd497638949c02313124f9aaa874fa87702e9708267f9aab

    SHA512

    be748332001f191d5988b7428d05801a6f5f4dca0831c74bcea200a9dd4123ff5442b1a5a34e0b9775b4649cc9524b91f30500ba85206b816fe1a7831d835dba

  • \??\c:\1.bat

    Filesize

    326B

    MD5

    4a5179c619f3bde2beb653a994590bc6

    SHA1

    756e4a78a8951118a747135d2c1c6ba7b2df6d40

    SHA256

    b39f4e7fc3e2f4b81d95420fa51140ae6e2f8d067f5712d230bf94466a4d6dbf

    SHA512

    e287dee90ece8fb15b206185809ca1f1fbbdba5c24d0328b36721e6938967609364f65204c4692cdf9aa3ba1178b90e6fc3a779d46679388b24b272dc5791a39

  • \??\c:\1.bat

    Filesize

    332B

    MD5

    dc51b834f2165f40fd6a65913bd54f98

    SHA1

    c4ae18ef4990413edd6d0676f995655ecf1cc55c

    SHA256

    dbe9750aedbd1782a3dbe7dcefe5442e4fad53a3971e347eb507d695a1bceadd

    SHA512

    e974751f03b53bf989865eca2ca8e35c9cba8e7df5723ff558bad49a033fa418b1aa824346bbb717f266cc4b9d831cbe60debabea0e413134a39bb69a8bb6a2d

  • \??\c:\1.bat

    Filesize

    58B

    MD5

    55fb781df473de54f3b30a665d6397df

    SHA1

    18f8994676c19267a2096171497b97f89fe30547

    SHA256

    1e053d853b10a5a9a9dc44031ea6ea83cc04b5333a4a497f67e5048da24c4f47

    SHA512

    b7370f5f3935b0d72c04e45184317116f39f88c75a21c003a598d5747f02aacc8232bf51c59c565f0e1af9909c65e562fa022e06047baa6cc412a6a02f164140

  • \??\c:\1.bat

    Filesize

    104B

    MD5

    bcbf15dad50c1e05bb71e7f71cc50605

    SHA1

    7ebd72d4fb0e0b3b900fabbf8e20879daf1c3a3c

    SHA256

    f17536ce9310dabc67a7d77f3dda7f558df8a7ec020a28c4f5ad49a4392ef274

    SHA512

    9770f4732b503c5748081c8bd83ce94b678b491a54cb79d7fd66d6056ae73ba70b7ccd7689fef4dd3ad55c76ac0d424e83247c176cb5678438e7613b347c866f

  • \??\c:\1.bat

    Filesize

    59B

    MD5

    2795473ff56ab7ea5a83a15d49c3ea7d

    SHA1

    213d5df664c9a647f50ccf0ba12b811dffc39683

    SHA256

    e8b333df378cc32fd4bc7e5ec5a6c6fcf8dde7b5247f9ec285542c9f35f91a3f

    SHA512

    b0b99165e1960d70e50ccd22810d4a78aa076e7d768338dff2360337593aeb9d36edab7a57a670f902b1127a60ebcf0c198b178030776790d247611f3ead5c1c

  • \??\c:\1.bat

    Filesize

    105B

    MD5

    d3a377597d24397eeda92cc1adc7f454

    SHA1

    8abe4122390fb6c723313e598ac5e1c068d39523

    SHA256

    700364031cf29de88137cf296f852dd9a2841276bf98c7b1d38e0bae42893c76

    SHA512

    a50f339d6587739f936b649381bf958227155abfb90fd991aa36043cab997af3b60e03998b368b7aadc3e2b7df34fa04f5dcdbc7ab1fbe927612606be2f68535

  • \??\c:\1.bat

    Filesize

    120B

    MD5

    bf2fd75fb430508a639dd722e4b0e03b

    SHA1

    bdf58481ee453fbab4099cdf3985d513d445eef6

    SHA256

    cafa362f29d45543c27935a2e14207803fce1850662d1068f9ef05eccdd2bb2b

    SHA512

    ce65e326921083282de45a6d98199af421bf9ed0243b973de55b78157245920304c58d018a516da1b8515289071022a0cab0761800731b8dab5570580481cde0

  • \??\c:\1.bat

    Filesize

    132B

    MD5

    2f3aaae300791512a1e034513fe2b1fa

    SHA1

    24adeff67ebc673e0791a144e1a0ef550232e079

    SHA256

    70ed510e6a669b3cf7807c86169e3297d7b6bac0edf5786cc33e893fa1d34ed0

    SHA512

    ec99cb5cd855eb755368064aa966bc91c316780bd3079f0c5cd5defc450dd55f91d54f8d602a1c4bba1d0560a80b7fd1f0fcf522247ec86076f931500dec90d5

  • \??\c:\1.bat

    Filesize

    245B

    MD5

    b1e610d00294085ff0166fe2fb81748d

    SHA1

    13ffd4e440ce6e23f90a07331079e7b7d4f79756

    SHA256

    8feb9f65f2e3d85332fb5d376f0592d3c913b12ec9721d2b2482434462ef88f0

    SHA512

    77eb44d16cc012e4604801c29f58815a927410e2154bfdee4f56f1a117c9fa0790ad6c8465ba914099ee5fbb8470e445f828750a99837871dfb92f6d723992d0

  • \??\c:\1.bat

    Filesize

    222B

    MD5

    c5eb34c23c8cfe6040231551a9a3599a

    SHA1

    11d975ad7acf209d42767255691dc5f16d70b4cb

    SHA256

    7aee6f2c0263e8712eb2c557e7951eaaea6a14d4ded2ca3bc769c3849aff0099

    SHA512

    cf9109b9910650ffda8639caf41b0cf59e9a1bb4a709725a06efc3fc824bc680889704795b62f66d29c2567113a6f2628c7d49181ca48ac5d7cd466baea3b5a1

  • \??\c:\1.bat

    Filesize

    196B

    MD5

    0022713363f3e6dab01c79bdea2de586

    SHA1

    673d120abac59809a511ad1c21015b5cd4390861

    SHA256

    6039a3dc1037f9d8cfbc280572b2b316747e1f46b2b4c4b294b05642d2d62ecd

    SHA512

    e1be058285d6816b46adfdfde37fdc7a8a5fb81917be80dcb860def96fc8745dacca5a424f8f329baa13ac0622567ca71f64636cf7638d3c15409087b6f52730