006e3822bd34991d969220d050e1ac50007f8f642b4c25f69c0ea112aa218722

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Size

17KB
MD5

a9a6178d60a2a953daeed9e28f9ebc73
SHA1

2c42d3cb2d056d63069a6e0d5fbb1c0ef37f2cf1
SHA256

006e3822bd34991d969220d050e1ac50007f8f642b4c25f69c0ea112aa218722
SHA512

1520a226b22e5197f4b6c0204216ea627b423c88192416f2accfa4e8292d81ea7f1117fdf4417a9a96e526af0c541d86fb74dbf0a1bf303f0cb4af98a7c6154e
SSDEEP

384:H5iFBXU6XXjuDIKkziVam9BvkLflwMrZwaNJawcudoD7UMx9:8BXUQuOz+am9BWljnbcuyD7UMv

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2580	coiome.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe"	mshta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	coiome.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File created	C:\Program Files (x86)\JYH.hta	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1056	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2776	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2580	coiome.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2024	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2024	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2024	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2024	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	28
PID 1820 wrote to memory of 2272	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2272	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2272	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	29
PID 1820 wrote to memory of 2272	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	29
PID 2272 wrote to memory of 2776	2272	cmd.exe	31
PID 2272 wrote to memory of 2776	2272	cmd.exe	31
PID 2272 wrote to memory of 2776	2272	cmd.exe	31
PID 2272 wrote to memory of 2776	2272	cmd.exe	31
PID 1820 wrote to memory of 2580	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	33
PID 1820 wrote to memory of 2580	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	33
PID 1820 wrote to memory of 2580	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	33
PID 1820 wrote to memory of 2580	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	33
PID 1820 wrote to memory of 2872	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	34
PID 1820 wrote to memory of 2872	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	34
PID 1820 wrote to memory of 2872	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	34
PID 1820 wrote to memory of 2872	1820	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	34
PID 2580 wrote to memory of 2944	2580	coiome.exe	39
PID 2580 wrote to memory of 2944	2580	coiome.exe	39
PID 2580 wrote to memory of 2944	2580	coiome.exe	39
PID 2580 wrote to memory of 2944	2580	coiome.exe	39
PID 2944 wrote to memory of 1056	2944	cmd.exe	41
PID 2944 wrote to memory of 1056	2944	cmd.exe	41
PID 2944 wrote to memory of 1056	2944	cmd.exe	41
PID 2944 wrote to memory of 1056	2944	cmd.exe	41
PID 2580 wrote to memory of 560	2580	coiome.exe	42
PID 2580 wrote to memory of 560	2580	coiome.exe	42
PID 2580 wrote to memory of 560	2580	coiome.exe	42
PID 2580 wrote to memory of 560	2580	coiome.exe	42
PID 560 wrote to memory of 1940	560	cmd.exe	44
PID 560 wrote to memory of 1940	560	cmd.exe	44
PID 560 wrote to memory of 1940	560	cmd.exe	44
PID 560 wrote to memory of 1940	560	cmd.exe	44
PID 2580 wrote to memory of 2476	2580	coiome.exe	45
PID 2580 wrote to memory of 2476	2580	coiome.exe	45
PID 2580 wrote to memory of 2476	2580	coiome.exe	45
PID 2580 wrote to memory of 2476	2580	coiome.exe	45
PID 2476 wrote to memory of 1784	2476	cmd.exe	47
PID 2476 wrote to memory of 1784	2476	cmd.exe	47
PID 2476 wrote to memory of 1784	2476	cmd.exe	47
PID 2476 wrote to memory of 1784	2476	cmd.exe	47
PID 2580 wrote to memory of 1068	2580	coiome.exe	48
PID 2580 wrote to memory of 1068	2580	coiome.exe	48
PID 2580 wrote to memory of 1068	2580	coiome.exe	48
PID 2580 wrote to memory of 1068	2580	coiome.exe	48
PID 2580 wrote to memory of 1368	2580	coiome.exe	50
PID 2580 wrote to memory of 1368	2580	coiome.exe	50
PID 2580 wrote to memory of 1368	2580	coiome.exe	50
PID 2580 wrote to memory of 1368	2580	coiome.exe	50
PID 2580 wrote to memory of 2380	2580	coiome.exe	52
PID 2580 wrote to memory of 2380	2580	coiome.exe	52
PID 2580 wrote to memory of 2380	2580	coiome.exe	52
PID 2580 wrote to memory of 2380	2580	coiome.exe	52

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1940	attrib.exe
1784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\JYH.hta"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JYH.hta

Filesize
780B

MD5
cfae0efb683986503bb789616bad8b55

SHA1
9325f503e9c4d97a7d06d81859f73d245a974753

SHA256
8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8

SHA512
e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c

Download Submit
\Program Files (x86)\Common Files\sfbsbvx\coiome.exe

Filesize
12.0MB

MD5
b62fb28593fc1384c05c5180655beaef

SHA1
50d482ec65dd445e7109decd6e8b5967663a7bf7

SHA256
719daa6e27a70d0f73c6b8b0ec2f43ed94b5fb8f08ef5aaa6c67c976ccd23a59

SHA512
5c1bf99422f039e46c2fef86f7bdd971c2dede671eaaae7a25412e3b868f93e166efd6a9f8df4177503b747ef95eb8c4b0ddeb9d269392c8b15ecee699810f27

Download Submit
memory/1820-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1820-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1820-9-0x00000000002C0000-0x00000000002CF000-memory.dmp

Filesize
60KB

Download
memory/2580-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2580-18-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads