006e3822bd34991d969220d050e1ac50007f8f642b4c25f69c0ea112aa218722

Analysis

max time kernel
142s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Size

17KB
MD5

a9a6178d60a2a953daeed9e28f9ebc73
SHA1

2c42d3cb2d056d63069a6e0d5fbb1c0ef37f2cf1
SHA256

006e3822bd34991d969220d050e1ac50007f8f642b4c25f69c0ea112aa218722
SHA512

1520a226b22e5197f4b6c0204216ea627b423c88192416f2accfa4e8292d81ea7f1117fdf4417a9a96e526af0c541d86fb74dbf0a1bf303f0cb4af98a7c6154e
SSDEEP

384:H5iFBXU6XXjuDIKkziVam9BvkLflwMrZwaNJawcudoD7UMx9:8BXUQuOz+am9BWljnbcuyD7UMv

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	coiome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe"	mshta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	coiome.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File created	C:\Program Files (x86)\RMN.hta	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1580	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4492	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	2024	coiome.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2272	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	84
PID 3372 wrote to memory of 2272	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	84
PID 3372 wrote to memory of 2272	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	84
PID 3372 wrote to memory of 4844	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	89
PID 3372 wrote to memory of 4844	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	89
PID 3372 wrote to memory of 4844	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	89
PID 4844 wrote to memory of 4492	4844	cmd.exe	91
PID 4844 wrote to memory of 4492	4844	cmd.exe	91
PID 4844 wrote to memory of 4492	4844	cmd.exe	91
PID 3372 wrote to memory of 2024	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	97
PID 3372 wrote to memory of 2024	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	97
PID 3372 wrote to memory of 2024	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	97
PID 3372 wrote to memory of 1980	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	100
PID 3372 wrote to memory of 1980	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	100
PID 3372 wrote to memory of 1980	3372	a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe	100
PID 2024 wrote to memory of 4816	2024	coiome.exe	102
PID 2024 wrote to memory of 4816	2024	coiome.exe	102
PID 2024 wrote to memory of 4816	2024	coiome.exe	102
PID 4816 wrote to memory of 1580	4816	cmd.exe	104
PID 4816 wrote to memory of 1580	4816	cmd.exe	104
PID 4816 wrote to memory of 1580	4816	cmd.exe	104
PID 2024 wrote to memory of 636	2024	coiome.exe	105
PID 2024 wrote to memory of 636	2024	coiome.exe	105
PID 2024 wrote to memory of 636	2024	coiome.exe	105
PID 636 wrote to memory of 2368	636	cmd.exe	107
PID 636 wrote to memory of 2368	636	cmd.exe	107
PID 636 wrote to memory of 2368	636	cmd.exe	107
PID 2024 wrote to memory of 1832	2024	coiome.exe	108
PID 2024 wrote to memory of 1832	2024	coiome.exe	108
PID 2024 wrote to memory of 1832	2024	coiome.exe	108
PID 1832 wrote to memory of 4576	1832	cmd.exe	110
PID 1832 wrote to memory of 4576	1832	cmd.exe	110
PID 1832 wrote to memory of 4576	1832	cmd.exe	110
PID 2024 wrote to memory of 2132	2024	coiome.exe	111
PID 2024 wrote to memory of 2132	2024	coiome.exe	111
PID 2024 wrote to memory of 2132	2024	coiome.exe	111
PID 2024 wrote to memory of 3236	2024	coiome.exe	115
PID 2024 wrote to memory of 3236	2024	coiome.exe	115
PID 2024 wrote to memory of 3236	2024	coiome.exe	115
PID 2024 wrote to memory of 3768	2024	coiome.exe	117
PID 2024 wrote to memory of 3768	2024	coiome.exe	117
PID 2024 wrote to memory of 3768	2024	coiome.exe	117

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2368	attrib.exe
4576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\RMN.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\a9a6178d60a2a953daeed9e28f9ebc73_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe

Filesize
12.0MB

MD5
9b91cf028d266e1b962022e610a99b25

SHA1
f2764ef3c0482c277c9b1d3bbf9ebb442b1bcb0e

SHA256
1a0cf30a91fb092c5792d14dd0dafa6f7e61d1ff1b59de9fa2944d980d909630

SHA512
ee4867a9137ee8c84e8287db8bfb11cf90c0eb7ebe4c9c66ea8c4cd67b89e9578a3d019fbaed0d3da4464f6e80c1d47fbc189b793005430030233a4e0f3d7273

Download Submit
C:\Program Files (x86)\RMN.hta

Filesize
780B

MD5
cfae0efb683986503bb789616bad8b55

SHA1
9325f503e9c4d97a7d06d81859f73d245a974753

SHA256
8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8

SHA512
e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c

Download Submit
memory/2024-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2024-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3372-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3372-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads