Analysis
-
max time kernel
144s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20/08/2024, 21:47
General
-
Target
b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
-
Size
168KB
-
MD5
b0f6f38e4b86506db3693830c859086b
-
SHA1
eb4a26d8fe794f5a16700d0c91def7117c4ab98c
-
SHA256
39294884fcde06ac7e3bb2a9eab94ecf6e8ab5f5119e77b420a38c5cd0c634ea
-
SHA512
c205885d3e89a5777f785e26f6e01ab6f99f050ed8170ff153fb94529505eb4464f9596f43b2e6d1e5b326e0a914267b4d39ca3b5a6f70c3564c3ab1d1d90577
-
SSDEEP
1536:KgIM5N4czoLRpCt98SaE4cku5V72OXZR1VuCEWWAEbIge3+T:7BeRzSaEkuj728ZR1VuzWWpF
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\julia_fun219.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlBD5.tmpC:\Users\Admin\AppData\Local\Temp\inlBD5.tmp2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B0F6F3~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD556549c84d7a957254335210e4f1ca51c
SHA1a37fa510e1d45ffb36c2fa77533c3550d0ce098c
SHA2565fcf6702b130d29a455dc7230428a6594d971ea410196057736a961216f95744
SHA512b0af71897802a36d5ad5ad2114059d511f086e5594bdb8042414d72f11d0b911f5846e1a7ca1367058da65c097695cd383938b693262b7bf02b41c1e499beef4
-
Filesize
342B
MD56f3081c972b3d6958375e4fdba9842ad
SHA1fefa13528e5cdf69353e49c7382722303a5e06bc
SHA256e1ed4ed4bbc96a7dd61c268dd50696da7321709552ab4eb62e4a4bf4836c8738
SHA512e56855d750fc2d52f5ad9b76331872be3330a681ffd2ba7662b1616669b1a2cc0d00227dd4c4447668bd531c50e3faac4a80cd3b1ae1943a56247deafadf7fdd
-
Filesize
342B
MD5f72e995c1431207e5bb15d1aad2eddb9
SHA1a2366a515797fe120b77dfb09e02ca7a34ebaf68
SHA256e5ede669766d2285db04d725b8c052039a625570e9790c54882aa0a3f9c0bc60
SHA512c5a35728702a1f9fda46d3bb471c09c1c7bff30cda861725334f4b669cbfb2d788848a9243512170e29d70a8030dd3a89eaa074da3ead3a5021e2331d38d1a1e
-
Filesize
342B
MD555f2c41438e1f6fd25dd07a6adb34693
SHA195b99a27d550d01a10748e850ce39ab503359897
SHA25669893bc034fc183418e6af195424dd44dc4342fb788723d700b1185752d76a15
SHA512d54c260ce472c22cf992f53dfa31563a8c1aa137a4897e7b946401980c20ee20cf1b0b0eb125cf54363cf10c9e7721b3ecf1b5171cbe2e5a8b44cbd395db8dd8
-
Filesize
342B
MD5dcd1d1edf62ede38d83040ecaaf966d2
SHA154f35c37293f2389c7d8f08a06410d87794dba7d
SHA256eaea659172488d469f97c9a68320164b19e35d51f482fac5699b560baba20e9e
SHA512ad4c3905c662e7dde736d51989ccbfe3186c84922e3b46eb156b7b45a6f8616dd1756345cb632c2eca18f322606e35a1e1b8b0cbcc72e39fd90125d4f0266df9
-
Filesize
342B
MD55777fed784362153e8fbd7949679054b
SHA17b0b7022f7139aff65138324dd5e0b9ea6b23858
SHA256df6edbf4cdbc6086c31c4e94e5d9b00d30d7ef59d030905c12d7a6889783f999
SHA5129e23628ae3c005ea213ad3f47d8b90875466ec545291234ce962ec7ca0c2bc78f298ce5d6b61eae37e18571169fc63e3e38a1502b44a6d32cbcd391585f167ae
-
Filesize
342B
MD5146761c84801e647224d1665405ca27f
SHA12fc335874ced5d918c9f2fda20451f9eec37c7c0
SHA25611138a03739c0d644e4e2496b33c7c2c05d62490bf6e5e08f4e57df55056f26f
SHA512d9deee29f74ca2035fbe7c2fbc61bba3fa995ceffb6a43f8e0ba84ea730ee710f99376d73ce44e8335842683e15d495aa60621bbe1746be0c1c3bea3a103bb6e
-
Filesize
342B
MD5fb159b0c8f8f1dbe0e454fc9595daf8e
SHA19cd1462ef5057567dd571284045fe79395f54115
SHA25674f2490fce7d9b6d9c1152f555c6db7194c5588282b42eba8d2fab8f34c0c5c7
SHA5123e7bdaa504015d7ec0a19d742afa692f6283158a8f84dcc348f7fe05839594ac76c250b9862d81d00400b4517fb587a6640bee7b01ce272cf53c4fd5a5938d3b
-
Filesize
342B
MD51e2f9ab4aac7d83ae32f547c020aa86e
SHA100f5d8516c08615b5aa9342fafaf1849bac6144a
SHA256576a71d84991cb87562163ad6b5237a03b4398fe6bfa8f3c67e31955e12d414a
SHA5128b81ccf5b6efb3e19e57383f2c4a445e9e7defbe893241f53cfd9ac9f5225674f610b6977c9216d89c80064240147addec3ebba5ef9d6055c7a7d3c995eac2e1
-
Filesize
342B
MD50caee91ea8fc1343661f486e81a8a29d
SHA1a79535e8cf929f9f64db6b0847eabdc786c0ceaf
SHA2568c0c567d866033f0875e13af15aa3edefa981d28fa8405f8f6e4a47d4c0c121c
SHA5123415dddb5b641bf649a0457e70228e5191581d03adc61cc62a7a561f9130b2f0af4db5b5cf2f2c520ce7d326c8b7b1e44508a4e71ab0fbd2223e947d28ba5d63
-
Filesize
342B
MD501b8cdeb2fc6c50bd7700768e253704a
SHA17015382675f7f304a15daf892ccd0f4fa890cacc
SHA256cab85ad08d59d7a007792f10213fa4125ed365a811798792a3a6970f7d18eb0e
SHA512fddbfd7f3fc2ac2b3faf4c9d1cea21618b1b43579bfd2e5086d6f5eee79e124b33d3f389e69630c1399087e5f85a523c24a71bd70ccd5b533ac6ffb78d73d98f
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
660B
MD5d980f89e4088711df685a0aa09e8f5a7
SHA1dde805f4fa5e016e122e4240e20ff844113717d7
SHA25628f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09
SHA512fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9
-
Filesize
3KB
MD5286fe459674aef6eee17f6ac79a15fdb
SHA1233dc43099c575a67b05fc1076e676324fd6e63d
SHA256872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2
SHA512c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5d4917ae9072a10d8e12ef3b282b25b3b
SHA1bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA2566f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
12.3MB
MD5ae9300f03a6d2e49c898280284d8d74f
SHA16474c770a4054910bf90d8815644d0be4b57e3af
SHA256aebff64a27473f65e988ba96056c9fdae9fb256990b58a7920c935ce6a38b5c1
SHA51207bbd545e940854b70e0028e84d1c2e25bb8ea185d9e89fcb2ee929436cfb44c505082b997605c7c1a7cfc161b2bb9918935d21b4167958aba4ff9cc86366f6b
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB