Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 21:47

General

  • Target

    b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    b0f6f38e4b86506db3693830c859086b

  • SHA1

    eb4a26d8fe794f5a16700d0c91def7117c4ab98c

  • SHA256

    39294884fcde06ac7e3bb2a9eab94ecf6e8ab5f5119e77b420a38c5cd0c634ea

  • SHA512

    c205885d3e89a5777f785e26f6e01ab6f99f050ed8170ff153fb94529505eb4464f9596f43b2e6d1e5b326e0a914267b4d39ca3b5a6f70c3564c3ab1d1d90577

  • SSDEEP

    1536:KgIM5N4czoLRpCt98SaE4cku5V72OXZR1VuCEWWAEbIge3+T:7BeRzSaEkuj728ZR1VuzWWpF

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b0f6f38e4b86506db3693830c859086b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\julia_fun219.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1192
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
          4⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
          4⤵
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:2940
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:2908
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2956
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2068
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2620
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2932
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1224
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
            5⤵
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1196
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              PID:2316
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2276
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\inj.dat,MainLoad
            5⤵
            • System Location Discovery: System Language Discovery
            PID:488
    • C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp
      C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlBD5.tmp > nul
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B0F6F3~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    56549c84d7a957254335210e4f1ca51c

    SHA1

    a37fa510e1d45ffb36c2fa77533c3550d0ce098c

    SHA256

    5fcf6702b130d29a455dc7230428a6594d971ea410196057736a961216f95744

    SHA512

    b0af71897802a36d5ad5ad2114059d511f086e5594bdb8042414d72f11d0b911f5846e1a7ca1367058da65c097695cd383938b693262b7bf02b41c1e499beef4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6f3081c972b3d6958375e4fdba9842ad

    SHA1

    fefa13528e5cdf69353e49c7382722303a5e06bc

    SHA256

    e1ed4ed4bbc96a7dd61c268dd50696da7321709552ab4eb62e4a4bf4836c8738

    SHA512

    e56855d750fc2d52f5ad9b76331872be3330a681ffd2ba7662b1616669b1a2cc0d00227dd4c4447668bd531c50e3faac4a80cd3b1ae1943a56247deafadf7fdd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f72e995c1431207e5bb15d1aad2eddb9

    SHA1

    a2366a515797fe120b77dfb09e02ca7a34ebaf68

    SHA256

    e5ede669766d2285db04d725b8c052039a625570e9790c54882aa0a3f9c0bc60

    SHA512

    c5a35728702a1f9fda46d3bb471c09c1c7bff30cda861725334f4b669cbfb2d788848a9243512170e29d70a8030dd3a89eaa074da3ead3a5021e2331d38d1a1e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    55f2c41438e1f6fd25dd07a6adb34693

    SHA1

    95b99a27d550d01a10748e850ce39ab503359897

    SHA256

    69893bc034fc183418e6af195424dd44dc4342fb788723d700b1185752d76a15

    SHA512

    d54c260ce472c22cf992f53dfa31563a8c1aa137a4897e7b946401980c20ee20cf1b0b0eb125cf54363cf10c9e7721b3ecf1b5171cbe2e5a8b44cbd395db8dd8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    dcd1d1edf62ede38d83040ecaaf966d2

    SHA1

    54f35c37293f2389c7d8f08a06410d87794dba7d

    SHA256

    eaea659172488d469f97c9a68320164b19e35d51f482fac5699b560baba20e9e

    SHA512

    ad4c3905c662e7dde736d51989ccbfe3186c84922e3b46eb156b7b45a6f8616dd1756345cb632c2eca18f322606e35a1e1b8b0cbcc72e39fd90125d4f0266df9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5777fed784362153e8fbd7949679054b

    SHA1

    7b0b7022f7139aff65138324dd5e0b9ea6b23858

    SHA256

    df6edbf4cdbc6086c31c4e94e5d9b00d30d7ef59d030905c12d7a6889783f999

    SHA512

    9e23628ae3c005ea213ad3f47d8b90875466ec545291234ce962ec7ca0c2bc78f298ce5d6b61eae37e18571169fc63e3e38a1502b44a6d32cbcd391585f167ae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    146761c84801e647224d1665405ca27f

    SHA1

    2fc335874ced5d918c9f2fda20451f9eec37c7c0

    SHA256

    11138a03739c0d644e4e2496b33c7c2c05d62490bf6e5e08f4e57df55056f26f

    SHA512

    d9deee29f74ca2035fbe7c2fbc61bba3fa995ceffb6a43f8e0ba84ea730ee710f99376d73ce44e8335842683e15d495aa60621bbe1746be0c1c3bea3a103bb6e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fb159b0c8f8f1dbe0e454fc9595daf8e

    SHA1

    9cd1462ef5057567dd571284045fe79395f54115

    SHA256

    74f2490fce7d9b6d9c1152f555c6db7194c5588282b42eba8d2fab8f34c0c5c7

    SHA512

    3e7bdaa504015d7ec0a19d742afa692f6283158a8f84dcc348f7fe05839594ac76c250b9862d81d00400b4517fb587a6640bee7b01ce272cf53c4fd5a5938d3b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1e2f9ab4aac7d83ae32f547c020aa86e

    SHA1

    00f5d8516c08615b5aa9342fafaf1849bac6144a

    SHA256

    576a71d84991cb87562163ad6b5237a03b4398fe6bfa8f3c67e31955e12d414a

    SHA512

    8b81ccf5b6efb3e19e57383f2c4a445e9e7defbe893241f53cfd9ac9f5225674f610b6977c9216d89c80064240147addec3ebba5ef9d6055c7a7d3c995eac2e1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0caee91ea8fc1343661f486e81a8a29d

    SHA1

    a79535e8cf929f9f64db6b0847eabdc786c0ceaf

    SHA256

    8c0c567d866033f0875e13af15aa3edefa981d28fa8405f8f6e4a47d4c0c121c

    SHA512

    3415dddb5b641bf649a0457e70228e5191581d03adc61cc62a7a561f9130b2f0af4db5b5cf2f2c520ce7d326c8b7b1e44508a4e71ab0fbd2223e947d28ba5d63

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    01b8cdeb2fc6c50bd7700768e253704a

    SHA1

    7015382675f7f304a15daf892ccd0f4fa890cacc

    SHA256

    cab85ad08d59d7a007792f10213fa4125ed365a811798792a3a6970f7d18eb0e

    SHA512

    fddbfd7f3fc2ac2b3faf4c9d1cea21618b1b43579bfd2e5086d6f5eee79e124b33d3f389e69630c1399087e5f85a523c24a71bd70ccd5b533ac6ffb78d73d98f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\favicon[1].htm

    Filesize

    802B

    MD5

    b4f7d6a0d3f6605440a1f5574f90a30c

    SHA1

    9d91801562174d73d77f1f10a049c594f969172a

    SHA256

    e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

    SHA512

    c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

  • C:\Users\Admin\AppData\Local\Temp\CabBA6.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarC26.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\julia_fun219.bat

    Filesize

    53B

    MD5

    23962a245f75fe25510051582203aff1

    SHA1

    20832a3a1179bb2730194d2f7738d41d5d669a43

    SHA256

    1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

    SHA512

    dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

  • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

    Filesize

    660B

    MD5

    d980f89e4088711df685a0aa09e8f5a7

    SHA1

    dde805f4fa5e016e122e4240e20ff844113717d7

    SHA256

    28f62bd59962d06d903ea079466c66985caa306251717235a0d470a1b0f62d09

    SHA512

    fa2a669d846081d71dcada405d3c4bdb92229ba2b4a9f8fd4e461d7c4d51012d3d3b893466f814c8178b9980119703d1a3f7eafeff281a2eb75465e504df9ee9

  • C:\Users\Admin\AppData\Roaming\PPLive\1.bat

    Filesize

    3KB

    MD5

    286fe459674aef6eee17f6ac79a15fdb

    SHA1

    233dc43099c575a67b05fc1076e676324fd6e63d

    SHA256

    872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

    SHA512

    c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

  • C:\Users\Admin\AppData\Roaming\PPLive\1.inf

    Filesize

    492B

    MD5

    34c14b8530e1094e792527f7a474fe77

    SHA1

    f71c4e9091140256b34c18220d1dd1efab1f301d

    SHA256

    fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

    SHA512

    25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

  • C:\Users\Admin\AppData\Roaming\PPLive\2.bat

    Filesize

    3KB

    MD5

    d4917ae9072a10d8e12ef3b282b25b3b

    SHA1

    bd9ec6c6395997525ec7c15ecca2f115573cc14c

    SHA256

    6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

    SHA512

    c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

  • C:\Users\Admin\AppData\Roaming\PPLive\2.inf

    Filesize

    247B

    MD5

    ca436f6f187bc049f9271ecdcbf348fa

    SHA1

    bf8a548071cfc150f7affb802538edf03d281106

    SHA256

    6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

    SHA512

    d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

  • C:\Users\Admin\AppData\Roaming\PPLive\4.bat

    Filesize

    12.3MB

    MD5

    ae9300f03a6d2e49c898280284d8d74f

    SHA1

    6474c770a4054910bf90d8815644d0be4b57e3af

    SHA256

    aebff64a27473f65e988ba96056c9fdae9fb256990b58a7920c935ce6a38b5c1

    SHA512

    07bbd545e940854b70e0028e84d1c2e25bb8ea185d9e89fcb2ee929436cfb44c505082b997605c7c1a7cfc161b2bb9918935d21b4167958aba4ff9cc86366f6b

  • memory/2208-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2208-99-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-47-0x00000000030F0000-0x0000000003100000-memory.dmp

    Filesize

    64KB