Overview

overview

10

Static

static

3

bab4bcf372...18.exe

windows7-x64

10

bab4bcf372...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bab4bcf3724fd8d549946b75de0869fe_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    bab4bcf3724fd8d549946b75de0869fe

  • SHA1

    75c906818933a736d7184612656b0c9a72d5f403

  • SHA256

    33099620b69be4a1c2139eb26290dd7fe66b2bd8924d1cc99330c469bba09016

  • SHA512

    22c5260880e103cad4dd02d60ef1b325e47672a07cfee103623cbd0f94a5bd4ec420ebc0cb852b9459856516f663fa335d6538f4cb07eab997dea012391aa6f8

  • SSDEEP

    384:vHi3ihkJoR/Edf4ONy+W2bW+GGUvTbS1woKaNJawcudoD7UNh:vHmiWxy+TgHXcwAnbcuyD7UN

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 5 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bab4bcf3724fd8d549946b75de0869fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bab4bcf3724fd8d549946b75de0869fe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\GXK.hta"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im coiome.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im coiome.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
    • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
      "C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete JavaServe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\sc.exe
          sc delete JavaServe
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im iejore.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im iejore.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2316
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im conime.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im conime.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\SysWOW64\sc.exe
          sc stop LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1896
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1868
        • C:\Windows\SysWOW64\sc.exe
          sc delete LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:484
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Cookies\*.*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2128
        • C:\Windows\SysWOW64\sc.exe
          sc stop HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2244
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2084
        • C:\Windows\SysWOW64\sc.exe
          sc delete HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2108
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cacls C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\*.* /e /p everyone:n
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2008
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Documents and Settings\All Users\Application Data\Storm\update\Console\*.* /e /p everyone:n
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\bab4bcf3724fd8d549946b75de0869fe_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
    Filesize

    2.0MB

    MD5

    fc406d6e5a5f97c321d192f6a50e54c9

    SHA1

    37558c616c6f5f42a6fb2c2c8d63917eb0b1cded

    SHA256

    45c0e56f882088f923c5a27abbacf7828ac7d26687df96e2e61dcb8e1d0cdca2

    SHA512

    e3f81ec327c47e9a61c064bbd5fabcf729468c72a992d8333be364682b2f51785a935f600c573e76dbebd7039c9371a7d54a5033d148059407e98560d52a8b5c

    Download Submit

  • C:\Program Files (x86)\GXK.hta
    Filesize

    785B

    MD5

    74ccbce1e5800180a01fb299767e310c

    SHA1

    5eee44303a3800e0ac31a103538dccfe4ffa57b2

    SHA256

    7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec

    SHA512

    581385678a72de017f99b41d565d5acd8b2ffa322e20ae9489803b6043fe6696ccab38c43ae5583afda73cb3f33b4fa33813c543ffb4e34b17394d1ec6fae6c8

    Download Submit

  • memory/2596-16-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2596-18-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2596-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2976-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2976-6-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2976-15-0x0000000000280000-0x000000000028E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2976-8-0x0000000000280000-0x000000000028E000-memory.dmp

    Filesize

    56KB

    Download