40391a2e93b44bb4cf5ed4e34f27aedbbaa2a641b84f7b2b5cfa56bd49f34af1

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
Size

17KB
MD5

bc407613dcd8bc244da23b87b4dca7ca
SHA1

2d4fbf2adb16dd9ecde292ff317f3a3cb721a230
SHA256

40391a2e93b44bb4cf5ed4e34f27aedbbaa2a641b84f7b2b5cfa56bd49f34af1
SHA512

e22118600602bc64dd078f8df360e3eb283e4ec9459b0116cc8eef212978e680c6638a00471a26a348711d7296948452a19983e83760b0b6789ea264a225f197
SSDEEP

192:c1JdDV4Paqnz9tND2wFFFWOO4Tuu9kqB6EGqgNtGnyWOE+LArUpYCMFaNJhLkwcQ:cGx5V/jX91ny3OtaNJawcudoD7U4xE

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2604	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	coiome.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe"	mshta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
File created	C:\Program Files (x86)\ELU.hta	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	coiome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2532	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2260	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2844	coiome.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2684	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2684	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2684	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 2684	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	30
PID 2368 wrote to memory of 1540	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	32
PID 2368 wrote to memory of 1540	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	32
PID 2368 wrote to memory of 1540	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	32
PID 2368 wrote to memory of 1540	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	32
PID 1540 wrote to memory of 2260	1540	cmd.exe	34
PID 1540 wrote to memory of 2260	1540	cmd.exe	34
PID 1540 wrote to memory of 2260	1540	cmd.exe	34
PID 1540 wrote to memory of 2260	1540	cmd.exe	34
PID 2368 wrote to memory of 2844	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2844	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2844	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2844	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	36
PID 2368 wrote to memory of 2604	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	37
PID 2368 wrote to memory of 2604	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	37
PID 2368 wrote to memory of 2604	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	37
PID 2368 wrote to memory of 2604	2368	bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe	37
PID 2844 wrote to memory of 1912	2844	coiome.exe	40
PID 2844 wrote to memory of 1912	2844	coiome.exe	40
PID 2844 wrote to memory of 1912	2844	coiome.exe	40
PID 2844 wrote to memory of 1912	2844	coiome.exe	40
PID 1912 wrote to memory of 2532	1912	cmd.exe	42
PID 1912 wrote to memory of 2532	1912	cmd.exe	42
PID 1912 wrote to memory of 2532	1912	cmd.exe	42
PID 1912 wrote to memory of 2532	1912	cmd.exe	42
PID 2844 wrote to memory of 2508	2844	coiome.exe	43
PID 2844 wrote to memory of 2508	2844	coiome.exe	43
PID 2844 wrote to memory of 2508	2844	coiome.exe	43
PID 2844 wrote to memory of 2508	2844	coiome.exe	43
PID 2508 wrote to memory of 1640	2508	cmd.exe	45
PID 2508 wrote to memory of 1640	2508	cmd.exe	45
PID 2508 wrote to memory of 1640	2508	cmd.exe	45
PID 2508 wrote to memory of 1640	2508	cmd.exe	45
PID 2844 wrote to memory of 756	2844	coiome.exe	46
PID 2844 wrote to memory of 756	2844	coiome.exe	46
PID 2844 wrote to memory of 756	2844	coiome.exe	46
PID 2844 wrote to memory of 756	2844	coiome.exe	46
PID 756 wrote to memory of 1616	756	cmd.exe	48
PID 756 wrote to memory of 1616	756	cmd.exe	48
PID 756 wrote to memory of 1616	756	cmd.exe	48
PID 756 wrote to memory of 1616	756	cmd.exe	48
PID 2844 wrote to memory of 1620	2844	coiome.exe	49
PID 2844 wrote to memory of 1620	2844	coiome.exe	49
PID 2844 wrote to memory of 1620	2844	coiome.exe	49
PID 2844 wrote to memory of 1620	2844	coiome.exe	49
PID 2844 wrote to memory of 1952	2844	coiome.exe	51
PID 2844 wrote to memory of 1952	2844	coiome.exe	51
PID 2844 wrote to memory of 1952	2844	coiome.exe	51
PID 2844 wrote to memory of 1952	2844	coiome.exe	51
PID 2844 wrote to memory of 1648	2844	coiome.exe	53
PID 2844 wrote to memory of 1648	2844	coiome.exe	53
PID 2844 wrote to memory of 1648	2844	coiome.exe	53
PID 2844 wrote to memory of 1648	2844	coiome.exe	53

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1640	attrib.exe
1616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\ELU.hta"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\bc407613dcd8bc244da23b87b4dca7ca_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELU.hta

Filesize
780B

MD5
cfae0efb683986503bb789616bad8b55

SHA1
9325f503e9c4d97a7d06d81859f73d245a974753

SHA256
8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8

SHA512
e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c

Download Submit
\Program Files (x86)\Common Files\sfbsbvx\coiome.exe

Filesize
2.0MB

MD5
74292bba8e9ea1c4c4fc67669613dceb

SHA1
45bea6a217a64217e2ed529bf9ec00488afb81c9

SHA256
6a99bb350b2e5d99b76cf172297cc4ea9cb6755d94f167cce17e07101da46859

SHA512
c379be1b8bdf5856a803afc3369c877ca586208bc9f60481e9b2c498f54dbb03614d476849e01c4db954971f753e3e84db63c78e3080cb87d48be2173c521a2d

Download Submit
memory/2368-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2368-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2368-14-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/2368-13-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/2844-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2844-18-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2844-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads