fd19a1ec4d613c9069056a4af7f974f952a65fc4aca9cc83f4e4ac6e411dbd1c

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 06:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
Size

17KB
MD5

d3cacdea074e6bf78d90ed52695a5b47
SHA1

d82a12bc6fe6c13e54c8ff01f94e6e6b94858589
SHA256

fd19a1ec4d613c9069056a4af7f974f952a65fc4aca9cc83f4e4ac6e411dbd1c
SHA512

a5dbfeed9ce4d8d4a9796992ab102dac7e34cd092a29c4a99a0b34d61630a059a995f26526fee0fe50012654a6343ff93e01b73bafd00a8847bfd2070578bdd4
SSDEEP

384:rGxNsdqlR5MdvuOJeAYXtOVjXV2aLt/lwk90aNJawcudoD7U4x9:4CQ503JX8OxYSt/lZTnbcuyD7U4H

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	coiome.exe

Loads dropped DLL 2 IoCs

pid	Process
1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\safe360 = "C:\\Program Files\\Common Files\\sfbsbvx\\coiome.exe"	mshta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\WNW.hta	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\sfbsbvx	coiome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2340	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\default_page_url = "http://www.52cailing.com"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.52cailing.com"	mshta.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.52cailing.com"	mshta.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2268	coiome.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2988	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2988	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2988	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2988	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	30
PID 1288 wrote to memory of 2936	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2936	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2936	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	31
PID 1288 wrote to memory of 2936	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2340	2936	cmd.exe	33
PID 2936 wrote to memory of 2340	2936	cmd.exe	33
PID 2936 wrote to memory of 2340	2936	cmd.exe	33
PID 2936 wrote to memory of 2340	2936	cmd.exe	33
PID 1288 wrote to memory of 2268	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2268	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2268	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2268	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	36
PID 1288 wrote to memory of 2748	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	37
PID 1288 wrote to memory of 2748	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	37
PID 1288 wrote to memory of 2748	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	37
PID 1288 wrote to memory of 2748	1288	d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe	37
PID 2268 wrote to memory of 1924	2268	coiome.exe	40
PID 2268 wrote to memory of 1924	2268	coiome.exe	40
PID 2268 wrote to memory of 1924	2268	coiome.exe	40
PID 2268 wrote to memory of 1924	2268	coiome.exe	40
PID 1924 wrote to memory of 1760	1924	cmd.exe	42
PID 1924 wrote to memory of 1760	1924	cmd.exe	42
PID 1924 wrote to memory of 1760	1924	cmd.exe	42
PID 1924 wrote to memory of 1760	1924	cmd.exe	42
PID 2268 wrote to memory of 1524	2268	coiome.exe	43
PID 2268 wrote to memory of 1524	2268	coiome.exe	43
PID 2268 wrote to memory of 1524	2268	coiome.exe	43
PID 2268 wrote to memory of 1524	2268	coiome.exe	43
PID 1524 wrote to memory of 1740	1524	cmd.exe	45
PID 1524 wrote to memory of 1740	1524	cmd.exe	45
PID 1524 wrote to memory of 1740	1524	cmd.exe	45
PID 1524 wrote to memory of 1740	1524	cmd.exe	45
PID 2268 wrote to memory of 1940	2268	coiome.exe	46
PID 2268 wrote to memory of 1940	2268	coiome.exe	46
PID 2268 wrote to memory of 1940	2268	coiome.exe	46
PID 2268 wrote to memory of 1940	2268	coiome.exe	46
PID 1940 wrote to memory of 1144	1940	cmd.exe	48
PID 1940 wrote to memory of 1144	1940	cmd.exe	48
PID 1940 wrote to memory of 1144	1940	cmd.exe	48
PID 1940 wrote to memory of 1144	1940	cmd.exe	48
PID 2268 wrote to memory of 1980	2268	coiome.exe	49
PID 2268 wrote to memory of 1980	2268	coiome.exe	49
PID 2268 wrote to memory of 1980	2268	coiome.exe	49
PID 2268 wrote to memory of 1980	2268	coiome.exe	49
PID 2268 wrote to memory of 1708	2268	coiome.exe	51
PID 2268 wrote to memory of 1708	2268	coiome.exe	51
PID 2268 wrote to memory of 1708	2268	coiome.exe	51
PID 2268 wrote to memory of 1708	2268	coiome.exe	51
PID 2268 wrote to memory of 2132	2268	coiome.exe	53
PID 2268 wrote to memory of 2132	2268	coiome.exe	53
PID 2268 wrote to memory of 2132	2268	coiome.exe	53
PID 2268 wrote to memory of 2132	2268	coiome.exe	53

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1740	attrib.exe
1144	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\WNW.hta"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /im coiome.exe /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im coiome.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe
  "C:\Program Files (x86)\Common Files\sfbsbvx\coiome.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete JavaServe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\sc.exe
      sc delete JavaServe
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Cookies\*.*
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\d3cacdea074e6bf78d90ed52695a5b47_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WNW.hta

Filesize
780B

MD5
cfae0efb683986503bb789616bad8b55

SHA1
9325f503e9c4d97a7d06d81859f73d245a974753

SHA256
8f1076023a3e05a05e9938b08398e885a516f7442a19cd0de7fd3a87f6c0ccd8

SHA512
e338c41006f670cc98554f1c3a262cc7e4d9dd680bd9d77cc2b5a048a7f3b630f59df6a02fe6542df71647ce3eb7541f86bc3266fad396a9859620a7d26a942c

Download Submit
\Program Files (x86)\Common Files\sfbsbvx\coiome.exe

Filesize
2.0MB

MD5
bbacbc3cd6b3ffb0c9596ce8f5ead7f4

SHA1
5ea0d40fb52bed1a3aa081ab68278f9ae7b1eb15

SHA256
f043ca237362e0e3f9fc2c72a115a45a02772fe07ddd35812be30206d36bf3ea

SHA512
8d517295f6d4760fed0036ae043c22cb1938176faf2f7e78a2a351407f534a5611c2bee78ebb984f88e7c47c584c75523a78b1b6c04af03c711f235cfbe07f08

Download Submit
memory/1288-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1288-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1288-14-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/1288-9-0x00000000005A0000-0x00000000005AF000-memory.dmp

Filesize
60KB

Download
memory/2268-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2268-18-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2268-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads