Overview

overview

10

Static

static

3

edd49c94e4...18.exe

windows7-x64

10

edd49c94e4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edd49c94e4b8af4197cebdef16db1c47_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    edd49c94e4b8af4197cebdef16db1c47

  • SHA1

    34e28916827122e4e34c5d1fe6014137b35f9798

  • SHA256

    22ef0fc7b07788143eac54a8da40ad4d576ee70934120db5d1ed87c2c6c519f0

  • SHA512

    927fce05315f8b160ec4b7f4c5684e9939db13d9b053d12d8cbf42713d449fac753bfc4f529b1a0bf529bf8ffc855f3d78dfa6bb619ff01f14925aff440f4ea5

  • SSDEEP

    384:B3ihkJoR/Edf4ONy+W2bW+GGUvTbS1MEUaNJawcudoD7UNh:BiWxy+TgHXcJnbcuyD7UN

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 5 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\edd49c94e4b8af4197cebdef16db1c47_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\edd49c94e4b8af4197cebdef16db1c47_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\TIT.hta"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /im coiome.exe /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im coiome.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
    • C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe
      "C:\Program Files (x86)\Common Files\sfbsbvy\coiome.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete JavaServe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\SysWOW64\sc.exe
          sc delete JavaServe
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im iejore.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im iejore.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:944
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /im conime.exe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im conime.exe /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:328
        • C:\Windows\SysWOW64\sc.exe
          sc stop LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib -h -s -r -a "%userprofile%\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h -s -r -a "C:\Users\Admin\Cookies\*.*"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete LYTC
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2396
        • C:\Windows\SysWOW64\sc.exe
          sc delete LYTC
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c attrib -h -s -r -a "%userprofile%\Local Settings\Temp\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1028
        • C:\Windows\SysWOW64\attrib.exe
          attrib -h -s -r -a "C:\Users\Admin\Local Settings\Temp\Cookies\*.*"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Cookies\*.*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2888
        • C:\Windows\SysWOW64\sc.exe
          sc stop HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1668
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete HidServ
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1736
        • C:\Windows\SysWOW64\sc.exe
          sc delete HidServ
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del /f /s /q "%userprofile%\Local Settings\Temp\Cookies\*.*"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cacls C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\*.* /e /p everyone:n
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1332
        • C:\Windows\SysWOW64\cacls.exe
          cacls C:\Documents and Settings\All Users\Application Data\Storm\update\Console\*.* /e /p everyone:n
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\edd49c94e4b8af4197cebdef16db1c47_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

4
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\TIT.hta
    Filesize

    785B

    MD5

    74ccbce1e5800180a01fb299767e310c

    SHA1

    5eee44303a3800e0ac31a103538dccfe4ffa57b2

    SHA256

    7c800551aa79c34f689c2d87e3b24c2bfaca0d2815538650abe445c3cb3a77ec

    SHA512

    581385678a72de017f99b41d565d5acd8b2ffa322e20ae9489803b6043fe6696ccab38c43ae5583afda73cb3f33b4fa33813c543ffb4e34b17394d1ec6fae6c8

    Download Submit

  • \Program Files (x86)\Common Files\sfbsbvy\coiome.exe
    Filesize

    2.0MB

    MD5

    6e90b312459b8b262081b7a5bbd9123b

    SHA1

    1d9f9fa5d3b498cb9719340b00ee838a9bec50bb

    SHA256

    908b33e35f53d67b116d1103edc7cf7e3e52d087c9884f94ec9d4f2374415af1

    SHA512

    e205b660a6f30932822ba013ed8c8c0b9006fb3a3c43f213b1b875fade5fd3b3eb9adec2b1a8e24793a1f7e6b49cf1bf78778b2497565874bb87792d855355ca

    Download Submit

  • memory/1708-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1708-6-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1708-14-0x0000000000300000-0x000000000030E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1708-13-0x0000000000300000-0x000000000030E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2416-16-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2416-18-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2416-20-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download