Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 21:27
General
-
Target
f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe
-
Size
54KB
-
MD5
f0a56c655659240cc96f7d4f80c76e21
-
SHA1
6fe9160e4d4149f2015dff35565204a01d6fa67a
-
SHA256
7abf8d047720f1a3b523a158aa490d7119c1d21e6ea268050afb4bc4844f161a
-
SHA512
5cf4291d4c3787b478e9c5bd2a8c0ef7102a5753e4f588bda51bb2eb41c935fac3e19cb8b08c5b5b7a69353ae074043d1728fd2a051cd1cf99bfc8a221e1b744
-
SSDEEP
768:95ICSnbvbjDYZPEf/60sclO0s1DoKjSPLsOOLidEMn0OlYIPMMM5muSl:/IzbvLmMX6AlOH1UKjSjSM00P6MuSl
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f0a56c655659240cc96f7d4f80c76e21_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\dataread\1.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://wWW.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3512 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\dataread\1.inf4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\dataread\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\dataread\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\dataread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\dataread\tmp5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\dataread\2.inf5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlDA50.tmpC:\Users\Admin\AppData\Local\Temp\inlDA50.tmp2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlDA50.tmp > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F0A56C~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5ba5272488c731e383b4533d3012739c4
SHA192b90312575c98fd0397405c3243749ded02c09f
SHA256edef86ccf6698ef9998425a9a7ae5498253c0ab740957764e187a81853f66a82
SHA5125aef3b6102906041b2ea3c72fc27064080d90e5ebdd1da743d40e84dda1f897d5230d7e263b98830f960f2a0b154fc664215311bbac880139a1a3aedda2f45d7
-
Filesize
404B
MD532f81ec075d2d3c66a43692270ca9f7d
SHA139d27229fcc0041db3c3fb3b840c9fd682100fcc
SHA256de106970e64ea794bed4974cca5a9fd3f03e1155e5be533b4944a4f38a44da71
SHA512cc8ec67b6bd8e36f86594ef678e1c5a5862a7e4f2903e57180f4c1fa8fabe9565cd1077c50d37a75ca95b1f268d86d4abef4dcd74a5a694c886821afdcb6a05e
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
794B
MD51bc415b31cdff50d79ea2a3d7b4ff2c1
SHA1f5ebab61deebc3d7a4a6676a23b982f1418ae6a6
SHA256582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412
SHA512ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84
-
Filesize
645B
MD54cafe2ab2ae87e0e3a16f6bd99e92437
SHA145757e5b258e3190ea4d4b092375bded4d5ea4fd
SHA25690896bc5f40509bc3ed86e17cae17da22b4f4ab0e424dc4557b24eccc53429ce
SHA512123a945a361a07a356361e796159406bff31dbfbe68afaa1f22e144dc2b4025d23112844db70e651b9ee41f674d8efb4cd10b23ee4992d9538de7ada6534f2ac
-
Filesize
55B
MD56f40aa13b4733d99a56ea538082114a1
SHA1b267129b905c29bf1a74cad85bf6a31e6f5da4c1
SHA2563f7525c06ba96afb5b39c5c84e229448cfe7da22474a6e351111bc13070e7413
SHA51216d5b9f62cbff8063f9a1db44eb77e9981d659deb6b96603d9fa9365455ad41d6934d386c7740c4c53afa85b9a839b8a0d43db76090f125c9950fba608b3ab8c
-
Filesize
3KB
MD5b21e4f653320b34a01a860b1cf00c861
SHA13de8c41f014512ec793c3452b3c96f832644b0f0
SHA25629a23c064b35e49d619825b67bf8b01ad6ba4c65e50e167bd69416cdca92d4bf
SHA5126f791ca6c1929779e8c72b4c5c3ec79c8bd134845679e17915a4758a03b847efe5454fefe3af8be1eb17277ba73612d1534d09734c171f82b7ac351893cd8d9c
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD56b78cb8ced798ca5df5612dd62ce0965
SHA15a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA25681f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e
-
Filesize
249B
MD5ddf8482343b38e425558a5ea06c99cdb
SHA11109e4d5ef572915cafa82327d4537696d746e53
SHA256c054ba607ea2db904ef8bf8ab83a4e68dbf32c1b41cfd6e71fd550e886f44de7
SHA512aacdc2702b58cbcbb73d11dc73c09caa84cbbc50438cbdaf46557ba38249b881bbe08487341a2deec5372b742b7055e8633f7f5008808a713c0f9611c8809e7b
-
Filesize
5.8MB
MD51e5e8fdd04223758533004b06a0296e3
SHA1a9b4c6a06ed26c91980ffd40e3e85f7a0ad5ebf1
SHA256bf1473e0591fa0f396de9f2f6b2fdf06381afc4c99c2cdd430438da7f94c7a6e
SHA512c1b90a627d7052abb671ac54b2f1b1a30a79a7909060b53cd3d94ccab8fc4494c6e91a0ac496c58bcca94fc5c6bb605e8e797c5fbec73528d306338c99e38982
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB