Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21/09/2024, 18:26
General
-
Target
f0645e5b020817c4c8a3ed44cce7a132_JaffaCakes118.exe
-
Size
160KB
-
MD5
f0645e5b020817c4c8a3ed44cce7a132
-
SHA1
b07d768f689b7b81f13c39fd775ae313ed70cce0
-
SHA256
8331e6ebc0e5a97a1a1d5a0f1d6bfe0b8e8d474b7f2ddbac3470535274c8f15c
-
SHA512
09eed4d605a2dc8b1789be84e692c38e67c2ca5f53e8adc468b5db30c71e3143c4df33ff22d0d9223a64cdea4df97645c93305d33ad50e6fb4477ff80a254327
-
SSDEEP
1536:+DyIKCj8jmMnWM0AFiEoznntjHJ0tI+I6edPgl+mMLky+s:wv9YmbM0AFiTMoYiX
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0645e5b020817c4c8a3ed44cce7a132_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f0645e5b020817c4c8a3ed44cce7a132_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?s"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?s"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?s"" /f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp5⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlD7DF.tmpC:\Users\Admin\AppData\Local\Temp\inlD7DF.tmp2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD7DF.tmp > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F0645E~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5ba5272488c731e383b4533d3012739c4
SHA192b90312575c98fd0397405c3243749ded02c09f
SHA256edef86ccf6698ef9998425a9a7ae5498253c0ab740957764e187a81853f66a82
SHA5125aef3b6102906041b2ea3c72fc27064080d90e5ebdd1da743d40e84dda1f897d5230d7e263b98830f960f2a0b154fc664215311bbac880139a1a3aedda2f45d7
-
Filesize
404B
MD50bac12cff46df657308f5a087ac77352
SHA123ab6ff6a4235b17c582e3b874166180a21a2632
SHA256f61adfc27c9924cc2fbae10c9a2584271683de14b19bf00fde8c9dbadb811364
SHA512661b1a7570643e95b92149dc84081cb8ed9359ffeb14d0273f75e10ab66a649137474f89c6ce278277ed722e762de5cdb58a521acfd55ea7476b1cecec45a4bc
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
88B
MD5bcd8edb015ddc9e31e8e1b4657c3df43
SHA1d320e044bc0ed73e557a885a1a47714b8c85200e
SHA25637646c67c0e8429e6fbfc56678a20fd311cb48d0cb19bb5097078968f0673f37
SHA5122a1497b35930c516a0f5bf75be460eff986b08d2ed0331dd702be5533b88198a59a41f39252809ef83b455bcf4d07ab0d9723494e8008a9578d0509a643cd6cc
-
Filesize
790B
MD5b18422bf438bbb7798280375a7bc0976
SHA1c1b77b35e3a38ff2ad119f25e548beb5ff68c2e2
SHA256ee8709e751067193dccdfe218108bdae6a30919d7b6c860bc848c7cc4b242fa4
SHA51223cb9c74905f514a2bf4ef91afc53ceb08230b3ce68e3eab17bb36c674260d143a7e7105958ff4ed5c2a416bddffb3c7e28dcf8060cbf323c7e4cab71f613176
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD53ffe7d55ea414adb988346925764a4a3
SHA13899a90cc844e7b170898936a1502f6ce0e88aa1
SHA256e0ed46a071106638ba9b1d6f527c1595a948381ef521e9e27cae56cc43eef43c
SHA51253f482913b9f563e190fc84693b3b41491f6c0248e6148a21ee4355174466d4b3a1f3b1e31e54d22443dd6653e333cc8c818ad4de1f9627024e2a476785d3590
-
Filesize
362B
MD520b164889086c50e2be7e83799886b88
SHA1e813f0d19584247fb44151ea97a212197c9b7828
SHA25676b4794f3b5e9efa322ee0683977f1646501b441f286b89239fddf2c0c2d2fc3
SHA5129ec551ba8254597ab09c733715a26b39c475503a40f020636e8ad727e5ef6cd3bf880d937a8970c36fdd9ed9c2dd3dccb127deef0991fad50eb5b83b38417d79
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD554f23ec52c44483a7bce2706048c80f3
SHA12a32a29bc1270ec194ad2faa14007881fab037b7
SHA256e3364764e027ef1df04b89961ceee6326cab364a7bc03c7b7002e9b6a8a94ce7
SHA512d8492a687cd65629551b32c3a64ef4dcc61d31635d83d60bddebf7a4f9bfaa0b97c2bc91a53eb801fa65f1c795a3bb37f1534c8cd941f073f8b310520494d637
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
5.8MB
MD54c3e8024e0cebb573b4208dd8cf80124
SHA1ac6a42ee517e22632b6527bc670d495487fcd44a
SHA25675688ed06dbf70082faa2ee8daab11aafe43c96b849d12d98a4790bd1a8281ea
SHA512f8551b7a9527f50a5c40b7859c886b5a328f7e9806c623a65c9e0ec0ab5775689cde6e6a21001acf1ef97b3deed839a6a9aa0c62cb7cdbcfb04d15f72c2a6302
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB