Analysis

  • max time kernel
    131s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 05:30

General

  • Target

    04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    04878737071b22a2c2ca138defb34cd6

  • SHA1

    d09d2f7565c888272af4180aaa84dab444fd1b7c

  • SHA256

    b838a44f3df6cf6d09e9ef42f25d3139ee4cb96dcfb1047a689c7836d201c90f

  • SHA512

    ea479e9f17d182de471c7e08d55dd14ccc7589ceb0541941d70de9704b055738386457d8010a451eee5ca9e0b6db04a48afb6b43930974a8052b93cfd3ca5f24

  • SSDEEP

    1536:eaWDboVghDhHy/PqZBQ0jFjWq0Wn0gMT7fuDSMCd1oQPR2oz:90M6hDhHy/PIDjFj90gdSNd1oQPR2oz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 19 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04878737071b22a2c2ca138defb34cd6_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\PING.EXE
        ping -a 127.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2728
      • C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
        "C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=4A-4A-30-0B-A5-D9&mdx=c6f2f93133905f75da4b02ccc19ab66aadb7bf1cff0c81595de38f51cd60c62c&ver=53-10-34-65-6
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4588
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:920 CREDAT:82948 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:3920
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 920
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4708
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
            5⤵
            • Modifies Internet Explorer settings
            PID:2212
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 4980
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3424
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1804
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2692,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
    1⤵
      PID:624

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe

      Filesize

      108KB

      MD5

      04878737071b22a2c2ca138defb34cd6

      SHA1

      d09d2f7565c888272af4180aaa84dab444fd1b7c

      SHA256

      b838a44f3df6cf6d09e9ef42f25d3139ee4cb96dcfb1047a689c7836d201c90f

      SHA512

      ea479e9f17d182de471c7e08d55dd14ccc7589ceb0541941d70de9704b055738386457d8010a451eee5ca9e0b6db04a48afb6b43930974a8052b93cfd3ca5f24

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ipsjwqu\imagestore.dat

      Filesize

      4KB

      MD5

      294fc8f4558aeb3b17a439c7ac73a3b0

      SHA1

      15664cd150f9e493c4998ac8d343d841f38071fd

      SHA256

      98a5654e84231c5aa13139049a6c6d0a6a2f8c433cbae4ccda96829aed9f9d86

      SHA512

      9e64b9455eb0f07cd18df2532583fccf26d6282fed364664912f23eb1bbd7f17c0571695cc222796492775531abeb20f75debbaab4759b566d9e32fc67303eb6

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\favicon-trans-bg-000-mg[1].ico

      Filesize

      4KB

      MD5

      5879b2763fc53367a29f1e64721976db

      SHA1

      edee687feb0438fbb4fdf6e0b9bc941f2a0c464d

      SHA256

      b5f794efdee46f6e8759441cfb2bdc36640f50e47cad9f11cea18bed48e6c43b

      SHA512

      6b04809dad6d927b7c9fe0d674b8e14c9bb374ea069558e53468e33da76be44c8de6221f90f719462bcea90bec1a90ece58a706e440229ec78d81ba9063ad0f1

    • C:\Users\Admin\AppData\Local\Temp\nResurrection.bat

      Filesize

      339B

      MD5

      5a98d5d2215c0ccd886a044cd89d9858

      SHA1

      14f5e6416dfd8cc6c8957b38f9b9ce494d215917

      SHA256

      fdbe8534c2667ed467ab87c09ca74d98bacbccd3509c991161187d7d42041490

      SHA512

      ef89962d86628d6c2f3144ef6e16bb56d4c97ae67d9d8df62c6d9f69cbcad642dd6ee5a5242cfaf44c95d717aaea1709acedac4ecad2eb849534aa600a476e24