Overview

overview

7

Static

static

3

067f620409...18.exe

windows7-x64

7

067f620409...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    96s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 16:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    067f62040949050c5e47620a6bbd7055

  • SHA1

    12a04896d8e22a76252ac3ce1e74eb95d4ffad19

  • SHA256

    d69868cb989e25a136eaa658f66f687ef02736fd4b52070c491ec699a061dec7

  • SHA512

    46ad2d7f796ef36eeb8f0f76307eca3da2f9bd74282eaa5039318e863ada57eb36aeedd9e8f16c6efeac148aa635daf61715aa92e2d4b3540120718e0258f4a1

  • SSDEEP

    1536:eaWDboVghDhHy/PqZBQ0jFjWq0Wn0gMT7fuDSMCd1oQPR2oF:90M6hDhHy/PIDjFj90gdSNd1oQPR2oF

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\067f62040949050c5e47620a6bbd7055_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\nResurrection.bat
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3748
      • C:\Windows\SysWOW64\PING.EXE
        ping -a 127.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1924
      • C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
        "C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" ?mac=EE-6C-63-75-98-CE&mdx=ed3d2c21991e3bef5e069713af9fa6ca7a86131338bf955e0a56311f264aa6aa&ver=53-10-34-65-6
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4920
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5064 CREDAT:82950 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2936
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 5064
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1436
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\download.html
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\download.html
            5⤵
            • Modifies Internet Explorer settings
            PID:8
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /pid 4380
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4160
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4124

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft.KuaiLeKuangBen\SMSvcHost.exe
    Filesize

    108KB

    MD5

    067f62040949050c5e47620a6bbd7055

    SHA1

    12a04896d8e22a76252ac3ce1e74eb95d4ffad19

    SHA256

    d69868cb989e25a136eaa658f66f687ef02736fd4b52070c491ec699a061dec7

    SHA512

    46ad2d7f796ef36eeb8f0f76307eca3da2f9bd74282eaa5039318e863ada57eb36aeedd9e8f16c6efeac148aa635daf61715aa92e2d4b3540120718e0258f4a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\374sd3b\imagestore.dat
    Filesize

    4KB

    MD5

    c1afe2b4b6948f50d6f9a57cea6211d4

    SHA1

    8b7a57f19396cb448ccc5766c79b1127e52d0b58

    SHA256

    8d5263bd968a872978721d17a725bb54ab9d0a052f822b14c9077caeab3523f1

    SHA512

    00002348e3a13799b91fb9a2ff310ff66fe723dbfb4e6e51e4abb4940ff4851d704cf89fd932f15530d3acc58cd769b0929c1d694661cb341535a282d93e461d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G40JFEW9\favicon-trans-bg-blue-mg[1].ico
    Filesize

    4KB

    MD5

    30967b1b52cb6df18a8af8fcc04f83c9

    SHA1

    aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

    SHA256

    439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

    SHA512

    7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nResurrection.bat
    Filesize

    339B

    MD5

    a98052a0eb984a28c4d966b36be3af73

    SHA1

    641cce390deb06c64ed7c8f4fc5be7ce08715f7e

    SHA256

    2d549938b17c99736c4b159f4b2269ed41ee72d463d17e9dd6804a3013f6a116

    SHA512

    a0f67fc3bf1e86ba1552089ff18f368e8a07f04519ec9822b416b974949c42ef76a2b0943fd3e3f2e7e2f9ca79e4f78039c2ec6277132ef42ce76e4e554604c3

    Download Submit