Analysis
-
max time kernel
44s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
30-11-2024 05:19
General
-
Target
b4f4957b8ace5c6a91d9178a03f33b97_JaffaCakes118.exe
-
Size
135KB
-
MD5
b4f4957b8ace5c6a91d9178a03f33b97
-
SHA1
6cd8463d611c84b87e49f0f3541530eb08e857c5
-
SHA256
19abf7ed826edd9c98b153cc27b816936e1b7078c7c88c50844f05e12cdc206f
-
SHA512
da40e95e2b6560acab16d2a151bfa1e29f15f88907dd73e659c8b16583feed4d6e2847423d0bc2b97ecb951dec72066acc5151f91baf0c52400e774e8b1490ae
-
SSDEEP
1536:37v0kchIvFz70fiVdqDkhSchSWiSDWP/OsWQH6CazASXhXSWLlWT3PmcsYN/Xzgi:3ooF4iVdubWibOQNi3MWL4FksNYFfPK
Malware Config
Signatures
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 32 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4f4957b8ace5c6a91d9178a03f33b97_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4f4957b8ace5c6a91d9178a03f33b97_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://youporn.ru/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2908 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD5f9b537a2b00c7b695076dd6805f4af5e
SHA1e0b683d522506e18ccd6b5ed3571c7d2e4a5ef31
SHA256562522b4aa35f3ab3b102c9c0c8a816e59ba105f006525c5df2509594d2d156b
SHA5123d52e4ce726fb07cea6564511e663373d51c4388ffd0fa444231d6c9c5a80227e0161b41dd4329b3e1d00cc164db36f733909fab4fed6c30563ca9568e41ee97
-
Filesize
342B
MD526fad44d4185032e9bb3c5e359fccd17
SHA13feb77892fab7b2cbb5bc0244c518a13896fb3ea
SHA25624d93ecf52278a2dd4c7b50caa1125b482b631363026209104bc98027c644573
SHA51272461d0dded96cfa22d6f07f818cbbb0bcf5ef817f0c9343b6cbd7100e08a67c06d93d0ce047eb6f55222dd227d5901c316acc48e10ebe33259b2fd5e15159d0
-
Filesize
342B
MD5acba8da094c8447cf39328eef1fb0069
SHA1783504d080007a6b8f946031b769b09ef93e8b0e
SHA2569e54f0691f434141a2be051b61dc650fc373cde5d5cc7d8b21251ed29e62e041
SHA512fffe519c407e8b9ed81072c30ea5ada19389d669b9b5562f235ab2079d6d14976e9f68afa728baa86667abb20b6e20da63a2e32ccf3e3447494f46d8cdf3eb16
-
Filesize
342B
MD5acb4feb08cf5697cc4672b10b0d2a504
SHA18ecf104de7906a1fffa235463925213653a53b4d
SHA256332d7a82e259a88c79489431739853c6d1f782b6f39fa6d4c66ae2c7b785e48b
SHA512b56e02da410a6899b94ba1c09aa4a86a032ccd72b53139758a5743cdb39778cb523def80120d202f07301680ce95d84be8d8cdd36f74b86c063854091c6cb329
-
Filesize
342B
MD528f1045047ff1bd336e16c507d742331
SHA13691eabafa7eca033b5ca5e58e6c814f7a386888
SHA256912aba959a3eafe21d5992cdc040cbe92a36e4b4adac2870d229e2e0f3a8338c
SHA5127116a033c274942c68d5cc46d7318db9df69dd36f17f0013f5f0d95f35a9a9a2edbaf5079853ad60afc9f4d07fbb1c20a63261523421eb5ab4ca84dac04eed16
-
Filesize
342B
MD5abd93b63a39297aa165571ac56fd6739
SHA17043f64e2dba65561f2d04ce1458a6083b1ac50d
SHA256e3b85d7fd798931126c3789efd813c33d33edbfbb8627077b45d2ab3be88020a
SHA5124f886ae8bd54095e148dabbac2d0c4396099a10ab945b1e187722253b38affbfb6ab310c89bca8873017e2417247bfad3b181447469a0b273fdb27c4425b5148
-
Filesize
342B
MD5b00061bc6409940487f13a98bdacb6ef
SHA1dd5f27ad7c4e60f19f3163c592beeacc2c9fcc2f
SHA256c3c9009cacd91c0e38b78d9e65feec5987fc269a2b52fddf2156aa63d1aaad90
SHA5121fd0eaa2816316998c7b6e6796f40d3135cc0e55aa78b6f6077941ebbb83b2d390340dc64f8666f84ce52129c9ff7e1ba424c2ee0e80a1ec1b6ad1d5d3533b9f
-
Filesize
342B
MD556bebefcbb860f09435f68c8fe3dd89a
SHA14338f3e911ddfc3ad69c2dc3dbeb8f98a31dca56
SHA2569b930b8122a75d37a1568cc5e713a6532acab5901a83fc5bbc7b153ca7ad0ec9
SHA5123a2b828364eacc96661e3cca9e6000e401d011b4d6f2aedd24464c73503c34da838d73b62f8d5e98dbbd044847b3719c10f3dc35de3af5ac21c9ac90584adf9d
-
Filesize
342B
MD5aafceb97b429fbfa8ed7fba6e4cb9bfe
SHA16ddb206980e588bd2903b36bfebf183dddd03387
SHA256ea5d509aba17f38800e04d9877cf1e81dce90d8ceaa593bf99f7133f093d43de
SHA512d2f0e03ac66608104a2a37ccd64785de5e07d4ddacc37f529630ec3a74675ce4b14391a84686de46246a9aafc0014c82e862d79072942eaeb0d7ed78f42823d9
-
Filesize
342B
MD5892b36b66826dc247459d78e5bbd6347
SHA1b05f5f892ae055ba1cceb1d12eeeeacc4c96b961
SHA256cecd41953298a6dcc3f437e7bdc80dbad8e5b5222d0c5cfd56c1a84851062e73
SHA512ad4652de28bc9964e11c5dee9ce92ac1d9ba1a433b068efcf4da26adb1b6399b050528affad5f5b26a9f159a7398bac92d3181378e94b819109b5211758649ce
-
Filesize
342B
MD5b8baeb3460595caf8dd5c46a58d52653
SHA17c62e71260df6e930b79bc98c3732d1020f697cb
SHA25670d40faeebc6ecad7d65eb46a1bda1fea560def0e4bde3db8402c6e6d09dd946
SHA51254438f26c8e12b5b66887189922d12fed5acf7c4b3be18fedd8cd996ee5a59781f2328646cfad02f3b1fbfb4169b7df19224c15894a34ef543e0a6280d7a3578
-
Filesize
342B
MD5b3773f2e39c53d7c11de67cdfc7c68f6
SHA138f5e3b601ada50e0f0035268dcd02adf6f13400
SHA256b5b3e2f26ec736c451858b2da8722372183bbdb705e71529d0ab640459113235
SHA512dbb31d30a695bf9eabb1893e6e5760337efda11381d77683f9b5fa845712252edf16e4129840f28a8c371673b32a59a41c2fc10607117e317d6ccb45c73c764a
-
Filesize
342B
MD5837d0a7babbdceb6cbcfacb33b3243ef
SHA1df64f557f605b2c26bbe3707069fb52803bb39d0
SHA2568bbf312323a1c42a2e06f78c1c58b266ba1e540d4d04edec1151fac84b1117b0
SHA512677dd419ecaee858d220efd56a34a7b32b1f0b48bd1cbeb9e3aa4201adf81fdf9ff3b6b91b7db03ece63fae270411627ac04067de010cb98ed26609a52b25cbf
-
Filesize
342B
MD566ea51c65fb3b4f949918778e707889e
SHA14e463519a9b0fbf4799db3736f8e94a27f33d750
SHA2561a8a40c8bb57e8788163d6f51af8bb01d6e8ea09fdaa7b0290c4ed248fe5662b
SHA5121b759264e5c6626e3930f43fe56ffb6d53ab4c1f31a22521587f69b3b66916d8d36bb61842fbc7199000cf325777f4acbef2193726c873af5490cc718624ecc4
-
Filesize
342B
MD5c402a9177d23269671054a0e191140a3
SHA10c25709f84d910d8947bc7d79c1ecb7316d83f30
SHA2562bed7495ee76c4477452a400834767daf0529c878c5680cfae77cdfd0ff70a2d
SHA512f686a35e197641f08b567a0abc298fedc3689c574c6ce557b039016fc3edefd163c9e49648e176ae4a98cf553780bbd25df1f5ed6065004f02bb88aa705fd99b
-
Filesize
342B
MD5467ed9e312e1a4eeb655639f0c77edf6
SHA15a71b2ac58916c0b0b201c1e1fdb28fda0b1c4b0
SHA25622313e887124a1232e9bbe5e036a0b50ae647d89916f2c42d61fddbb86a1edfc
SHA512b7dab6834954fa4fe8bec2010eb9b8b53c1ba40b75efcaac2542d0dea857cf260f8975649a990a63e820d5f84f9edfa95b2d43da584212dd9c27f795d9baf1a8
-
Filesize
342B
MD5e183c37b3241f0181f1adbd5e5d63040
SHA1bc545ac88eec050e508bd019f63ec21e82b6d79e
SHA25697e65d2dbe1836a2feadd904145a6547a9153242007aad72fe117f743230e17a
SHA51252341e0d006480009e74bf1cdb392419b45d61d7aca510e333749cd317a642991b3909d408bdad4d35da3ea17a8f594bae4f17d021abceac144f2cff083ebd8c
-
Filesize
342B
MD52e0a33048e621ef4fff36c82b5cedca8
SHA15250a946da79c1c2360d29de8a1d80140edebd9f
SHA25681991c5a42edc652e4761d697d9a695b760e59a190071017962c06cd6ec4c0aa
SHA5120072cd602d56cad140d7c9b23943ee7aa83c4ac81b2202638da05b4ed441bf235b1996e25bbd0c397f2a8556da9b54e2c6f0735fd5131e2678767d946ba7167e
-
Filesize
342B
MD576ce0cdf98865c413984b5dcb6bad6ba
SHA1b98d3e9f7cec1fecb541073388cbf9d06e64c389
SHA256e9ee3a3d08a62802c72362cf8585b1c9db0d73de4e37dac7f3df68bd60bfd7e9
SHA5128e5ea44f9ceebf14f08b93582c07c0d6c8332a251cb2628fe8f6dd6a98bc1f7b97fa2b09d06a1513ba92e8ce742bb217d16273957a6cfc51d8d9eaeabe471fe7
-
Filesize
342B
MD546b9e5dd72bd512d9416a550538b0ca6
SHA16d7fe8cfa89f8294af61761eadecb8587db5edb0
SHA256471477c6190ca841f1916cb44927021ac9e6595f261f57ec245b01bcaf41c511
SHA51298e259fc83c8b913331a40edb075c3fd43aaf3667cb382dee3d0b6ac9017e10a121902ba77698609b6722ca51847cad29cdab5af3c6b2217da43a1749c34a3ea
-
Filesize
242B
MD529af204b4a932e96de28a550ddf9cb25
SHA17c0377846ae8b912a9485849036d555b88ee1b28
SHA256fabf97cdec497d425abfb139028f820ecc87bcfb89cc0a090dace8b0e0dd1038
SHA51256c2e53d12f44c6ab0d1c8ddf7af7ac25854c53ae0ea7898446614cec16c4916c7f6f676b860335f81d357c028797be30fd4514d7cbdf99290c67749775e01eb
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
135KB
MD5b4f4957b8ace5c6a91d9178a03f33b97
SHA16cd8463d611c84b87e49f0f3541530eb08e857c5
SHA25619abf7ed826edd9c98b153cc27b816936e1b7078c7c88c50844f05e12cdc206f
SHA512da40e95e2b6560acab16d2a151bfa1e29f15f88907dd73e659c8b16583feed4d6e2847423d0bc2b97ecb951dec72066acc5151f91baf0c52400e774e8b1490ae