Analysis

  • max time kernel: 134s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240611-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-07-2024 12:23

General

  • Target: 1b4a34e0d73123d8678b8e9dcf71e75b_JaffaCakes118.exe
  • Size: 980KB
  • MD5: 1b4a34e0d73123d8678b8e9dcf71e75b
  • SHA1: 435e4b4ed57da91c57526f675da684fb1f4f27cf
  • SHA256: 2793769b0b5b8154971ffcdf6758ea9def6dfd75e3ebbfb1c3bf81aafeea401a
  • SHA512: 0b12049a9de7997b98c448b4bb05d2962dcfed5846856b5b6aa52b915ec4b58af46aafc481f88b62b7c961d2e44385f72334e3b6a6856b499453797594c76e00
  • SSDEEP: 12288:nj84YFQ/IeTLHQBLfgmFgvMbF4rYrPUXMWmf7O4FwlTcpreytAG9wrqCH5yCv1:nVAHr4/mzO4Fw1wAG925yk1

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC): Looks up country code configured in the registry, likely geofence.
  • VMProtect packed file (1 IoC): Detects executables packed with VMProtect commercial packer.
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
  • Kills process with taskkill (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 43 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b4a34e0d73123d8678b8e9dcf71e75b_JaffaCakes118.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\1b4a34e0d73123d8678b8e9dcf71e75b_JaffaCakes118.exe"
    PID:4220
    Signatures: Checks computer location settings; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\explorer.exe
      Command: "C:\Windows\System32\explorer.exe" C:\nod816.bat
      PID:2304
    • C:\Program Files\Internet Explorer\iexplore.exe
      Command: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
      PID:4376
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:17410 /prefetch:2
        PID:3016
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Windows\SysWOW64\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\Windows\mssoft.bat" "
      PID:4760
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\taskkill.exe
        Command: taskkill /f /im qq.exe /t
        PID:456
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  • C:\Windows\explorer.exe
    Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID:4808
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      Command: C:\Windows\system32\cmd.exe /c ""C:\nod816.bat" "
      PID:4580

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: df3b51cc5929f3af03350336b1afc568
    SHA1: 48453c44facbbea059f9da8565cf25b1c2cb9ce0
    SHA256: 2375353160c5f8c4cadce5954ff4a7cc5b9c403890f0404791ff85c8ec0dd748
    SHA512: d8eaa0761def6d74462748aa794198b5f32fa593662bf373c81e1d300f3f76ecc1c723cef52774caa6482527f26524fd2677a5e2253285cb6d0984b044347e8a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: d88882c2c4e8d4328ca1c22129dd11a6
    SHA1: 77410a39e16927c86e8649587eda322d0562b36d
    SHA256: 859f5d9deb56f81892956821debcd76cdbb885ef20580a97bea6ec6d0af37e79
    SHA512: 1920ee5e52a2a28abf38dfa7f7f77b1bd70beb3ff85e0b34cf35f6d2beee90311663d6da7141931fca2574a2fc0a173d40cc01427e0cf818fa97d7428ce4e4fb

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC1F8.tmp
    Filesize: 15KB
    MD5: 1a545d0052b581fbb2ab4c52133846bc
    SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2f2u7jc\imagestore.dat
    Filesize: 5KB
    MD5: b94a4f2601938bcaf22d965db4119e89
    SHA1: 1ea47d5ddce126c817b572d065a286fc7370ac44
    SHA256: d0fc76576ef8ecdd4d2eed78a5910ef1d46830aab8c1107559bcfc9d3606b356
    SHA512: 7c86c2975b1112250b6bfe736d0c92ac866acd50e0d9f7f0bb29783d3eef7ae6b2e55c748bf1505ca1872ffcbe67779d9787d3b20c335839e307fae2be581f91

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GU2A83AM\favicon[1].ico
    Filesize: 5KB
    MD5: f3418a443e7d841097c714d69ec4bcb8
    SHA1: 49263695f6b0cdd72f45cf1b775e660fdc36c606
    SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
    SHA512: 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NNUT9QBP\suggestions[1].en-US
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Windows\mssoft.bat
    Filesize: 25B
    MD5: 3d7c7b33e3c17d8a0ff01e4647ba538b
    SHA1: 1c6f75ddb631093d3f6563d00eb0e0b959779e38
    SHA256: f2b5fcb625c6d60c62be2d371d45910506c4a650e6e1a994d0f284740d764c8e
    SHA512: 9ac3b3359c342f8d1d5c7b31abbe5a3797b1d642e907d3c1e8706dc632ac1d9215c4eeaeed454e552217a44cac6e71a3c6bbdb670f0df5450922777bf3b84a15

  • C:\Windows\rxing.bat
    Filesize: 18.2MB
    MD5: de9b364971e516df97025c91f56a52b7
    SHA1: f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
    SHA256: 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f
    SHA512: 9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d

  • C:\nod816.bat
    Filesize: 374B
    MD5: c9c561c8d6c771461a8ffa1adfab82a1
    SHA1: ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
    SHA256: fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077
    SHA512: 1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712