Overview

overview

10

Static

static

5

03c0939221...18.exe

windows7-x64

10

03c0939221...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    03c0939221cc821ef6e2c3aba337b6b3

  • SHA1

    8aa2dcf1b9fa074a4768b1e8f4cf8549cd23d574

  • SHA256

    9c633bf015525e859c9eda2f617c57e186621a1aaf8425bc8b3957699fe3dcff

  • SHA512

    199ef1ce49d1e1a7d2763d767d8463c0625bf402e70c53f9210259605c887edc943813c408d260c0d71dfeaaabc0c98ed253dfab7e8ac31788e85880073dbc5b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03c0939221cc821ef6e2c3aba337b6b3_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\hoqhndukez.exe
      hoqhndukez.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\SysWOW64\jxdrhqcs.exe
        C:\Windows\system32\jxdrhqcs.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3580
    • C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe
      tedgbewhtlxhtdn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2592
    • C:\Windows\SysWOW64\jxdrhqcs.exe
      jxdrhqcs.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1528
    • C:\Windows\SysWOW64\hhojiepeyhbap.exe
      hhojiepeyhbap.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2140
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    4212f3b35083714e27745cb3d98300bf

    SHA1

    a14212d5cfd561755afd4d71d916fc01bbe1c638

    SHA256

    ef11027ba8284944a7e5d94964f0cd84223122e91e69218291fc3861dac3f379

    SHA512

    b159e626c45bfbfc2a4762373d6db20afe343a3945d1a313aafa4fdcbcb9581acedff4b937cde6caf44340121ddf0fc6c0ecf7e99e6f649a574f80363cb68d88

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    cf10c47ef6cc0a051d6c73910b8314de

    SHA1

    359d6447051289ce514d93ffd2e304adc5feb12b

    SHA256

    aa8f77594d23808de4639d3e77dd9778205df82206660069998f96c0f9fbabed

    SHA512

    62629d1d0f97ed9f92810e9c1e9ec7ea8894d4b2c56a869eef9dae4f304955d1512614bbbc6ec356588236b75f946078766226756c57f7dc126ea679d2918a99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD7F6B.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    b9e1c83ef2ca0d7502a22dab38c5c0d5

    SHA1

    514b446026670de1d7fbfe390ffff7a6a47311cf

    SHA256

    e374f4495b7d39c19d88d5303e45924b1330dfa17b231aee726f53f2572a811b

    SHA512

    94251b72c4c0501a4612bef07e569947c681425330f9b2cd2358ce5083662bf8a79bd206e7ea9d2327b07eb71a190486027dafe43dd1313a9a1d0279694b2091

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    e0f4f22debdd7d43668a8637aa2df8f5

    SHA1

    65afb52f6e95b67c127c3ba2dd75168bd135ba1c

    SHA256

    a0adb847a9110859c21bc667d73fb73fd7fbb59650abb9fbb7ae73bbf083efbb

    SHA512

    cd03f642c67c70229035f90c9df1fe53e04c97db129fbf69175348287e6ebb8c2993723ee887abfb2bd8024ad1efd81a21645014706a6b3d7b7ed8a4cf07b494

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    98e77ed950a6b6d2e5a2bcb82bffc570

    SHA1

    19f49783b00d70dfc7306bf790533adec4e9707a

    SHA256

    11a2302b104d347466390e0ce4db7169a6b66551e9c3b26ab48c47787f59e9be

    SHA512

    8f7f2dca0fda466b13cfd5e081784291dbefcf32614717ed615369eafff462e0d064e3b1795223a4307438e01de6ea3bcd5b09a02b4e01748c42b814744804f4

    Download Submit
  • C:\Windows\SysWOW64\hhojiepeyhbap.exe
    Filesize

    512KB

    MD5

    767f44e4bd35a198107e81eafa1ca34b

    SHA1

    11146042bcfbaf9b04c49d0d7f6ff901ac0acb9e

    SHA256

    c0281c800ff91e2231f09ae4a03faf41b8fb46a8b67ba9851413135255e4e426

    SHA512

    7052ace8b8058778d1a88c44be7ba6ac8bfdb2cd6358811af3671cd1bd250cd9a1900683f35acc5c08c1eaa69ce76873c9c52d37ea03fa6332c60e745959109b

    Download Submit
  • C:\Windows\SysWOW64\hoqhndukez.exe
    Filesize

    512KB

    MD5

    5466049bbba5dd7a807a24205aa1824b

    SHA1

    5d0f2bc9c73125b6b82b11381c9028ea7a195ded

    SHA256

    0ef78ff75810497ecac5e5dbefb9d808759e4b1471bc2378de380c6281f26089

    SHA512

    91ed35190a9fdfdd972dbf776320369ba0a3a3af67c800945b88c9da441ececdec2e5bd7f163f719230bb3a08d05a5c2a148880521f82c0f094f0f68ebcdcce9

    Download Submit
  • C:\Windows\SysWOW64\jxdrhqcs.exe
    Filesize

    512KB

    MD5

    71340d7c9f83f2f987436beb6b8c728b

    SHA1

    817008e29934a5978123e751036227614b8fba10

    SHA256

    4a9a3054105855ada899b1304e1b7eafe3b2f3e82b6472ac2945316b3b5d7845

    SHA512

    101dc3a945d27a215e1bac3850ef536ce93b441e92ebb16610d0a14c4bd064f961f268ddaf7dce5423b568ed655239f17be12d5aaf955d7f97989b207e0b7f4c

    Download Submit
  • C:\Windows\SysWOW64\tedgbewhtlxhtdn.exe
    Filesize

    512KB

    MD5

    0f26f169d5b1dcf790d2c34bc151b324

    SHA1

    30d37ed4bbf48b7066f0ddefd7c1a49018389675

    SHA256

    17d8bf625a6804b4b9a36ea2468a035a49966b6321f22e23c2810823372259c9

    SHA512

    6be9718351c325dc87e895cfc13752bf1b1687413de526d260b447ddd7aa5d923fe10cd308f37126ec1b4d789f4c5273c5d770a691c7f92b59a227548f8c415e

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    70a20d80add471ad2b2673ec565c5272

    SHA1

    1b31011a6936f3a21d2d3dbfa575f378aef9e806

    SHA256

    d78e2fa40b4035de6002f10f62f6df95f354762618c06b028757791a8b03785c

    SHA512

    a67412e3218ba3fcbba8065396c55d5e9811384368f107b4123731485617327be980737a1a9241428433a541c73c45bea2a8d5c36ea80567844c7d737088b7f4

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    2c21a4e6af97c6df1deecfaf28beaf54

    SHA1

    6dc75ac3c1f8e9aea62ce940b8b40911db7e32c4

    SHA256

    660d27d786455a9b81c5b3b16e1edbc356fd8de4b49eeb47888bc31ac45735ca

    SHA512

    8357432e6c1ced90f14207b934549f866d003850eca31f8c50b84163a837ed924a0f26ee7d82c338ef2972dbe35301fb11d8586fee6cd4b5d7c93d622faafee7

    Download Submit
  • memory/2112-587-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-39-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-38-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-36-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-37-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-40-0x00007FFCB5250000-0x00007FFCB5260000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-35-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-41-0x00007FFCB5250000-0x00007FFCB5260000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-588-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-589-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2112-586-0x00007FFCB7730000-0x00007FFCB7740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3112-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download