Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 06:05

General

  • Target

    048866b558a343c2f35aeb4bb4421502_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    048866b558a343c2f35aeb4bb4421502

  • SHA1

    0af31d426a1c4a947a11b437b9778fa4d8ec47e2

  • SHA256

    db3ba4ab4b8a631ffcf16fcfe79e39cb56d73f2880974db02ef48621b52a4062

  • SHA512

    ecd7c188e7d6372652b38788322723ed23f067636102f260bbf04832cb97c35e7bbb0d4087a316a8ab5cc418c6b6e79598a3e212188aacb5925228341b046f17

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\048866b558a343c2f35aeb4bb4421502_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\048866b558a343c2f35aeb4bb4421502_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\SysWOW64\yseozfxuyj.exe
      yseozfxuyj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\uzrmsqro.exe
        C:\Windows\system32\uzrmsqro.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3444
    • C:\Windows\SysWOW64\hhdjvrszuulgyqj.exe
      hhdjvrszuulgyqj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1084
    • C:\Windows\SysWOW64\uzrmsqro.exe
      uzrmsqro.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3292
    • C:\Windows\SysWOW64\zsfkvpgprehqb.exe
      zsfkvpgprehqb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1136
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547) 2
  • Registry Run Keys / Startup Folder (T1547.001) 1
  • Winlogon Helper DLL (T1547.004) 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547) 2
  • Registry Run Keys / Startup Folder (T1547.001) 1
  • Winlogon Helper DLL (T1547.004) 1

Defense Evasion

  • Hide Artifacts (T1564) 2
  • Hidden Files and Directories (T1564.001) 2
  • Modify Registry (T1112) 6
  • Impair Defenses (T1562) 2
  • Disable or Modify Tools (T1562.001) 2

Credential Access

  • Unsecured Credentials (T1552) 1
  • Credentials In Files (T1552.001) 1

Discovery

  • Query Registry (T1012) 4
  • System Information Discovery (T1082) 5
  • Peripheral Device Discovery (T1120) 1

Collection

  • Data from Local System (T1005) 1

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    0cc3b6fe25c922c471d5444d415e13f0

    SHA1

    e728b350e248b6dedc2e41755d64d18818bd113a

    SHA256

    dcecf8ab9f57658252ce6f41ea0bd5ac5192ee71ff3c4a5163b646d565a8c490

    SHA512

    ec23bbbd9b8e4eb8aab116d1957908267f7391a6c144299ea3f3b7cf38cfa7081a93683b21f4a113403c69789d2557a9ee06f7d1440e3977929c4882f36c0f46

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    a7ee00a1b8cb01b6cd74548724b39167

    SHA1

    7b4b64a1fb3e51c552892d03b1f7dac69d45c461

    SHA256

    4b3b779a8e22e6fbd00ed6380070144d1fac1af6923397b3a163002905b8a366

    SHA512

    0621d4f4df5c87cde7041155330551fa91e0c2cd5b37036aaed09773d994e2610313b54684e90ba07bad8624ba7991a1c6b34d2af728150f6148f9d83c6ca8cc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    602dad6ee0e60cde6698692534ef100b

    SHA1

    c3e20be4cf62746964ff865964f4f354d412bfac

    SHA256

    596069f7c5d4c9cea8266af60fcc730fbaec42eb5dd0c6f4203e463b742fb598

    SHA512

    bc1fdcc479d9d46977847557985ca1744f1d4f135da27d82dd2f131419c16fbc70968eb27458a1769e59a9a166847be39aa81b82936e39e753d578ee13df8669

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f2b02cff0e45ba7939c3e4fdbb8cd4ee

    SHA1

    7872c024c6f9fed82e0c30ac4f5470b68a8ade99

    SHA256

    bd2accee819a21ac736896a93138bca43b60c486c50e308c119b579521f2b325

    SHA512

    08c833b1f4e5d2fd794d6d807c9b9c4060361fb29920f4e122217e1133355531ce0965afae0ee54701188c4b1b578e719e0b10e4f1ffd4a37e8413676e1acf1e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a9b47b04db06a098aed742c830aa6b20

    SHA1

    14c7b2998fb5a359ff913da10330a434a6b2c742

    SHA256

    86cd4e165602bac8acd642e34adc975edec6cf02f651c632ef8ad284ab8530e7

    SHA512

    b4837e8197a86821ef47e0897666fb6dc92661df9a501224eef25a590e950554f18cdb85c3483f2894b7085cfd08ed0fbce83743684e6405be7a1af515568c65

  • C:\Users\Admin\Downloads\UndoGet.doc.exe
    Filesize

    512KB

    MD5

    cecad4491bf44ed962cf3cc60d5304bf

    SHA1

    84aba3b82a4bbdb1a8bf8893d96cbacf5a91515e

    SHA256

    865c2586c19c87dc31bd01943a06238438fb917545fdd297f63cf05ac9e23000

    SHA512

    0c6bee1430c5ffb5c2594369532265e37ecb3a548738c47163f586fdfb7619c8a1f6b81163fbfb65f0cda1c9a09231f5a1495ee41e1e9efcbbea46004ca38f57

  • C:\Users\Admin\Music\ShowMerge.doc.exe
    Filesize

    512KB

    MD5

    188b89bfa8947bec01a8cbe512a4ef65

    SHA1

    9b4ebfea8133f53194c1b2d50e2ade6ec9799643

    SHA256

    6a52ae0e994cf4d9840f7d211ada6f2eca0c0f12bdd857604c1d03f9c3900d24

    SHA512

    c42b325f79db693fb3f43cfe089f3e82ebd766e0533311ac1cff3d31c702787e50a9a9028adb9cdc445b6600a24acbd300a896c54e51d5a65fab312694e27a34

  • C:\Windows\SysWOW64\hhdjvrszuulgyqj.exe
    Filesize

    512KB

    MD5

    3093801c3b9bd13d472abe8636b61fea

    SHA1

    363bc6fcdba4cc8cea5514b49a7c7bca69b34981

    SHA256

    78844120fa6f5b9a32d06edc1b24ca8d4c3509cd7e82c800fdc1889a933c984e

    SHA512

    ba089fe2260308458cbb833ba8f1b94f7ec38daf5fb2ba68c3f4da73d055c07e8724ab79c06497c93846e11122685733befb447cc1c4e40caddc909ff29c74fd

  • C:\Windows\SysWOW64\uzrmsqro.exe
    Filesize

    512KB

    MD5

    ead67ba8bec973e51c290254e0794b8e

    SHA1

    fbe54ba0a8d2bf7344bdb3e838416a813258d4ee

    SHA256

    f8d5ffaf0d2625fbdb4fb9836be4ad8b90b3565c16d50066fd44fb439bb86e8c

    SHA512

    2acf9a5a600c841fbf2fea76b505805d312ec28dd687c941d4927881f90918111c5dc5710db8e240760d24fb44d4eff0c351a3bff7268ed264c84d110c147652

  • C:\Windows\SysWOW64\yseozfxuyj.exe
    Filesize

    512KB

    MD5

    62cde52fe4b1d0be4c882a7b7cafcfa4

    SHA1

    04663944567b9dd1a8e0418bd001904422d5ac81

    SHA256

    34bae6a3e9e9e4cd93b4aa55d4b40fc38062246b23d3fa73db675e8eb1f1ecac

    SHA512

    7f1e2f0c3c41b0f14cc6bf01e166f1ec3328dddcf7bfc45d956645f7fea97295ee9e88ed14234570f47f335ce79d4e9f3dbc8882cd993e56689d1e422870f6eb

  • C:\Windows\SysWOW64\zsfkvpgprehqb.exe
    Filesize

    512KB

    MD5

    bf3dda53719d68afdccbdc1e1c111a1f

    SHA1

    4f2c6d8a5b4042102170736ad0c452307e598f98

    SHA256

    5192168a032f221123dec20fb3efd6af4dc7d8cdc6d45773012a4e0ac0daf8b4

    SHA512

    77c86aa0716bac821525ac8bd6c386db362d580e0228b4c857640224db4af75aba0d9178bdebfd3cfd4eb50e220a8c133c14f4032589a51c069bb7ec9ae29316

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    0c0ee514cf94f289ddd716cdea81c6e2

    SHA1

    e43ad222220a61a4ec9d4f5cabfdfada5863d2ec

    SHA256

    f041ec79485ed36b92af4620831665df355efc8d3f6ae8a0d6e372f9b32046b1

    SHA512

    7f1ff64a0e0b65beafb5679846ca36cc6456dfd2c5a2e71db33f04b75887696a1e56459cfb48d9257e5aff3acaf7b2770625b55b78e9739ececfdf7f03485273

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    6d56b6da0957e6c0e7fff634e47516c7

    SHA1

    eeaf552949cae0176b6be562bca5eacafba47f47

    SHA256

    bbd185f66cc8eb5edfd32eb2413593c0973c52da86cde723d3b08be14b7b80e1

    SHA512

    71d162a3e8ddd97820e24d141928d5ec9484c87ef058636b4659fe98eea6ce0b872156fe18d412dc52089b92594b4f355d743fd72e68495890a255cccd9018b6

  • memory/116-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4332-41-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-40-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-38-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-39-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-37-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-42-0x00007FFB826E0000-0x00007FFB826F0000-memory.dmp
    Filesize

    64KB

  • memory/4332-43-0x00007FFB826E0000-0x00007FFB826F0000-memory.dmp
    Filesize

    64KB

  • memory/4332-127-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-128-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-129-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB

  • memory/4332-126-0x00007FFB847F0000-0x00007FFB84800000-memory.dmp
    Filesize

    64KB