Analysis

  • max time kernel
    149s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 09:54

General

  • Target

    04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    04ed51cbe1459f77b58a943ff3c3d29a

  • SHA1

    861ee131f85817baaff034251cd3241843131265

  • SHA256

    0f4cbeaeb904a1dcf09d12018ab867d52ef6a9f3c5a45cd72362479b3f39d446

  • SHA512

    994e07bad6535762ae9f9c21abbb8772f0921261814f4d19c44d65a0aa4372b400fb9078efeb19e3d56fbc1460733f2a2ec651851df4986ecefb37d048a9c959

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04ed51cbe1459f77b58a943ff3c3d29a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\tvryxhiunb.exe
      tvryxhiunb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\SysWOW64\xcmwahuy.exe
        C:\Windows\system32\xcmwahuy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4348
    • C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
      uuwnhepwgtnajwp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\xcmwahuy.exe
      xcmwahuy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4560
    • C:\Windows\SysWOW64\xgqbwwlptqbwu.exe
      xgqbwwlptqbwu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1984
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3100

Network

MITRE ATT&CK Matrix ATT&CK v13

Techniques are grouped by tactic; the number in parentheses is the hit count shown in the matrix.

Persistence

  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Defense Evasion

  • T1564 Hide Artifacts (2)
    • T1564.001 Hidden Files and Directories (2)
  • T1112 Modify Registry (6)
  • T1562 Impair Defenses (2)
    • T1562.001 Disable or Modify Tools (2)

Credential Access

  • T1552 Unsecured Credentials (1)
    • T1552.001 Credentials In Files (1)

Discovery

  • T1012 Query Registry (4)
  • T1082 System Information Discovery (5)
  • T1120 Peripheral Device Discovery (1)

Collection

  • T1005 Data from Local System (1)


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB


  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB


  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB


  • C:\Windows\SysWOW64\tvryxhiunb.exe
    Filesize

    512KB


  • C:\Windows\SysWOW64\uuwnhepwgtnajwp.exe
    Filesize

    512KB


  • C:\Windows\SysWOW64\xcmwahuy.exe
    Filesize

    512KB


  • C:\Windows\SysWOW64\xgqbwwlptqbwu.exe
    Filesize

    512KB


  • C:\Windows\mydoc.rtf
    Filesize

    223B


  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB


  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB


  • memory/2896-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/3100-43-0x00007FFF03DA0000-0x00007FFF03DB0000-memory.dmp
    Filesize

    64KB

  • memory/3100-42-0x00007FFF03DA0000-0x00007FFF03DB0000-memory.dmp
    Filesize

    64KB

  • memory/3100-39-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-35-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-38-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-36-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-37-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-125-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-126-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-124-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB

  • memory/3100-123-0x00007FFF05E50000-0x00007FFF05E60000-memory.dmp
    Filesize

    64KB