Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 16:04

General

  • Target

    05906c39cad698da162ccf37f3964228_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05906c39cad698da162ccf37f3964228

  • SHA1

    0cf0214a3cb6a32e5bc139d6dcff6b7cbb2bcd88

  • SHA256

    e1d59c5b329a280bc03ddc31f57e993eb14fb4afa7d80c4feb7b99c787699065

  • SHA512

    3654a9d697e49d2c245d6dd82c49e5e5db9eedb347e7349d443e9a2247115a15fc27294f3def10a83a71a241fc4266e50d84b4d6633eb5304e139c3b9869c26b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05906c39cad698da162ccf37f3964228_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\aukndlxjlx.exe
      aukndlxjlx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\bcavxpqn.exe
        C:\Windows\system32\bcavxpqn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:524
    • C:\Windows\SysWOW64\jxwnerabjzojkim.exe
      jxwnerabjzojkim.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:876
    • C:\Windows\SysWOW64\bcavxpqn.exe
      bcavxpqn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1568
    • C:\Windows\SysWOW64\srsciqapnrjdk.exe
      srsciqapnrjdk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1320
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:784
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (2)
    • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (3)
    • T1547.001 Registry Run Keys / Startup Folder (2)
    • T1547.004 Winlogon Helper DLL (1)

Defense Evasion

  • T1564 Hide Artifacts (2)
    • T1564.001 Hidden Files and Directories (2)
  • T1112 Modify Registry (8)
  • T1562 Impair Defenses (2)
    • T1562.001 Disable or Modify Tools (2)

Credential Access

  • T1552 Unsecured Credentials (1)
    • T1552.001 Credentials In Files (1)

Discovery

  • T1012 Query Registry (2)
  • T1120 Peripheral Device Discovery (1)
  • T1082 System Information Discovery (2)

Collection

  • T1005 Data from Local System (1)

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    51c7d05608434d91c8c11466b0aa576e

    SHA1

    2a0befabe3b5baecdb56e675de35d0ea9caccdaa

    SHA256

    08293eb5061ef6f69181cb348c7f025637f1cfe5c82ad88747404ca32edb508c

    SHA512

    5af81a4d2956f9a990fcfe7a0d2a47a0ec225820accebec60c1f836993c19b3ad7ac5e52d4ad4e389af40dc8ec0acf970ef9aedf7d1be005bae9ce8f3b7e1716

  • C:\Program Files\ExitSync.doc.exe
    Filesize

    512KB

    MD5

    1e9167016f4bf5c402b2b69d7fa388b0

    SHA1

    003038c8b333a4c815e1df02769c1506674cdf0c

    SHA256

    022e32fe0af6805d032fb233ee8a417f9c629909b3c36862d4b7c298d9a3b321

    SHA512

    aadbfbaf7e170d42fd36354ebe89002f97bd46a51caf93883e695cc5dd785b8d6f5a953527c9418a84ae9d7b2e911100e02c121b46f25706f6b24f394fb73064

  • C:\Users\Admin\Downloads\SelectSkip.doc.exe
    Filesize

    512KB

    MD5

    9ba0f12057732b95193cccadcd1e8058

    SHA1

    d564f0a9de4f9f49687b49db94aa71dc534b1747

    SHA256

    4ebb1278b2f72a2cff6643159b9c0921d9df8e563b20c7ff1253636d5b01d467

    SHA512

    757e2e3a22e7dd23612d8960c0dc09a7fb6080746301d981a69b0e74d94db4604d9c8ab84075160b575ae8cb7f89018147fd2ea604106ff68ef5a63ffdf53c40

  • C:\Windows\SysWOW64\jxwnerabjzojkim.exe
    Filesize

    512KB

    MD5

    57556626fd4b7c3138aa57451daf8269

    SHA1

    c255acdc67932ad68a767087fb0736e1ed131501

    SHA256

    45c97ed5e706d32047ef7d583683b540090189b5819511f6a9fc2e1d4b1f5184

    SHA512

    146766fbc68bffc8e31ada4f63a2bec0e78fc3b3bb0e6fd49ad9972b09be86eaf8d1aa5d793f721dc75b21953769b7202061a2eb33bba5c86f5238f0dd3afba0

  • C:\Windows\SysWOW64\srsciqapnrjdk.exe
    Filesize

    512KB

    MD5

    e8f66fcd7694c8717f0f4efcb8a894f9

    SHA1

    c06fdc67f3295dff31ef5e20a88df7d414e66cb2

    SHA256

    4604ed33df6394399a695d50a7ada4ca8aa050126a9150308315f9967c0a0066

    SHA512

    5520dddc4d4edba2ff86ac0ea027c13dd3cd33607e7a8720a345ce967efbcfb7a97aeedfcbf13b9c71b472c2133ee03a6c886bf5e05f96484b465329b6f253bb

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\aukndlxjlx.exe
    Filesize

    512KB

    MD5

    30e6950269e4dfd76d86cdfbe5a66028

    SHA1

    df46283418daf2c81683e7c35c3289892669ce23

    SHA256

    f05bb13d00917f1bedb95d1cd3d518988fce1afc6a20c33a89bbb055133814f9

    SHA512

    f03ada1686a2c11b667bfa4cc0d4461b8ba819d52492cd237fa7d606935198863b679f2751472bd88b7493b2998357e9ae3a400a52a3610e817b3be67d693809

  • \Windows\SysWOW64\bcavxpqn.exe
    Filesize

    512KB

    MD5

    feb61eff3c401509184485582362cf6f

    SHA1

    fe4781512cf064dc4b01f99de50cce9a9d830af2

    SHA256

    db3dc8ab01ea5111810c6dca3ad3e6c3ccc270f16e3e7a54849faafed162c92d

    SHA512

    c33cdb2cf3fa7fa56ce835010902a768547d140511f0333c90e7d7c93076e22a32f289f06395f4d2ca4f653a9506df4cf13d57b954c497a35983d7aa6f68113a

  • memory/784-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2240-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/2552-90-0x0000000002590000-0x00000000025A0000-memory.dmp
    Filesize

    64KB