20bfa115a8606b230d4e6a1fc7ca7fda8f623b0a783a0cfbfa09201a8ba63909

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a6a7eb140ac1c9ef0036af6880645a.exe
Size

288KB
MD5

65a6a7eb140ac1c9ef0036af6880645a
SHA1

495a0a275b06b7db09b20adf32085d143143c590
SHA256

20bfa115a8606b230d4e6a1fc7ca7fda8f623b0a783a0cfbfa09201a8ba63909
SHA512

5595ddaafbb64f169a2af0b55ef96414b325505ae40c5aec169be0a8c2bfadf2e3dc594714f89829a8597de479cda1b746fb3784bc7f3632c75158e26a162795
SSDEEP

6144:wejcki1BSRm6W2k5F0f2t6b+vClRHUcivtJOkRGP07ByaB22U9F/R:wejckifOm67oFZt6KqlKRvtJOkRGmwtJ

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	jfj.exe

Loads dropped DLL 2 IoCs

pid	Process
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\jfj.exe\" -a \"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\ = "Application"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\DefaultIcon	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\DefaultIcon\ = "%1"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start	jfj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"	jfj.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\ = "exefile"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\jfj.exe\" -a \"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\start\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\DefaultIcon\ = "%1"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\jfj.exe\" -a \"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\DefaultIcon\ = "%1"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\start	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\DefaultIcon	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\DefaultIcon	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.exe\shell\start	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\ = "Application"	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\open	jfj.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command	jfj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	jfj.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2948	65a6a7eb140ac1c9ef0036af6880645a.exe
2196	jfj.exe
2196	jfj.exe
2196	jfj.exe
2196	jfj.exe
2196	jfj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1976	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe
Token: SeShutdownPrivilege	1976	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
2196	jfj.exe
1976	explorer.exe
1976	explorer.exe
2196	jfj.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
1976	explorer.exe
2196	jfj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2196	2948	65a6a7eb140ac1c9ef0036af6880645a.exe	28
PID 2948 wrote to memory of 2196	2948	65a6a7eb140ac1c9ef0036af6880645a.exe	28
PID 2948 wrote to memory of 2196	2948	65a6a7eb140ac1c9ef0036af6880645a.exe	28
PID 2948 wrote to memory of 2196	2948	65a6a7eb140ac1c9ef0036af6880645a.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\65a6a7eb140ac1c9ef0036af6880645a.exe
"C:\Users\Admin\AppData\Local\Temp\65a6a7eb140ac1c9ef0036af6880645a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\jfj.exe
  "C:\Users\Admin\AppData\Local\jfj.exe" -gav C:\Users\Admin\AppData\Local\Temp\65a6a7eb140ac1c9ef0036af6880645a.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2196

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\jfj.exe

Filesize
288KB

MD5
a73e1620b8278f3a9d40e362654556cd

SHA1
26edc08f6e04419ad39c9d5431727af959e866b8

SHA256
2f2f860bdf4a0e1984422e9abedfadbcf64fbdd5c642361f55116e007c3dd2c4

SHA512
8eeae100ab705708c03b66f85cf982645447b40b5a1466d958ff78a9d8430a9638ae888f54d883ec9ef6864d2d1671baaf2a22231ee637a1872b4e7033b17bc2

Download Submit
\Users\Admin\AppData\Local\jfj.exe

Filesize
41KB

MD5
636ff03b241e36047f7e42f55b28dd8d

SHA1
6c40b90a9cf451ef72305046e58c53d1e741e867

SHA256
b57a852da09411bb066b6fde6e8e50814d782fd129061944d14f2e575d959cb8

SHA512
5c95fb7936539a4fd1462fb53a2d9f3a545d0345d204c71f81f8aa2a3f3d8c620bbf157bcf20a6a7bdfd147fa9c96672aaf3bd3754edc8aae5ce8244df8bb4d0

Download Submit
memory/1976-51-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/1976-25-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1976-17-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/2196-41-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-28-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-54-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-52-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-18-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-19-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2196-20-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2196-22-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-24-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2196-26-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2196-49-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-15-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2196-30-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-32-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-37-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-39-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-47-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-43-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2196-45-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2948-0-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2948-1-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2948-2-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2948-4-0x0000000002350000-0x0000000002607000-memory.dmp

Filesize
2.7MB

Download
memory/2948-16-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download