Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 16:18

General

  • Target

    ea66de35fccee48b59a4b2f6b0a59443_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    ea66de35fccee48b59a4b2f6b0a59443

  • SHA1

    f7b5a0c65b4e0e625fa981189f7d641e3ed86b60

  • SHA256

    834700b75b173085d276886ca050cceba15c2ce3028b66d372447192e2772868

  • SHA512

    46e8f5f8eb12c9a8253e19149c47489a6ebb8ec5d0fa4aebb9c269c49ca74f78d69933e8be82a5739b5fe74c647ead1be4b58baf3128e5bbb8e8fdd236d72988

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials, cookies and session tokens.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
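The Explorer, RegEdit, Run-key and Winlogon signatures above all boil down to writes under a handful of well-known registry keys. The report only counts the IoCs and does not list the value names or data the sample wrote, so on a real host the practical check is to diff a clean reg.exe export against one taken after detonation. The script below is an added example, not part of the sandbox report: the key paths are the standard Windows locations, while both .reg texts are constructed for illustration (the Run entry name and the Userinit string are assumptions, not values recovered from this sample).

```python
"""Diff two reg.exe exports (clean baseline vs post-detonation) and map each
changed value under the watched keys to the sandbox signature it would fire.
Added example; BASELINE_REG and INFECTED_REG are constructed, not captured."""
import re
from typing import Dict, List, Optional, Tuple

RegDump = Dict[str, Dict[str, object]]  # key path -> {value name: data}

ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WATCHED_KEYS = (ADVANCED, POLICIES_SYSTEM) + RUN_KEYS + (WINLOGON,)


def parse_reg(text: str) -> RegDump:
    """Parse the subset of .reg syntax reg.exe emits: [key] headers,
    "name"="string" (backslashes doubled), "name"=dword:hex and @ defaults.
    Other data types (hex:, hex(2): ...) are kept as raw text."""
    dump: RegDump = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            dump.setdefault(key, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m is None or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith("dword:"):
            dump[key][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            dump[key][name] = data[1:-1].replace("\\\\", "\\")
        else:
            dump[key][name] = data
    return dump


def label_for(key: str, name: str) -> Optional[str]:
    """Sandbox signature that a change to this (key, value) corresponds to."""
    if key == ADVANCED:
        if name == "HideFileExt":
            return "Modifies visibility of file extensions in Explorer"
        if name in ("Hidden", "ShowSuperHidden"):
            return "Modifies visibility of hidden/system files in Explorer"
    elif key == POLICIES_SYSTEM and name == "DisableRegistryTools":
        return "Disables RegEdit via registry modification"
    elif key in RUN_KEYS:
        return "Adds Run key to start application"
    elif key == WINLOGON and name in ("Shell", "Userinit"):
        return "Modifies WinLogon"
    return None


Finding = Tuple[str, str, str, object, object]  # label, key, name, before, after


def diff_watched(before: RegDump, after: RegDump) -> List[Finding]:
    """Added, removed or changed values under the watched keys. Caveat: a
    value diff cannot see a write that re-sets a default (HideFileExt=1 and
    Hidden=2 are already Windows defaults); the sandbox fires on the write."""
    findings: List[Finding] = []
    for key in WATCHED_KEYS:
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                label = label_for(key, name)
                if label:
                    findings.append((label, key, name, old.get(name), new.get(name)))
    return findings


# Constructed baseline: an analyst box with extensions and hidden files shown.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

# Constructed post-detonation export; value names and data are assumptions.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kfzrtmcdsviftmn"="C:\\Windows\\SysWOW64\\kfzrtmcdsviftmn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\jkfupsiowm.exe"
"""
```

Usage: export each key with `reg export <key> <file>.reg` before and after, then `diff_watched(parse_reg(open(before).read()), parse_reg(open(after).read()))`. Userinit is the value to watch most closely here: the legitimate data ends with a trailing comma, and an appended second path runs on every interactive logon with no Run-key entry to find. Because restrictive Explorer values are also the Windows defaults, a value-level diff on a default-configured host will miss the Explorer signatures entirely; process-level registry write telemetry (Sysmon EventID 13 or the sandbox's own API hooks) is what actually detects them.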

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea66de35fccee48b59a4b2f6b0a59443_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea66de35fccee48b59a4b2f6b0a59443_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\SysWOW64\jkfupsiowm.exe
      jkfupsiowm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\SysWOW64\cjswpefx.exe
        C:\Windows\system32\cjswpefx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2588
    • C:\Windows\SysWOW64\kfzrtmcdsviftmn.exe
      kfzrtmcdsviftmn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4624
    • C:\Windows\SysWOW64\cjswpefx.exe
      cjswpefx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4696
    • C:\Windows\SysWOW64\vxljrhednceuf.exe
      vxljrhednceuf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4392
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    7278f5242464281c6473f2f411cb2df4

    SHA1

    6951eeccb79c86b3e5b3d24a0fa5d7b98466c132

    SHA256

    d3edc087b3dcc197352805db71fa314814d349c5c50d414a977acf660ddf211a

    SHA512

    37583492e4dbce220fe0e39da32806228f2a0ea19ebb0472b0423f08a5b9666ab6c63a60e2dc8b52f0323e1838c14edc236bf34eeb4783c949a6a4887bfd2454

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    419d9e31a6667f860f5d0f6f305d278c

    SHA1

    0f81efe2a4df3a598b98a40f56446629e3180070

    SHA256

    23cb406b0a25aca94be2b39f5e7019ad2fdfda46865e96739b44dfa996f206f5

    SHA512

    a69787722ccb298cd96c89d7957eb168ddee553998aec484f4e9933d43ef3b848f9c52e1e528cde9116b5dd6e1bc88f1272e4a37cb236d5698ad135089e85372

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    a5db7e8cfaa5aac62421513bcca3ec88

    SHA1

    2892f0aaad40d87b7aef9ccb286b9c5ed6f98dcc

    SHA256

    539d4ed112da638eef54e9fba5e852208f0505610d10f136dc8d8a7362bc8c28

    SHA512

    80f3bdf432ec463b3047eeddff610a51736831de3672f7aa5593c219f6a1ff2aab44f43c0577a72d3406e06b98593fcf8e5b36572ae99e1899ee2f8368b96a15

  • C:\Users\Admin\Documents\InstallSend.doc.exe

    Filesize

    512KB

    MD5

    55971677f8080e56eb6c3c69309708fa

    SHA1

    58c59e7802ed6e985440f10561d239684dcae9c5

    SHA256

    f23471d858841638eed68d058378d0e35895487c6d201e5d6a0bb1dd67d76541

    SHA512

    1e67c914ba3c3ac85251f7b8a6be826b4620d7b7e21c7f4b3f073d9bcd92497cf78222460e66e0aa550c3b69e78ef6afaa210e374f15c36808f93161159a2dcd

  • C:\Windows\SysWOW64\cjswpefx.exe

    Filesize

    512KB

    MD5

    ac55326d697d97dc9816c2269b169817

    SHA1

    75edf1144ddf86ffc7e4eaf666454db3291ea135

    SHA256

    57fd6dc107c8dd4410e9563afd9538caa732b2ca2c373462476d1401276fc2e9

    SHA512

    80f0e298236209a0bf485292e43f797462095355a67b863511e6aaaf5d596902d107705f2bfd3f04f67c1f9b57f027aad95af29453cd7e7d6d90035f396e71b6

  • C:\Windows\SysWOW64\jkfupsiowm.exe

    Filesize

    512KB

    MD5

    9783e791bed3f197bb1afadc3bc5c1f0

    SHA1

    41bd99160bfc429bb9849af2494d3cbb1695a43c

    SHA256

    54e2726694be75c28cefeaa7ab1748d9a1c68d24538961ddbb24b0ddda0fba01

    SHA512

    0157268741bb17968031b761ce76fbc5d789391195de795c03f0c1410fee455cb5418b61f1942d9fc0de2f7624b496fb7a06dd15adf23bb8a437630f2b0bc759

  • C:\Windows\SysWOW64\kfzrtmcdsviftmn.exe

    Filesize

    512KB

    MD5

    30c1497809d3a583b9791f03d0da1c95

    SHA1

    3f851059a8073c4047b0a169d158254adcc8279e

    SHA256

    c5980ae8e72a6926528edb82efc569dc43b8d0ca40ae45f11a5d5c2594cf1ba5

    SHA512

    ddaf60060532eaec400df785a050a2b668d6e89b7d227532abf8f32ce739bdc406eb5fa59b3e2aacf8be488b5638cd1fbb49e51d73faaa27c5f69581c569d3f2

  • C:\Windows\SysWOW64\vxljrhednceuf.exe

    Filesize

    512KB

    MD5

    ae1545a9d77688f82342d0949dc8beff

    SHA1

    a8278d47250a5d03c4a962ad61b7cc8fcc874ecd

    SHA256

    22008022f49f0b7b7fa26aad14624bb9040bffacf9208b0b7ddea650c9454a2b

    SHA512

    3125bcfcbc24b954cfd8211687b8f9e823f2b234d5248474ac2bc4847767f8516575e43cf78134d1e3757bb44fd918ac182218722b2692673682df00e662f72b

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    6a58553e93df579090eaecfed3ce6d4a

    SHA1

    638992cf112fac9be0b1bc85487fde89fb1c31aa

    SHA256

    866aa3bbf7720cb6dd09588bb75aa9d4336a820c9bd6b3589d1a50464affc32f

    SHA512

    938cff2e3d0c0ba2e47501ddffba601a83448ca53a8213aa1d062aa0826bda74a2d6f6f0071238c50c1c83686ab0b10edecb9caa9898cfd695dd160358e02685

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    54a233fd8b9aeafc244aa9c1d5cfaecd

    SHA1

    1b48bec890ffd29144296e791a284a2d00ab1f6a

    SHA256

    97d83bfa1eb57873d9e23ed1412033854f3a62cc34a070e3f7dd8bb6fdd90fa8

    SHA512

    4a5e4dfd70e7cccd1ef206da6ad552f0cfdd413f85d0afdbb687a298574727291880227c960b8b400aeb70ed02e9a57353fc93a7081686d3967222e6b815b171

  • memory/2900-50-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-132-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-44-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-45-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-46-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-48-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-47-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-49-0x00007FF817E90000-0x00007FF817EA0000-memory.dmp

    Filesize

    64KB

  • memory/2900-133-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-51-0x00007FF817E90000-0x00007FF817EA0000-memory.dmp

    Filesize

    64KB

  • memory/2900-41-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-42-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-40-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-39-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-36-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-37-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-38-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-35-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-107-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-108-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-109-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-131-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-43-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-136-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-135-0x00007FF81A7F0000-0x00007FF81A800000-memory.dmp

    Filesize

    64KB

  • memory/2900-138-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-137-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/2900-134-0x00007FF85A770000-0x00007FF85A965000-memory.dmp

    Filesize

    2.0MB

  • memory/3160-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
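The Downloads list is the part of this report an analyst actually reuses: every dropped PE is exactly 512KB like the submitted sample yet carries a different hash, several are written with a document-looking double extension (.doc.exe, .DOC.exe) into Office and MSDRM directories, and MsoIrmProtector.doc.exe appears twice with two different hashes, meaning the file was rewritten during the run. The script below is an added example, not part of the report: it parses the list format above into records, normalises the \??\ NT prefix, and tags each path so the hashes can be fed to a blocklist. SAMPLE is an excerpt of the report's own records with the MD5/SHA1/SHA512 lines trimmed; the lure-extension list and tag names are my own assumptions.

```python
"""Turn the sandbox 'Downloads' artifact list into tagged IOC records.
Added example, not part of the report: parser and tagging logic are mine.
SAMPLE is an excerpt of the report's records with MD5/SHA1/SHA512 trimmed."""
import re
from collections import defaultdict

FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
PARENT_SIZE = 512 * 1024                       # submitted sample size (General section)
LURE_EXTS = ("doc", "docx", "rtf", "xls", "pdf", "txt")  # assumed document-lure extensions
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

SAMPLE = r"""
• C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize
512KB
SHA256
d3edc087b3dcc197352805db71fa314814d349c5c50d414a977acf660ddf211a
• C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
239B
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
• \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize
512KB
SHA256
866aa3bbf7720cb6dd09588bb75aa9d4336a820c9bd6b3589d1a50464affc32f
• \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize
512KB
SHA256
97d83bfa1eb57873d9e23ed1412033854f3a62cc34a070e3f7dd8bb6fdd90fa8
• memory/3160-0-0x0000000000400000-0x0000000000496000-memory.dmp
Filesize
600KB
"""


def parse_size(text):
    """'512KB' -> 524288, '239B' -> 239, '2.0MB' -> 2097152."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if m is None:
        raise ValueError(f"unparsable size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def normalize_path(path):
    """Drop the \\??\\ NT object-manager prefix and upper-case the drive letter."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_downloads(text):
    """One dict per '•' record; a field name on one line, its value on the next."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": normalize_path(line[1:].strip())}
            records.append(current)
        elif line in FIELDS:
            pending = line
        elif pending and current is not None:
            current[pending] = parse_size(line) if pending == "Filesize" else line.lower()
            pending = None
    return records


def tag_record(rec):
    tags, path = [], rec["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    is_exe = name.endswith(".exe")
    if re.search(r"\.(%s)\.exe$" % "|".join(LURE_EXTS), name):
        tags.append("double_extension")      # masquerading via double extension
    if is_exe and path.startswith(("C:\\Windows\\", "C:\\Program Files")):
        tags.append("exe_in_system_dir")     # the 'Drops file in ...' signatures
    if is_exe and rec.get("Filesize") == PARENT_SIZE:
        tags.append("same_size_as_parent")   # every dropped PE is 512KB like the sample
    return tags


def triage(text):
    """Group by path; a path seen with more than one SHA256 was rewritten
    during the run, so every hash seen for it belongs on the blocklist."""
    by_path = defaultdict(list)
    for rec in parse_downloads(text):
        if not rec["path"].startswith("memory/"):   # memory dumps are not files on disk
            by_path[rec["path"]].append(rec)
    out = []
    for path, recs in by_path.items():
        tags = tag_record(recs[0])
        hashes = sorted({r["SHA256"] for r in recs if "SHA256" in r})
        if len(hashes) > 1:
            tags.append("rewritten_during_run")
        out.append({"path": path, "sha256": hashes, "tags": tags})
    return out
```

Run `triage(SAMPLE)` (or paste the full Downloads section in place of SAMPLE) to get one record per on-disk path with all hashes observed for it. The same_size_as_parent tag is a hint, not a verdict: identical size with differing hashes is consistent with a self-replicating sample that re-encrypts or re-keys each copy, but confirming that needs the binaries, not the hash list. Hash-only blocking is correspondingly weak here, since the next run will produce another set of 512KB files with fresh hashes; the stable indicators are the drop locations and the .doc.exe naming pattern.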