Overview

overview

10

Static

static

5

f5441e675d...18.exe

windows7-x64

10

f5441e675d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 07:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f5441e675d9e0e6453ec9ecf8cfe8bea_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    f5441e675d9e0e6453ec9ecf8cfe8bea

  • SHA1

    095dd32280f4fb97e439ffc551bcd2ffc3f0a050

  • SHA256

    82d8f7e5b4df88d9743b8ca4a1f2a5473eba9c85316819009be8738be98d8834

  • SHA512

    f26d14ba0c514d14c9e2ec800e1b5a7c91027a034dd13e51cd5b0eb961ccd6244b38e8b9cc95d8fec83277250cfdc4ae96ea8d04cae80d8d32da5cd56e546700

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5y

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5441e675d9e0e6453ec9ecf8cfe8bea_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f5441e675d9e0e6453ec9ecf8cfe8bea_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\rarfvdlexl.exe
      rarfvdlexl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\lecijxna.exe
        C:\Windows\system32\lecijxna.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4500
    • C:\Windows\SysWOW64\iwzcymgkuefsstq.exe
      iwzcymgkuefsstq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3464
    • C:\Windows\SysWOW64\lecijxna.exe
      lecijxna.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5108
    • C:\Windows\SysWOW64\blnykhrqzpyab.exe
      blnykhrqzpyab.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4744
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5112
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4012

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
            Filesize

            512KB

            MD5

            08da1b4825560c29a6549ea0c3211162

            SHA1

            141a8fc6fbcc5838444bd1e4f7b34dd32e70459b

            SHA256

            52c1d30bfc5678fcf19669a1d04b1b38ba9f3d0594801c1f3be78982d1f85f07

            SHA512

            062831973d2a71862878293d67fe21aab5189b5ea49f621862ce31fa9870dc6fe1bb338441748c1f92004f03ca8237457117c7383e2c4adae791e3bb6af0133a

            Download Submit

          • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
            Filesize

            512KB

            MD5

            50ed52c0147ddc0946de5330fffd7d53

            SHA1

            35c0cf143e97918b8f9bc53a8cd05f4fbefb1015

            SHA256

            d3cbbd84a4f1f0a4421df5492a1c799c8f3d0061ca5139dcff90ea02438d0ca8

            SHA512

            d42ef3a9f511b38fef12b9963d27163b42a9964175326ad050bb5c8987fe5b1d87fef8a4c4b0e9b29f06058a6bddbfc4361c1b0dad33c838268abd9fe6143934

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
            Filesize

            239B

            MD5

            12b138a5a40ffb88d1850866bf2959cd

            SHA1

            57001ba2de61329118440de3e9f8a81074cb28a2

            SHA256

            9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

            SHA512

            9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
            Filesize

            3KB

            MD5

            ac2e6a5361703d8aff7bde5ec22ca7c7

            SHA1

            1d33213326815066e665b761c06744970eb789f1

            SHA256

            1e8eeca64c67d05c6d32c44c9814dd74a59fd5b3f3c07233be584abf862125d9

            SHA512

            08e6a46697c9b1f3c5a131f6a680ee069388e388006e849f86001cc8f856ac22619b666cbd1366397658278f65b422e440188ce68fa89ef51da9c42de3440ca3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
            Filesize

            3KB

            MD5

            94478eb6e6f0d07f93a199d9b10ba613

            SHA1

            eca3e40feba91967f30d1673cbb2b2b5cdc1168c

            SHA256

            d7b9d92c098936a591c982df8b7a125fefed3d94d232632959aa9da83097efab

            SHA512

            28b23c2a82730193e719ffcbde54ee7a35b9b32bedd8d729d1b620da4d80df1ef6014af230fcbe71b6cf23b77b957d984a3f6ac8bbf90a204d357a876c7d2c7c

            Download Submit

          • C:\Users\Admin\Documents\SelectPop.doc.exe
            Filesize

            512KB

            MD5

            b843e84dcf79ddf84b8e39bffcfa8efb

            SHA1

            f8c7351b06686a52d90d6f6dea4dea36a6bf66cb

            SHA256

            5248966a99508772e19e3a5cd08d8e27eaebbb737d2ff84dc64f5eedf0ae1298

            SHA512

            0fc4847a8a0584df2298cb8a4865da6516447419de933be4425ed5af8ef52ed75c3ee1f96d909380f3e515daaf0a2759eb1ac05821beab1c888fe832efcd7432

            Download Submit

          • C:\Users\Admin\Music\RevokeGroup.doc.exe
            Filesize

            512KB

            MD5

            c743f7e80e2ae1ec8bd79bd43b30bd1a

            SHA1

            b85d9e8056d99937b71793c41aff826a4c0dc61b

            SHA256

            24d7d9366537ef37a515152990bfa9e5274fb9da02d6984e5aa6351cc5260c58

            SHA512

            5ea5366a6feafa4d2f03f2572af7cd1971bce2e0c9d946c8225325af287ecf0b39b7696eaf8046d4f46cbef342cc9b1fad169330d7d4570871de2a93ec61e6a7

            Download Submit

          • C:\Windows\SysWOW64\blnykhrqzpyab.exe
            Filesize

            512KB

            MD5

            56365ef3eca285153ea9cab8476035e2

            SHA1

            7dae02732db3d45ea35ae93b09672c293e5f22ff

            SHA256

            5cfa13a2758663f4fcc66fc7a76b774d5bbab41783b1072c0e7d15e7311ed012

            SHA512

            bd5dd63a8064b122a18e6e8f62b7f61d3c06cdad8f743a9434186a484da20de19be51a9c81b8200b649bc35986a751b668f58849bbe1f30d7be6fec224f628e7

            Download Submit

          • C:\Windows\SysWOW64\iwzcymgkuefsstq.exe
            Filesize

            512KB

            MD5

            623f58009f2de2acd4c9fda2957e9951

            SHA1

            a174249211c183d333355e7a343732ff7da94fe5

            SHA256

            dc5cff8459e4dd9c8bc2147fe13bb0f309df5c948824141aa5c560af9b0a76a3

            SHA512

            5c9ea801546b0aeb61393d98b3ce253fc5408ef4201408404ed6013e3aee261f7ed3e8990ff8b3666138d9585ded7c4dc5fce9adf147108aefeaed262bb216f9

            Download Submit

          • C:\Windows\SysWOW64\lecijxna.exe
            Filesize

            512KB

            MD5

            be9e603dc54a421c7ea1f70a53933be2

            SHA1

            ff3e74efe2143e140dbda702f03fa3488fa1b93b

            SHA256

            0cdcaf07ebd53a9cb75c3cd3003055007928fbd9b93042642d44ae918eb6e983

            SHA512

            deb243dacced3e20828770b0e3770a7ad12c915cd1819e860506f623f4315f6049b6400600291c613db17bc4281ca5591cd77c3efd9ad5ec326f2d3b75407a26

            Download Submit

          • C:\Windows\SysWOW64\rarfvdlexl.exe
            Filesize

            512KB

            MD5

            289372e1b85871a5f7cb96da612cf9e1

            SHA1

            a0afa02ae380a72cea978a79f7e9457d292df00c

            SHA256

            b17f0add5d621959f1b7f6791ec44cd9ea7885fbff325c162c635ed407778582

            SHA512

            2b58155ad507875da6775329680e29d90e0700596cd568f5d60168a09ae6eaa4d3680774098abfa9cd0a53643e9429615ef4599f8eb8c84d927b7609119da52d

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
            Filesize

            512KB

            MD5

            1f2e5b9d210a485c8f7a157db6f20627

            SHA1

            99cf88470f54078cf24b92390e1debb486f35bef

            SHA256

            ce59b1c41c865f4a1d3c2d983f2402b50fe9500d7202f9f129931f34953d6713

            SHA512

            113df574edf932d56afaad734f144aabaf37ccb6ef0b6cf8ffc38e825650aa341cb5d9c2c6caa71e45efb755da551946ffee7556635ccd4a022c69670cc8a6b8

            Download Submit

          • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
            Filesize

            512KB

            MD5

            28d8361061c1a00bd45ac40ff06b287c

            SHA1

            fe971e447b8cb7ebf7a99d3337145262c27d36a5

            SHA256

            32233fbeffc15aebbb76b1dbdfdfb31cb89355734cab9d3e7904355bee28f6d0

            SHA512

            ed50e4c666e65c4ff36ffeaf8b20e88069d9074c4c7b23bd6d9c1c4ae35215aa4687bd6080d898cdf2c3d1faae449c8887d20a331db218986972981dee47a237

            Download Submit

          • memory/2296-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

            Download

          • memory/5112-45-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-141-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-49-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-50-0x00007FFC00310000-0x00007FFC00320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-51-0x00007FFC00310000-0x00007FFC00320000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-41-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-38-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-40-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-42-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-44-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-39-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-91-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-48-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-46-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-92-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-47-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-43-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-37-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-137-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-138-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-139-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-93-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-140-0x00007FFC02370000-0x00007FFC02380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5112-142-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5112-143-0x00007FFC422F0000-0x00007FFC424E5000-memory.dmp

            Filesize

            2.0MB

            Download