Overview

overview

10

Static

static

5

ff46d7cf04...18.exe

windows7-x64

10

ff46d7cf04...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2024, 12:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ff46d7cf04286ea87e6d3abab99479e7_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    ff46d7cf04286ea87e6d3abab99479e7

  • SHA1

    a3026c58722922488e0bcc9cc384cbdae8895e51

  • SHA256

    fe64d0f316f53a6d15eebd5022671736f59d57c7b31ac6736df4499ae34d9342

  • SHA512

    f2ec8542315d97060eef1c725afa84e57c1b1cb60538c0498a9cde89776b3a1287bd2f2d6cd74853e08c34500f747d7e70743a726204732e281a9747b7d24514

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff46d7cf04286ea87e6d3abab99479e7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff46d7cf04286ea87e6d3abab99479e7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\SysWOW64\qvdlqiraqs.exe
      qvdlqiraqs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\xkcdmxdi.exe
        C:\Windows\system32\xkcdmxdi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4728
    • C:\Windows\SysWOW64\iadyxccuyzbchnw.exe
      iadyxccuyzbchnw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:512
    • C:\Windows\SysWOW64\xkcdmxdi.exe
      xkcdmxdi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1580
    • C:\Windows\SysWOW64\ljiqxiivehoig.exe
      ljiqxiivehoig.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2596
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
          Filesize

          512KB

          MD5

          dbefc5132d17c104af08703147d29dd7

          SHA1

          2b3ce2e7a35d1f006b06aa7ad8fa7bbd0f291cea

          SHA256

          1038e4534d0f219f56494ca36262e95a3e459b598b9388e0fceb734c05fd3381

          SHA512

          1de29aff67b5070e577fd81289f66e03f19087a10f728c67bf376c39767e4f333dae1a8da00e392b35b933020947d32057ff73cafdc05687da3a03490e6bf73b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TCD7505.tmp\sist02.xsl
          Filesize

          245KB

          MD5

          f883b260a8d67082ea895c14bf56dd56

          SHA1

          7954565c1f243d46ad3b1e2f1baf3281451fc14b

          SHA256

          ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

          SHA512

          d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
          Filesize

          239B

          MD5

          12b138a5a40ffb88d1850866bf2959cd

          SHA1

          57001ba2de61329118440de3e9f8a81074cb28a2

          SHA256

          9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

          SHA512

          9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
          Filesize

          3KB

          MD5

          8a39cfba1825a2e9fd14a4b32f35f24b

          SHA1

          82e59960eacaa8dc6516581874a21971a687996e

          SHA256

          5fc4c08958b13371c7981e4239213fe313c5512991529b1003fde09f5f336a81

          SHA512

          ebc68554ffe048f17d393d79442e3d286f597d0bb3cb4aa7b0241c24e5386219bbfc3c10b7cad9162f90124e5e02a5b2b1094cc467efc3c40c54f31cc29497b3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
          Filesize

          3KB

          MD5

          9e55f39ead048d5d733636721e1d47ee

          SHA1

          b1978a012bdb86b59aa1ce0745e060aac2f304de

          SHA256

          ab210606293d4c0a905b897e9256dd289bb41bf9d1610a0b124929150b8480a8

          SHA512

          64de09d829def5c072d7fbb5c86d5c7ba284a6595573b187561bebc78787966ef3b4a0317eb30bceb6dce64de0fa9b401b45bb839229e7ef64fed01a65b18219

          Download Submit

        • C:\Windows\SysWOW64\iadyxccuyzbchnw.exe
          Filesize

          512KB

          MD5

          2e019e53863ad2048b332b694ff93170

          SHA1

          46cf1e9293ee6f1bcdcf8ea95f73269744d0c517

          SHA256

          e9fa200dc4508b1f9a80f0fc1ee9731f58bfebcf284bf342a0c05a522e1796d7

          SHA512

          feec9e2341831e51dfda5f0aa797e66ce7b47f2cbe729d1db324f458af5d5be1aa1863305fd4a4ee7e231824a759d0708aafbca21c3ba10391aa98f0fdcef36b

          Download Submit

        • C:\Windows\SysWOW64\ljiqxiivehoig.exe
          Filesize

          512KB

          MD5

          fd85eba180b4401a537308b151ab9eb4

          SHA1

          3d7328191e32bac94fc681f4a6cd83ceeff55b84

          SHA256

          09aa677b57420eba9cc678a55ea996a172fbf5e229d3bcd6294e53998dcd3285

          SHA512

          667dca8007ab3c736dfc7b6f09c1e51433c05b49eb6ab7d69686bb77151632c596fb78112045a996599d9d642a73edc18887f4b82f6138687d05cdc416910e7d

          Download Submit

        • C:\Windows\SysWOW64\qvdlqiraqs.exe
          Filesize

          512KB

          MD5

          552540d5c9fd7d8a56a117f88d8bf6b7

          SHA1

          38a71e16a94718c5b5f700f6e0ff7ab1802746aa

          SHA256

          65949fafeeeca12a1a3e9b93ee8733f77b3b0bdeb915a436d01ac82c4939969e

          SHA512

          46a692039fb996a121cce94dbce6d1314e11c845a76b442e0825361aa3aa02d487a8f38fe236822d5deea31ae33fbc4840fc765484336719333a3fdb0f99c029

          Download Submit

        • C:\Windows\SysWOW64\xkcdmxdi.exe
          Filesize

          512KB

          MD5

          849bc61a2838166c997e87018d1152ee

          SHA1

          3a31b801f657d1d6c10e7dd27f58a06e7c3c8f8b

          SHA256

          d8d12a1ce7ebccee8f5a69f819db17a1a4071ca36d9e46183b122a365a644557

          SHA512

          f718d81bc0d8dbadf400409c4ab2e08592d8f05fc70301f856881e50f7b85810817fe6b3cfbd91d6aa4f8cea66aff36f7702b4d745ef39cf8768750fb763cb46

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
          Filesize

          512KB

          MD5

          7ae86ebb2bdf24f2bd7e10f3434de110

          SHA1

          a092f79e26e6746019e0bf9a4054fa0363bb579f

          SHA256

          ac1fbb9e5eb194126bc53dc615bf5daf310d8ffae03e9ccab193300a65089ea5

          SHA512

          6ce19380afadf470b26fc3ab6d444a7b5a286b3c896e8e531407887320a836370f4449da395db2acf9b627c7c40dad1ceb2117bdb59259d304df7cae2191d568

          Download Submit

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
          Filesize

          512KB

          MD5

          32bd62cc5ebe35b667f51af1bb5454a8

          SHA1

          01b10f58857b9b77012eaa466e2cc90dae39138d

          SHA256

          15d4b00daaf48ae5a7d0b9369534ff5d5212a42482ac4e7415ac5d280f010a21

          SHA512

          bfe9f206baaf3ab2dc8ed8ef57af33b5db58d233848cb24afae820be47852744ea6e421361f57f13b352e9228c1e3e9789304ec79ec28996660bb265e9ffca19

          Download Submit

        • memory/3216-41-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-44-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-46-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-47-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-48-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-49-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-50-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-51-0x00007FFF54EF0000-0x00007FFF54F00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-52-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-53-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-54-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-55-0x00007FFF54EF0000-0x00007FFF54F00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-43-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-45-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-624-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-42-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-40-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-39-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-37-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-38-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-568-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-587-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-588-0x00007FFF977D0000-0x00007FFF979C5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3216-620-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-621-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-622-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3216-623-0x00007FFF57850000-0x00007FFF57860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4612-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

          Download