Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/04/2024, 18:41

General

  • Target

    0169fd1fc0c7f775ff3e0c696981cf0d_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    0169fd1fc0c7f775ff3e0c696981cf0d

  • SHA1

    6679b027e972cdc59edb776f62cfab347b19b32e

  • SHA256

    fc92e2ef4cfc3ce6cb2ba7b23e253199b017333efe1fcbb60a31334bdd89d63c

  • SHA512

    0583686dda50121f271b48eeba0ceb944a9c79052e5f373621edf82c7fe33b5e4d266d3bbc9baa0c174218f23f467903ffb2581c61ae87ca051d785a073dabc1

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0169fd1fc0c7f775ff3e0c696981cf0d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0169fd1fc0c7f775ff3e0c696981cf0d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\zssucusyzm.exe
      zssucusyzm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\rmrheuzj.exe
        C:\Windows\system32\rmrheuzj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2432
    • C:\Windows\SysWOW64\wpedjohhxhjlfyu.exe
      wpedjohhxhjlfyu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2536
    • C:\Windows\SysWOW64\rmrheuzj.exe
      rmrheuzj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732
    • C:\Windows\SysWOW64\wsfbugzdjnvdl.exe
      wsfbugzdjnvdl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      9982f937a4b42f9c065211ec6881a9a7

      SHA1

      5b3b26693d157636fac9dcc1a8ba352f6bc2cd57

      SHA256

      1a502fceb75b57bff6cee15e07e9475896ecf807bc2d49278dd4b485ce377708

      SHA512

      e0941bcfd517bc41db8866ae06c58b0965028b51c21a9a5694acbef64bc2cc5f13cdfd7ec8953387df0e73448b503a5390b75299e688342ebb91aee77cc2e530

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      db24e44698a85f329340c32b0a0be05f

      SHA1

      d147463ab0a0f4f02b5e126065ec78517b5e0622

      SHA256

      89967d501bbcd5782592ffe223929c0664fd8ea9921d40977c9ef9c1fa6cc8cf

      SHA512

      afbacd9beadd26f0baf89a08ccb0c657fb04fc49e1df16b226734bc7ac7b315254f8399f3e7c3934f28b9981ee49389784ceedab3b32f4249fd706a23f51be19

    • C:\Windows\SysWOW64\wpedjohhxhjlfyu.exe

      Filesize

      512KB

      MD5

      dc5da9674b733befd5fe8a02ed02b477

      SHA1

      ba767945b0fc1be3a448b5ae40a750b6b954f152

      SHA256

      1c734da8927a6c054dab954c072d024935275848eb3a6d3cd1282a12408d8fe9

      SHA512

      1ef994f7dc4a8ba18cbc886dfa6fb783ecc0fc411f92d7dc8c4186e542e7f2f3aca239a54d66aa291d8014589fb7df93181bd0f5f15ffd01e95cf6791d5ac6ab

    • C:\Windows\SysWOW64\wsfbugzdjnvdl.exe

      Filesize

      512KB

      MD5

      e918c49dbd165ba444ebfe6f30376e2f

      SHA1

      40721c882319490be6dacb4e835c53a2e09d96e7

      SHA256

      0b12aade2eb6d5e2a215fa9eaeb482bd4af80a09232e40c152152da59faf1f25

      SHA512

      da144ae3fae56f9d8bdb8ec3408b86ee9150674ed4507574b6ac14eb20b3e97cfb0ba098744c1e59e6df1c80301301c5115cd3774556aa944aeffce127af43f2

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\rmrheuzj.exe

      Filesize

      512KB

      MD5

      e6444070163fce56b1a040b250f40651

      SHA1

      e8a7182a0565ee4a48b257409f96f474de2ac690

      SHA256

      53daaa02e8f06b2bd3de5a76635fcc4123b9ae531a933f56bf8232d227a888be

      SHA512

      639773b001a144f24f53f3e819000995f0e940435c0f51bf7a6530837c5cbbb83bfaa3fda2123ccdd918e5bfccda26025c8befcfdbf4df897ba4b6dd1b479c6e

    • \Windows\SysWOW64\zssucusyzm.exe

      Filesize

      512KB

      MD5

      c3841e9ea77a6fced7d6ffdadd20c827

      SHA1

      b9fb452f9dfcfbdb02e7dbbdcbd28f4ca23722a5

      SHA256

      25021783acae109e7697b8896082ef7bb87fe1c22d3655a2072114aec3ecd879

      SHA512

      93ce781d2dc7ffc5f7468897bbc475d3758166ea365cacdc3f13fcf2b44a5c945937582d52bf3981526d49a13d894c3d46c751ce3a7026e3dd695803a75ae053

    • memory/2500-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2500-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2972-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB