Analysis

  • max time kernel
    149s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 00:33

General

  • Target

    03fc9e8b77254aea88e4ee6874e6aa16_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    03fc9e8b77254aea88e4ee6874e6aa16

  • SHA1

    37ed01e12640426729ec3445035421cae398e9f3

  • SHA256

    67ae1cb8fb6f1617dfb89958e55245dc791d41f8e3b7af48b175543f243ee46e

  • SHA512

    31633112a32d70680d560e97b93994cdcf15e25973b6062558c1bad4100137e926e27742e4775b3f289464cb39b2314ba93e83895c4ac55fa8da5e0e22ac2f1a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\xmdftzqadd.exe
      xmdftzqadd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\oqtyafjg.exe
        C:\Windows\system32\oqtyafjg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4744
    • C:\Windows\SysWOW64\fvkrzknzetwwzoi.exe
      fvkrzknzetwwzoi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3256
    • C:\Windows\SysWOW64\oqtyafjg.exe
      oqtyafjg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4400
    • C:\Windows\SysWOW64\wltximakehzhr.exe
      wltximakehzhr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3512
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)
  • Defense Evasion
    • T1564 Hide Artifacts (2)
      • T1564.001 Hidden Files and Directories (2)
    • T1112 Modify Registry (6)
    • T1562 Impair Defenses (2)
      • T1562.001 Disable or Modify Tools (2)
  • Credential Access
    • T1552 Unsecured Credentials (1)
      • T1552.001 Credentials In Files (1)
  • Discovery
    • T1012 Query Registry (4)
    • T1082 System Information Discovery (5)
    • T1120 Peripheral Device Discovery (1)
  • Collection
    • T1005 Data from Local System (1)


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    36a3b2bf2697758ff76bbec23d8481b0

    SHA1

    0f9a9b7a540e956420455d9d35608f3632bd47c7

    SHA256

    97c60b59b6721cec4812a7d3875d8979d6b8bfb5981aba4c858e0b63009310bc

    SHA512

    9e4e3f3de1640dfa8ba27093f5ff2bc4d5ceaebc70b2ea3571d36bf8a1a6565886bdb3d0ab7cd890b2ba269b655d6d7772b7fd509db36134e82fefdcccf16bd1

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    a7788490b1bd15bc50334c8ccd6adcd3

    SHA1

    3dedbb977b94847888e39b6d0ecdcdf073d5285b

    SHA256

    561887e6d6f02aab031c5ea973fc13fd45554bbd558f7035ad23b41502999032

    SHA512

    d57fddf429e3f83f07cd9c98b982f5f8960c76e31839c1af2fde60b36fa4c1dab13ce98fb0947b7920e34e69b5418ea6b7da8c8d624a0e730ed0746a46a277b8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    7e9b8521bbbc5260e0fdd781f03bf5f1

    SHA1

    f7cc4f0fb29a65caf8069b469446b9f3692b982d

    SHA256

    f54eedb8ce1de7297ad5f24f9f99cf000bdaa8cbb598e3a9db388325e2558caf

    SHA512

    28bd64e96c226f4d9e06ade1c75eb526487a07ef952f4ba034b0b6b99307491a07b69799d02a9cae3f3ee4cc2c061997be163b6dc1ef5fc250799386aea3a5b3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f8c903391a951b1986d29038de4fec6a

    SHA1

    bce41c8c065cca0e4095785ae9b231f2fc716330

    SHA256

    c2374f0791c97c811d4713876d8b4bfcaa11cbdaa7e87f6eafb81afae8908cab

    SHA512

    611d22974d66db6f48dcbe093980cffe0e7b80b687167d30647ea947f278a318e3304faf76d40e450a60e1ead20d90d6ff322df1528d73999e54b870c1b32c5f

  • C:\Windows\SysWOW64\fvkrzknzetwwzoi.exe
    Filesize

    512KB

    MD5

    cfc5dd55198c1a4ef4c3df8e07dc8b8e

    SHA1

    3f076e61dee2ebbb61b730aeaedc65072b257daf

    SHA256

    c30d0bc505c27cab98f9168b8086ab406ce9482eab2398e8cb3d11a9bcffa2b6

    SHA512

    05a2a8f91d5c9bd5aa6090e5326fcbca842471e73fc923314f46a440ac8a4583a2574d8419cef8df99ed6ca174d5062ddbcaeadf870923bcbbd9a0852b0ff7df

  • C:\Windows\SysWOW64\oqtyafjg.exe
    Filesize

    512KB

    MD5

    e36531d28fe79a562950066675bb5775

    SHA1

    4b026a0ff197df7d6660ae16c656d62702d8b15d

    SHA256

    3dd8bd64ef2b1f8fe6bde634abc92d1f6078635ff5bbceb9d4eda8e6ca623108

    SHA512

    a9188b8d1ea3eeca4327a2d3e2e693c974df5346d62e9d634b7dbf181f262cd575b7d8f9c9c34a6b4129d04ff249bc16ad22697f7069b88da66e354f632f742e

  • C:\Windows\SysWOW64\wltximakehzhr.exe
    Filesize

    512KB

    MD5

    4679f32f8d6c113f077e6f59647fabf9

    SHA1

    ebb03748c1f22f5296926bac0c57560d418236d2

    SHA256

    8ce3fb4c22257c2f18657bd516eada7aa2664ab86d7e4fa6841c673438eb0ac4

    SHA512

    9d32df82c9657dc820d375fd9f0b0241f7e34509c7c5601109054f707f03d95d09c437104da50db57b33c1e28eef2864b1fc85b88e8e95167572c6095395dd8a

  • C:\Windows\SysWOW64\xmdftzqadd.exe
    Filesize

    512KB

    MD5

    238f9fd39ad8c8b948fe560ddd6df345

    SHA1

    1a783bd428b922ad63915187f89b232083131f6a

    SHA256

    2793c0fe0bc0a13fe7bce2020921c698e1e4d98ca666485116a41576f96bba82

    SHA512

    377894d20f3b62cfe5c6a959e895a9baa127eee19b7d60ec0d86da409ce17e55abef269e6893a3737de7fa79a3a3c4786d58e44919d8aa4aa7c53f8b05901a20

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    39defd8e2a8df48350a1a60569bc3c48

    SHA1

    916848b0f670a6168dd8662c8b1ede17d375ce8f

    SHA256

    8a2a26e0c53fbe506786f4be241a387b712e79642437bda7bac51326018b61b5

    SHA512

    26976db6acf326788c936d18e0bdda17f9e61077f4a394eb87f748e96e55a843f97893ecc7eb3dcb64e4f4504d51802db421129f8c85f47cc5833f7a40dc6f33

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    519d2e0b0fa0aeba5dc41a1df8723c01

    SHA1

    74d8feedda883150ed4d3a2225d14a8750915699

    SHA256

    1ba43ff30a82ebed99cce8bff9098a5eeab90f4fe706562613c2450639e01513

    SHA512

    72e2d29224feef5d1df530a35d9c2131350c8bc2366508624f6e36a5212b38aea47bb5fc4ce03080e964a7be242ae92882bd65091e24f3733e3362a0b7f52c2e

  • memory/3396-37-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-41-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-40-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-38-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-39-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-43-0x00007FF7DFA30000-0x00007FF7DFA40000-memory.dmp
    Filesize

    64KB

  • memory/3396-42-0x00007FF7DFA30000-0x00007FF7DFA40000-memory.dmp
    Filesize

    64KB

  • memory/3396-111-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-112-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-110-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/3396-113-0x00007FF7E1A90000-0x00007FF7E1AA0000-memory.dmp
    Filesize

    64KB

  • memory/4992-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB