Overview

overview

10

Static

static

5

04e09d986c...18.exe

windows7-x64

10

04e09d986c...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    04e09d986ccbfcea90d12af9c5a8c899

  • SHA1

    e021eeee851c96d55d79359b54fc84135be5728a

  • SHA256

    e456129f312197672d56f5e2a26260b722184805755ede006ca07a17d07c3e06

  • SHA512

    f3a5edb54b75c5710eaef549ae1d1fd92c0e2de57334e9c90bf5b03206333e62cd1c121bba4cd03558ff75fc2e584f409f5e2fd7d93ba64d86ca9abfb9066955

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04e09d986ccbfcea90d12af9c5a8c899_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\SysWOW64\ldseuqmnts.exe
      ldseuqmnts.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\ixgjnsyg.exe
        C:\Windows\system32\ixgjnsyg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4628
    • C:\Windows\SysWOW64\dnxeijbenenrapv.exe
      dnxeijbenenrapv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4664
    • C:\Windows\SysWOW64\ixgjnsyg.exe
      ixgjnsyg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1896
    • C:\Windows\SysWOW64\sqnxbmulfppew.exe
      sqnxbmulfppew.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1332
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    ea4e91f563749037d17071888ce833a2

    SHA1

    2a7a0b4dbbde599978f54f84b4f670786079de2a

    SHA256

    755b92502380624cf1b56c5f8ab1fe1dab9c109e20b9829d449fba09a0fffc69

    SHA512

    39a81f3360947f280b0ec195402597815f85bbb9b9016a86c7b995ac25355ff905928a110bddc2bc21717b6c6357585c30ece077034779152ae11975bcab27a0

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    2c0af9c1cbda740920c8f542518cdbc2

    SHA1

    599eec05ee7fe8bd0f102d321f25ee1582913fae

    SHA256

    2ea91481807ecf92020bd2e7d9b97290a2066605ec6b38528a4b151b895c9820

    SHA512

    dba95602921c6597e5234332427c76d887d00c97dc4aa16ebd7feded18efd549d041a371f9a7853e7a2897dd4a1dfacb47dc0c5073ae99f82d8e69e737f85026

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    707a7804af52e6627d2282e025e67448

    SHA1

    d8b3015cfebe7cb30d6e2fba2e36b50468a4ec28

    SHA256

    7151c25ff695ee9b53785af1fd3b9d1d0be4b04f60ec0c25184e27a1641157b4

    SHA512

    3dd35fbfeb5bd72fe9323fa889a9afbfbe4513a14e17742a1fec19fb0b2e02d13fa4bf80f97ef6ddb333dbad107a4d87527a669505ece95492d8a510939fdb76

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    68a1e4949b464f3a8f8302583337e5cb

    SHA1

    1064e2f339b1265e06d88d5b61a614dbc0013f08

    SHA256

    805f27c1cd6caef4e9b6cb6ff533a9950081c45b5002c2e65456720d0ee39b1c

    SHA512

    c68be308528b8286b3a6fbc97cd8412e2df197c50adbe5d80886253ec1ea659c45446e8e80949a59bbbd2b230323e17376db21f09c5b471a76cd5b70ec64d5e2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f62118fb5fd6694312d7eca88faecf14

    SHA1

    af6e5b826288d59fdd296688177803400b2fecbb

    SHA256

    2e4f95c19d13f79f309be9381266945ad1c9408f9851eaf17385c85c170681db

    SHA512

    7f3bf50380eea5b83909f5668ed7479257898b160c9d8ea6e619c5d3c6ed82a1b8d7a2b0d586ea3daa4831d8e4b8052f8ba2b3ea1b651513f2ae058d38594a98

    Download Submit
  • C:\Users\Admin\Documents\InstallExit.doc.exe
    Filesize

    512KB

    MD5

    72b4dbc8bd7ea56c8b0ede50ec8742df

    SHA1

    0250e364ad6b68d108408b0e0c62bc91bb24601e

    SHA256

    b9c219f6f1ecfd5c14af89ba183182cb4727e9dd800771a2f9dfdb8342fdaa70

    SHA512

    c57eda222f706a7178b392e2ea073810ffcd1880d6f3307cd4ab450e50324c881b3a22e7d1f728bd02cfacf8f48cae63b380c70b9d20f7e83aea61482580603b

    Download Submit
  • C:\Windows\SysWOW64\dnxeijbenenrapv.exe
    Filesize

    512KB

    MD5

    154af760ac5e4f9732fc878612854b50

    SHA1

    7c60a3afd0d3c5e9389323000d4117c48891c7c0

    SHA256

    2cf96315013dc03ffa3743a40e42ae68b90d7dff15a8f606246fd493c6ceeb4b

    SHA512

    34d97b6a1b990e733ed9e7564b95e37ab1b405ac4af5f9438efd01b7323a5a4b52329a84fce0ce993121a1eec2d3e41c5f062c5892897ec8e02d5a5845f4359f

    Download Submit
  • C:\Windows\SysWOW64\ixgjnsyg.exe
    Filesize

    512KB

    MD5

    d47851bb463ba25a77c9c5c1c881ac61

    SHA1

    04174b43e0b3557ea19b570794564dc1bae4db2e

    SHA256

    ae871bcabc3927dc1aeda3cce9a086cbcc8b9de727a9cd0b0365d42461774c5c

    SHA512

    bdae871ee3476d02d9e6a46b648c73831000848fca0902511dc2a4b11120dbafde29f8e932eff6fb4e41edc9b8f82c04247aa1f27a80a5456f72b326cf0c875d

    Download Submit
  • C:\Windows\SysWOW64\ldseuqmnts.exe
    Filesize

    512KB

    MD5

    d42c795653418d7e418947aab0b074e2

    SHA1

    73a18ed7655e4df6fc7a2d2cea60c6a3744a9c00

    SHA256

    5876b07959f7a9b76abaab21373b73076df2bf4ddd6d761859e3237c4f31702a

    SHA512

    bf1365d3a1f0d1e2a4c603d8ea6ba3ed08b48168b5021168e3b7491ad78f7d019a4c0c7730153fe195417ab20966a38b6e973af915b20db0b03b64806dec8bfa

    Download Submit
  • C:\Windows\SysWOW64\sqnxbmulfppew.exe
    Filesize

    512KB

    MD5

    5ae16defd080be65bf84f5846f44b97c

    SHA1

    f3becea357be8c6a7149453a1676a834bb0e9f19

    SHA256

    e444a95a8f213457845db51681bb85f25f70c466be1363356f4d9d4677dc65b3

    SHA512

    ca7dc85e76c8e57c55275974f643557804d72c4cf9fbd8a4daa55b1103e4e7d5af81e8f6b8f94626f150ec42da325c5ae807235f2040ab8dd3c211edf2740a53

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    a22ad41e4aee85f195dc7557bf01c0db

    SHA1

    4e77092b2075f8c76c27422cdcce0610f33e0d35

    SHA256

    7491cd810fb4813fd137c79e8597fa71eeba09de984be49ef5b4d4f93a762417

    SHA512

    2bcad5dd3551ec4af860dbffc91c3228470746c9c36d7934d7136545806f37cab3472241f6922edcde03fae8eac34589327c3008f59712093f00c0e878e4b35d

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9f21c3faa2753b7aaa95b68d6bf7cf6f

    SHA1

    4b5d0510be8e30b8bbb09932f2f1a58b545c6694

    SHA256

    7258c0cf748450c2179360dd4207dc32a61e907dbfa528af6b9ab61b443c82fd

    SHA512

    14e27953f56880ee3cb1ce8bc02acc97a4972beda27f0232e2cf8dca2ef9b46d6e23069a0df7b382d61a3aad0173ef4ffbe6f5cb7e3f51d46e778397dbad4ef6

    Download Submit
  • memory/1012-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/5744-39-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-37-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-38-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-36-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-35-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-43-0x00007FF9ECA30000-0x00007FF9ECA40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-40-0x00007FF9ECA30000-0x00007FF9ECA40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-114-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-115-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-113-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5744-116-0x00007FF9EEA90000-0x00007FF9EEAA0000-memory.dmp
    Filesize

    64KB

    Download