Overview

overview

10

Static

static

5

052c5374e6...18.exe

windows7-x64

10

052c5374e6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    052c5374e64f482cc2707fc2ecf4a678

  • SHA1

    71e879e41f9817f2271e29296428807f911f8f72

  • SHA256

    812d151c8495635d0171d6ea6c3a7b907a5c163290115baffe80a51672f0783f

  • SHA512

    1e1103b9fe1ec12981f58f9ea82e02f89ce7e457306aebf7529ae2cad6ff5105fa6888a79af4f3d594298933c9e92899ddbc035a07894e421b4740b102cf5436

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\SysWOW64\bpxcpnggfg.exe
      bpxcpnggfg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\garmgdaa.exe
        C:\Windows\system32\garmgdaa.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2328
    • C:\Windows\SysWOW64\grwegcenqsygmdh.exe
      grwegcenqsygmdh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\SysWOW64\garmgdaa.exe
      garmgdaa.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3040
    • C:\Windows\SysWOW64\znbvbuaodbyrv.exe
      znbvbuaodbyrv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:788

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      674e7a439bfff12d6ba99df539c22a33

      SHA1

      a309ec676f5ed37e7958dfd9b65463124f40dc10

      SHA256

      d00fdc5ebdd7aa5b3254ee1d5234b4541ea9277a709fbf12bc65ac7ffe68ccb5

      SHA512

      9bc8b6d3ba8e6d290d2e93744f1fc3d9d1ec6982f43a1b0f865cafd8100b0bf7b16cf5e513fd378c354c283309218c9e78291fcc35dd28a5ca7d0b2800381905

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      31f2c09c8dd0e0eec03088db55d1eecc

      SHA1

      e30eab946ebf53c0d65e060010eb3db9f2176ae6

      SHA256

      edf41069568644f104b671f5253fb1f993b9c42c4ab48930dee9236fe1c7ec26

      SHA512

      ef0e2d8aad033f6961baf782d7392e14aabdf35a434bff86aedafcb90bcd281b0a06792070cf33471aba5a1ba6f44d191b446e2fbcb25eed53301975c45e69ac

      Download Submit

    • C:\Users\Admin\Documents\SetConnect.doc.exe
      Filesize

      512KB

      MD5

      133be2031271ada34d7f539ed2a5b489

      SHA1

      2edf6e61434876a25c70a9ea90b76cc0cf0739be

      SHA256

      20a19c75b7b299bc62333c3d509d1ba95d4ccf2ab180e86870748c870b46e533

      SHA512

      66edf8866a25fa3d837816effcafc25b7449da32d0baada6c39e4a097466dbc0340913a97a215c10f038ee23c6da31c51b455d62354ba4c59b682f43ad378d70

      Download Submit

    • C:\Windows\SysWOW64\garmgdaa.exe
      Filesize

      512KB

      MD5

      34c7faabb0d20fa6767eaadb004dfe11

      SHA1

      75e67ea79af7d9a145093675d4b64192159e680f

      SHA256

      cd407f536465036b5c7034521a4b65126d44960470b68150f502176700e48e19

      SHA512

      99bcfb43a3181ec3a1e43a2940d5e51bd70b7b939680494ca2264855f8d4a2e95e9bdf9a6b77332205c750ccbb15c7ba0bb9a4583148c26072a48f3a200ccd6c

      Download Submit

    • C:\Windows\SysWOW64\grwegcenqsygmdh.exe
      Filesize

      512KB

      MD5

      4af2c087f2f60a65df393000483ecb93

      SHA1

      245942318f75a527261651dbca716521b1f77467

      SHA256

      8f6c530dc139fdbff26f2e10cfae71ff207d45f4e755f959db31bf6dae0ff29b

      SHA512

      a45c60d6846cd4852c0bb1f56ee6e9f34ed564bd3c5af9cd596c996b04f214eff56cfb21a2a288fb6db4e0c1dfec9674323186a1696ab24469dadcd28d3bfb4e

      Download Submit

    • C:\Windows\SysWOW64\znbvbuaodbyrv.exe
      Filesize

      512KB

      MD5

      1492f3135f3465271c24b7c1d973f615

      SHA1

      2b64c7af3a17fcbe825628c90a28269506040e66

      SHA256

      67d5c09d97287c46e918449ded4f7ca29ac9bd786a288a192c2aef61b0208732

      SHA512

      859c60565a678fe0e783ed0dfcd355fc525a575972175f5d1b9e2f3a4792f0fc96272906a611a9372a0c2ee0952dc17d426b8a58556ef2d9be56fd70ef23ca4d

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\bpxcpnggfg.exe
      Filesize

      512KB

      MD5

      cfe2b05d2963a992dc192e32b0bd0ba4

      SHA1

      8e49be20809ac861c0a63b3cf43a18159612c9bc

      SHA256

      0cb348f3dbd1e9668ca7a4078d65566789f79df05868c6fdbec7707165775a2c

      SHA512

      ad4101cb28060e30d7d718b67def6e52fc06f60ead12aef71e0549ff201fd9bc21df95971cc71588530b4309936da35348b76e59b1301ce70d4d74082215dfd0

      Download Submit

    • memory/2456-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2664-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download