Analysis

  • max time kernel
    149s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 12:18

General

  • Target

    052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    052c5374e64f482cc2707fc2ecf4a678

  • SHA1

    71e879e41f9817f2271e29296428807f911f8f72

  • SHA256

    812d151c8495635d0171d6ea6c3a7b907a5c163290115baffe80a51672f0783f

  • SHA512

    1e1103b9fe1ec12981f58f9ea82e02f89ce7e457306aebf7529ae2cad6ff5105fa6888a79af4f3d594298933c9e92899ddbc035a07894e421b4740b102cf5436

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\052c5374e64f482cc2707fc2ecf4a678_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Windows\SysWOW64\bpxcpnggfg.exe
      bpxcpnggfg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Windows\SysWOW64\garmgdaa.exe
        C:\Windows\system32\garmgdaa.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2744
    • C:\Windows\SysWOW64\grwegcenqsygmdh.exe
      grwegcenqsygmdh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2880
    • C:\Windows\SysWOW64\garmgdaa.exe
      garmgdaa.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4984
    • C:\Windows\SysWOW64\znbvbuaodbyrv.exe
      znbvbuaodbyrv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2036
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    cd538103f3eb87bba24b1c7ab4576076

    SHA1

    f35a473bd46866305b62f4b7604092c39f286d3c

    SHA256

    c3215d1b825dad5369e7e223b2114766cb1a203c117d4a88b19ea6828e4d4211

    SHA512

    8943c88f95430a76f1cce34333582a83983864f414e386a72bf1f32c24bd0e90eb9e004ae3529c04ca1b7f9a0ad98956c8951fb628f809c219ba4fd3d413acf0

  • C:\Program Files\UnpublishRevoke.doc.exe

    Filesize

    512KB

    MD5

    c952b826741df86464962a827bb686f6

    SHA1

    318ba237d5d70b29a558ca761f5112980881245e

    SHA256

    f5b58078cfe4b61f9c061a0a57428b567ae5af98c56cabe673f15135cb577733

    SHA512

    df0610f3211d6a51b21f850b13b697a9127528b833e0e5beb8ad118029956b1a865b38cbc169ad180bbbf858a359116f14d522a242e5cf068ae8f057ab9b0723

  • C:\Users\Admin\AppData\Roaming\ExpandUse.doc.exe

    Filesize

    512KB

    MD5

    a2fbb13f6c7d44dd25b00bbc49e7fd04

    SHA1

    4fccc10aa3b1eb1995376f7754c4bdf687a51cf3

    SHA256

    90c8d5a7c53d0e3a3e3cee7a9c6fba5c8fd4a8b64dce4076070e4225b1f16a82

    SHA512

    0df73cac4df0702cdc59f1fc53ea0376ed6be283033e409ecc2230eb9753cc11896d915eeb3f9346dfa410fd732b686f7e46b468ce139df7d3a4331fcc4ddb23

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    140dc4f6ad97291304cfb63e460789b6

    SHA1

    074b6da2b0f8205bc248bbc00d7e9c291c9b2ced

    SHA256

    c4a7d511f5ba0816d29db8ca5217377404e5eb505ea6e8b7c0f44cb614b8610a

    SHA512

    5db7c213d0c174beca39a97e5c5ac5446b85c498ac8393bfaab19148f2afd27ab7bd6a75b04256cad6ec82b0f96b6779480f2301c0524ab929bad61aaf8d66f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    000e23fbeac766a2ba93d0b5953d0e9f

    SHA1

    36863c641d4c875078515c0ea662c7bfa4c82ea7

    SHA256

    ab4008491ecc0aab86dba129e2ce448e6f78ed67d79b35b1c06c462431bbe623

    SHA512

    638cf028820e216c0fa50ed34e1ceb1ab5541be4f9ac803b55645d5290a22716ebb4a38865a19d6da4636617037cbc9aa252eb80aed1c69d4ec18660bf0e8c2d

  • C:\Windows\SysWOW64\bpxcpnggfg.exe

    Filesize

    512KB

    MD5

    964af535058f0318eaeb1a482b70270f

    SHA1

    5bcf1afc09296ab94353ee2ca0bb48be774b3c8b

    SHA256

    deecf56d4e5a6f140cfcf6589ee0b7a5431df146e1f1b20227edd987c8b1d20f

    SHA512

    e2d37bef3a8b2ff8fd297db9969633250886aa2359c5d21063977704b5004ef01ee1ade67d3043af543a71ad369451c5e4c2a0351310f2c3860591ebce447e74

  • C:\Windows\SysWOW64\garmgdaa.exe

    Filesize

    512KB

    MD5

    c80d8d5305d3421e68c15240519c63f0

    SHA1

    342eda0c5121d44cae3e0bba43065b46c6817f3b

    SHA256

    ba77b16ff29cbace5a1eeca89d077a2fc3d8adfd1007735307f03f2e4aab776b

    SHA512

    37cf61cafbcb23c6dcbc93af7194e6fe924fcfae8771c07dc0f6da01e42c99207fc41e8d08b776c700f87c3ef5c0822c3f57ffc76989e1a62623d32da1f636c3

  • C:\Windows\SysWOW64\grwegcenqsygmdh.exe

    Filesize

    512KB

    MD5

    41c3697de8caa89cfc22eb00ec9a119b

    SHA1

    4299105507afe1120dc85a52ba282f9e1a848042

    SHA256

    dab683f20028267fa49ff649b025b7b6c1596f9b9ac97a5dac3f4458bc06a16a

    SHA512

    e3f2ee3304c9550ec480ba1551aa7d33f25cb1ceed17edc683c69b327d0b025242138514debd314ad688bdb42924490614dbb51add8430df7c73e9fce78e4c94

  • C:\Windows\SysWOW64\znbvbuaodbyrv.exe

    Filesize

    512KB

    MD5

    7cb74b1022629e4e643e2e68f8f7b33b

    SHA1

    0d712439c7a11e2bd288236658f9c13cd902e0fe

    SHA256

    f5f5bf5558fd7e22fe687762bf2a15155f05d4717bbb9e47fdb7c1ef61456f10

    SHA512

    2add471b57bad282aec8f84d169193b633fd8f6d30562e32c63dbff1eb3f062fba76d73479fdf2a4fddf5fd13db92ba2d16dbc58d5f772f68e68b436ea873d14

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    432ae1849515056282f0187f62b446e4

    SHA1

    5041b89cac717fa7ff8293897a97fed059ccf120

    SHA256

    b648abe51b87c6cb7fc5a1113351f07cfde026b3b2e3466ca001c72063358a86

    SHA512

    749f86afc466e5410d8ab40c0bf61e44a6dec71a094216cc91bca8841179beb2ef3d0a4d2e495060b53233204bc28c9fbdba60f3cbfc43ddbd749e0a8ffe7dd7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    05e6b23d4ed1820ff58f7d107e31d3e7

    SHA1

    b87af02030e497b5f42bed0817c43da3a32aaba1

    SHA256

    c42e93f7bea47f086989b0b7cdbb4f9e4bc6b1afde966b8630ce814604eda862

    SHA512

    8c4020080dd3772827de9256f695ab7e0a3259e6542cb185277304a1c248479d502adf424abbfd63ccf068cf382a1ef2bf78886861b949b70f55387af093e15d

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    3c4c4d98457251cd4df22ab4aaed3b5d

    SHA1

    a1d4331ae9041d77c09cb4d575750634accc0f93

    SHA256

    559d0ec5bab3eb4f5a39dba13814039507d082de7dc1106bf940342cc95fb513

    SHA512

    c94fdee31bea5a35074f6667e8a5ac313eb77ef3b78730594c3fbeb06a8239858daa9c603fc81c4521458518a14f6c6d20038948e26088372f2162cae8a9ff2e

  • memory/3732-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4620-39-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-38-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-36-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-37-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-35-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-43-0x00007FF9CAC90000-0x00007FF9CACA0000-memory.dmp

    Filesize

    64KB

  • memory/4620-40-0x00007FF9CAC90000-0x00007FF9CACA0000-memory.dmp

    Filesize

    64KB

  • memory/4620-123-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-124-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-122-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB

  • memory/4620-125-0x00007FF9CCCF0000-0x00007FF9CCD00000-memory.dmp

    Filesize

    64KB