Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 13:56

General

  • Target

    055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    055735e29b5b10f70534747b4728f0e0

  • SHA1

    9f532602425f9055a1ce843a141b1a8576c00a6d

  • SHA256

    e5ce80ae6335e3de4780105efc6f0f92085fd34ebf91d33995128fb5890ac605

  • SHA512

    764cca2c2c9cf312a4d30e0661d0091e46ed3e357561eb10c48cb81d079e1740ab6e863f0440734d1d7e2db19a2ba683a941bf22b2c46b203c7cab567dc09135

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (6 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTPs, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (47 IoCs)
  • Suspicious use of SendNotifyMessage (37 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\055735e29b5b10f70534747b4728f0e0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\nulloawdjh.exe
      nulloawdjh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\llisgqza.exe
        C:\Windows\system32\llisgqza.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2552
    • C:\Windows\SysWOW64\ibzdqisomfwkyqc.exe
      ibzdqisomfwkyqc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2624
    • C:\Windows\SysWOW64\llisgqza.exe
      llisgqza.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2540
    • C:\Windows\SysWOW64\tlsbfmmznivkl.exe
      tlsbfmmznivkl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2464

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
  • Privilege Escalation
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
  • Defense Evasion
    • Hide Artifacts (2) T1564
      • Hidden Files and Directories (2) T1564.001
    • Modify Registry (8) T1112
    • Impair Defenses (2) T1562
      • Disable or Modify Tools (2) T1562.001
  • Credential Access
    • Unsecured Credentials (1) T1552
      • Credentials In Files (1) T1552.001
  • Discovery
    • Query Registry (2) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082
  • Collection
    • Data from Local System (1) T1005

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    4d0d085a4439f9b24fecd1f43e8df3c3

    SHA1

    0b1b2b37e3b0d02671686f2a42b7dc5823dc47e1

    SHA256

    966fb6d8b2f8b7d0f298c1716a6815fd153187dbc9b188632f1320c03926b4e6

    SHA512

    8e41e384b07dd5a25dd7eac3a0cd2294f7acbf6193411117991f4b210535a0c32dcb0cfd266a15a9387d1d073811495d563feab2af73bf0d7f6bdea0dae5c05a

  • C:\Windows\SysWOW64\ibzdqisomfwkyqc.exe
    Filesize

    512KB

    MD5

    27d7645031b25e85a992f8d2bb5c33f2

    SHA1

    66c8c903cefc4128cb0bb36cfb609e9d39ab8902

    SHA256

    1e8fb59c5d752f98f1bb04c40f60e026a12f8f4e9f1832b3aa61b967a89f11ff

    SHA512

    882eab9e125a7c7b1eca28a65236a59f43eeffb2790461113cd94ad4d38e66987928beb0be3f6c136b3db2197520d444335ca025d4bd7de12112c3e42cdadd59

  • C:\Windows\SysWOW64\tlsbfmmznivkl.exe
    Filesize

    512KB

    MD5

    255afee29dff5d33d263370c2ee9c111

    SHA1

    451fb8f50929c8c74979ef74e653710e959c7989

    SHA256

    c1bb3cb8de62a51dd288e02cbc4c9ad7bf32f7581ef9465044729ec34ff914cf

    SHA512

    a25482cf7c8099dcca5b9a745922519ede3494b2791b8120eac5c5aa508ab12078ae57e2a400382bd5aed8b5e8317a9205b4515ebcd2a94ac26838f2189fa1d3

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\llisgqza.exe
    Filesize

    512KB

    MD5

    54da357be2237a5677d84d4b7a156e7a

    SHA1

    9afd3162ba85f3c2289b1ff97cfd7c7b9b13e337

    SHA256

    0d4c8c8416e6fb7ab4a64ec78608d08eb8bc573b9e0ed16e450d2a98b4e028ea

    SHA512

    6b8537dc26c57b2658accda2d40ba20d01860e79ded0369b6c203895f80844c9e9102f3affe3fcafd6746e292f05930aac2750c0dce63b078e96ebc5445bc1d5

  • \Windows\SysWOW64\nulloawdjh.exe
    Filesize

    512KB

    MD5

    f4d3b31e2bc65e4fd84d7f40895fefae

    SHA1

    0a6eb3ad97c9c984849321f622b057ff8e53f021

    SHA256

    932d109708ae6f15b975f99e45fbe98772efa070ce17870a4a5c77eb18838ea2

    SHA512

    abe6bf5441b2cc0689210897c53d8404a50212cf2622fb3b365b9333371bbbb964f778b7f8bb101088445f7b601fe182a31e61be4e6e29db8cd3b8026f6affb2

  • memory/2188-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/2444-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/2464-78-0x0000000002B50000-0x0000000002B60000-memory.dmp
    Filesize

    64KB