Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    28-04-2024 13:10

General

  • Target
    054304c4eda80acb8fdffb9361446403_JaffaCakes118.exe
  • Size
    512KB
  • MD5
    054304c4eda80acb8fdffb9361446403
  • SHA1
    42aaea03bfec9d291d0c2e0e2ebc848cf751994b
  • SHA256
    97391f9f962ee36529fb67ec1890eb6180d472335284d5ba2dadd2d05cc33924
  • SHA512
    e5e83f28635ef713130b38a6d960db6cbb4cd3272d8346c83a68ef10bf147da4536292e6c87343de8e0994a36ba77e67f45c111ae451d1e5217efecbb8549a21
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (7 IoCs)
    AutoIT scripts compiled to PE executables.
  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTPs, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\054304c4eda80acb8fdffb9361446403_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\054304c4eda80acb8fdffb9361446403_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\zsooeoxpfq.exe
      zsooeoxpfq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Windows\SysWOW64\kdtgvxmh.exe
        C:\Windows\system32\kdtgvxmh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2368
    • C:\Windows\SysWOW64\onzflvfpgcdfrmg.exe
      onzflvfpgcdfrmg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c tbxxstvstumew.exe
        3⤵
        PID:2524
    • C:\Windows\SysWOW64\kdtgvxmh.exe
      kdtgvxmh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2512
    • C:\Windows\SysWOW64\tbxxstvstumew.exe
      tbxxstvstumew.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2400
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2764

Network

MITRE ATT&CK Matrix (ATT&CK v13; counts in parentheses as reported)

  • Persistence
    T1547 Boot or Logon Autostart Execution (2)
      T1547.001 Registry Run Keys / Startup Folder (1)
      T1547.004 Winlogon Helper DLL (1)
  • Privilege Escalation
    T1547 Boot or Logon Autostart Execution (2)
      T1547.001 Registry Run Keys / Startup Folder (1)
      T1547.004 Winlogon Helper DLL (1)
  • Defense Evasion
    T1564 Hide Artifacts (2)
      T1564.001 Hidden Files and Directories (2)
    T1112 Modify Registry (7)
    T1562 Impair Defenses (2)
      T1562.001 Disable or Modify Tools (2)
  • Credential Access
    T1552 Unsecured Credentials (1)
      T1552.001 Credentials In Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1120 Peripheral Device Discovery (1)
    T1082 System Information Discovery (2)
  • Collection
    T1005 Data from Local System (1)
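The signature list and the ATT&CK matrix above name the registry changes but not the values behind them. The Python below is an added example, not code from the sandbox report, showing how those same signatures would be reconstructed from endpoint telemetry: a small rule set is run over constructed Sysmon Event ID 13 (registry value set) records and the hits are tallied per technique ID so they can be compared with the matrix. The registry locations used in the rules (HideFileExt and Hidden under Explorer\Advanced, DisableRegistryTools under Policies\System, the CurrentVersion\Run key, and the Winlogon Shell/Userinit values) are the standard Windows locations for these behaviours and are an assumption about what this sample wrote; the report itself does not list them. The event records and the SID are constructed.

```python
"""Map Sysmon registry events onto the Explorer, RegEdit and autostart
signatures in the report, with the ATT&CK IDs the matrix assigns them.

Added example, not code from the sandbox report. Events are constructed; the
registry values in RULES are the usual Windows locations for each behaviour
and are an assumption about what the sample wrote."""
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, fields
# joined with "|". Image names are the dropped executables from the report.
SAMPLE_EVENTS = [
    r"EventType: SetValue|Image: C:\Windows\SysWOW64\zsooeoxpfq.exe|TargetObject: HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt|Details: DWORD (0x00000001)",
    r"EventType: SetValue|Image: C:\Windows\SysWOW64\zsooeoxpfq.exe|TargetObject: HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details: DWORD (0x00000002)",
    r"EventType: SetValue|Image: C:\Windows\SysWOW64\zsooeoxpfq.exe|TargetObject: HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools|Details: DWORD (0x00000001)",
    r"EventType: SetValue|Image: C:\Windows\SysWOW64\onzflvfpgcdfrmg.exe|TargetObject: HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\onzflvfpgcdfrmg|Details: C:\Windows\SysWOW64\onzflvfpgcdfrmg.exe",
    r"EventType: SetValue|Image: C:\Windows\SysWOW64\zsooeoxpfq.exe|TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Details: explorer.exe,C:\Windows\SysWOW64\zsooeoxpfq.exe",
    # Benign: a user re-enabling extensions in Folder Options (value 0 shows them).
    r"EventType: SetValue|Image: C:\Windows\explorer.exe|TargetObject: HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt|Details: DWORD (0x00000000)",
    # Benign: unrelated service start-type change.
    r"EventType: SetValue|Image: C:\Windows\System32\svchost.exe|TargetObject: HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start|Details: DWORD (0x00000002)",
]

ADVANCED = r"\\Explorer\\Advanced\\"
# Stock Winlogon values; anything else appended to Shell/Userinit is a persistence hook.
WINLOGON_DEFAULTS = {"explorer.exe", r"c:\windows\system32\userinit.exe,"}

# (regex on normalised key path, predicate on parsed value, report signature, ATT&CK ID)
RULES = [
    (ADVANCED + r"HideFileExt$", lambda v: v == 1,
     "Modifies visibility of file extensions in Explorer", "T1564.001"),
    (ADVANCED + r"Hidden$", lambda v: v == 2,          # 2 = do not show hidden files
     "Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    (ADVANCED + r"ShowSuperHidden$", lambda v: v == 0,  # 0 = hide protected OS files
     "Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v == 1,
     "Disables RegEdit via registry modification", "T1562.001"),
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", lambda v: isinstance(v, str),
     "Adds Run key to start application", "T1547.001"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
     lambda v: isinstance(v, str) and v.strip().lower() not in WINLOGON_DEFAULTS,
     "Modifies WinLogon", "T1547.004"),
]


@dataclass
class Finding:
    image: str
    signature: str
    technique: str
    target: str
    value: object


def parse_event(line):
    """Return (image, key path with the user SID folded to HKCU, parsed value)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    target = re.sub(r"^HKU\\S-1-5-21-[0-9-]+\\", r"HKCU\\", fields["TargetObject"])
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]+)\)", fields["Details"])
    value = int(m.group(1), 16) if m else fields["Details"]
    return fields["Image"], target, value


def detect(events):
    """Apply every rule to every event; one Finding per (event, rule) match."""
    findings = []
    for line in events:
        image, target, value = parse_event(line)
        for pattern, check, signature, technique in RULES:
            if re.search(pattern, target, re.IGNORECASE) and check(value):
                findings.append(Finding(image, signature, technique, target, value))
    return findings


def technique_counts(findings):
    """Per-technique tally, comparable with the numbers in the ATT&CK matrix."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.signature:55} {f.image}")
    print(technique_counts(detect(SAMPLE_EVENTS)))
```

The value predicates matter as much as the key paths: HideFileExt=0 and Hidden=1 are a user making Explorer more transparent, not less, and firing on those would bury the real hits in noise. The Winlogon rule compares against the stock values rather than flagging every write, because Windows servicing legitimately rewrites Userinit.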


Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize: 512KB
    MD5: 14e3574a43bb0e6930231fff4afc6b2d
    SHA1: b2849e1c84c5acc03eba1948b9413b9c1d42bf0a
    SHA256: ba1616556826816911b6ab377480f57e0ce4b62206604851aa7e2da6550819ae
    SHA512: cd3d8b0fdac76171c3437a2618487e0b6a3b4d572dd48508391d3998d31566129eef18eee5fea99b88ee510ad24372d0606d0e460e17fa3359922ac650b665dd
  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 152f01be7c4522ac56b78e66c5e0aa64
    SHA1: 696922ef7b6fe63f9788de44b6db74a68748e0ed
    SHA256: b54285f413dbcf7f357389a01289adfbb5be8e416e6753d7a1913064d5a740b7
    SHA512: d8d660a7a12c91077e37c41104e825526ddff7297a238433df4e1aa1c27f14d91c0ad86599fb867d86da6578d852e3f5ba77b7dcf4488404cc82d5f1ae7e14fc
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 33d297d19ea28d9078b74c72c0f318bf
    SHA1: a24b2c91a1d76e75790c45105f8d7796371980ee
    SHA256: 58303b28ef66b18a0341534e5610887adfd3492125c226c6234709b105efc45e
    SHA512: af968897cb87e1bf940940a2240f356eff587a0d11e33c22cf0f771e2d5c352f729008a0e2fa9373d65d7313e109705a6e2135853c550ce58de684afc5afe06e
  • C:\Windows\SysWOW64\onzflvfpgcdfrmg.exe
    Filesize: 512KB
    MD5: 83f9ae6aba831e3c7a14f5f61f356f35
    SHA1: 2a7e2b744afb7a56acbe91a0c0d59f598e6657dd
    SHA256: 87b0957c5434bfe5a8ada7adf30154b0ff5753b24ff2cf669bea15a8d0618669
    SHA512: 342aae865e42d3544863f2ad197c193488a5f581180adee42748d9a0a27c3e99c7e1338f1a09c98fa63454d42e8fd78d7478b7dc86d2d2b617a46b2549af31fa
  • C:\Windows\SysWOW64\tbxxstvstumew.exe
    Filesize: 512KB
    MD5: 646a4e98f9c824e7ce3470886a6888b3
    SHA1: 99b53f3bb24aaa4a8e515236395e2f07214a0f55
    SHA256: fd0a605c96db6f347897755d0083df9e9259d18cf45bbea2dcb440ddfc6ce2b8
    SHA512: 5cd3bcd840ce43dcbf09de581fa3599803851895faf21e36db083ff196188f3fd1cfbd297b4124db8e06d0e0abc9ba95a1b3a828f89956321160a572cc316755
  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
  • \Windows\SysWOW64\kdtgvxmh.exe
    Filesize: 512KB
    MD5: 28a238b28a6a72af32e8104e4b8ae901
    SHA1: 78c7c4799f1d34c37e7876e96b7a0440f7337ce9
    SHA256: 6576b441dbfca733e6b535515c7573cedafe85e4e38289c77f914c1dddbcb529
    SHA512: 19b5ee115f67fc3ca3fbc2b8c4ad605a46dfc9322b0399eda62fb884447a9d201baec457b3422ff5345d662f445bcbcfc7cc13fcffc8f678aee5813690a92c54
  • \Windows\SysWOW64\zsooeoxpfq.exe
    Filesize: 512KB
    MD5: 95cb904b8380241073fdab200896a34b
    SHA1: bac11822dced4c1aeaf4d0ecb910e8cb7fe44ec9
    SHA256: 5434ea2725e13465ad3da8018538577b5a372591d67e3e051b6e67b2e061fddf
    SHA512: 20a78a561f3dede4b0430f6ea0d9de165d56b776346a93a84a5d95447be431c3d8fac1311da7154939a391b6e065d5050d558eb40a9771a073b32aa2a0a1276d
  • memory/1696-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/1696-93-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2888-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB
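The dropped-file list above is what a responder would sweep other hosts for. The Python below is an added example, not part of the sandbox report: it walks a directory tree, hashes every file, and reports anything whose SHA-256 matches a dropped file, plus any executable carrying a decoy document extension in the style of PROTTPLN.DOC.exe and PROTTPLV.DOC.exe (a name that reads as "PROTTPLN.DOC" once the HideFileExt change from the signature list has taken effect). The SHA-256 values are copied from the report; the double-extension rule is the editor's own heuristic and an assumption about how related droppers name files. Normal.dotm is left out because Word rewrites it on every run, so its hash belongs to the sandbox image rather than the sample. The demo tree is constructed in a temporary directory with stand-in content, since the real dropped files cannot be reproduced offline.

```python
"""Hunt a directory tree for the files this sample dropped.

Added example, not part of the sandbox report. SHA-256 values come from the
report's dropped-file list; the double-extension rule is an editorial
heuristic and an assumption about related droppers."""
import hashlib
import os
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# SHA-256 -> file name, from the report (Normal.dotm omitted: Word rewrites it).
DROPPED_SHA256 = {
    "97391f9f962ee36529fb67ec1890eb6180d472335284d5ba2dadd2d05cc33924": "054304c4eda80acb8fdffb9361446403_JaffaCakes118.exe",
    "5434ea2725e13465ad3da8018538577b5a372591d67e3e051b6e67b2e061fddf": "zsooeoxpfq.exe",
    "6576b441dbfca733e6b535515c7573cedafe85e4e38289c77f914c1dddbcb529": "kdtgvxmh.exe",
    "87b0957c5434bfe5a8ada7adf30154b0ff5753b24ff2cf669bea15a8d0618669": "onzflvfpgcdfrmg.exe",
    "fd0a605c96db6f347897755d0083df9e9259d18cf45bbea2dcb440ddfc6ce2b8": "tbxxstvstumew.exe",
    "ba1616556826816911b6ab377480f57e0ce4b62206604851aa7e2da6550819ae": "PROTTPLN.DOC.exe",
    "b54285f413dbcf7f357389a01289adfbb5be8e416e6753d7a1913064d5a740b7": "PROTTPLV.DOC.exe",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": "mydoc.rtf",
}

# A document-looking name that is really an executable (heuristic, not from the report).
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|pdf|xls|xlsx|ppt|txt|jpg)\.(exe|scr|com|pif)$", re.I)


@dataclass
class Hit:
    path: str
    reason: str
    sha256: str


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a whole disk can be swept without reading files into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known=DROPPED_SHA256):
    """Walk root; a hash match wins over the name heuristic for the same file."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:  # locked, unreadable or vanished: skip it, keep sweeping
                continue
            if digest in known:
                hits.append(Hit(path, "known-hash:" + known[digest], digest))
            elif DOUBLE_EXT.search(name):
                hits.append(Hit(path, "double-extension", digest))
    return hits


def demo():
    """Build a constructed tree in a temp dir, hunt it, return {basename: reason}."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    try:
        office = Path(root, "Program Files (x86)", "Microsoft Office", "Office14", "1033")
        office.mkdir(parents=True)
        stand_in = b"MZ constructed stand-in for a dropped AutoIT executable\n"
        (office / "PROTTPLN.DOC.exe").write_bytes(stand_in)     # caught by hash
        (office / "invoice.PDF.exe").write_bytes(b"MZ other")    # caught by name only
        (office / "letter.doc").write_bytes(b"{\\rtf1 benign}")  # ignored
        Path(root, "readme.txt").write_text("benign")            # ignored
        # The real hashes cannot be reproduced offline, so register the stand-in's
        # digest alongside them; a live sweep uses DROPPED_SHA256 unchanged.
        known = dict(DROPPED_SHA256)
        known[hashlib.sha256(stand_in).hexdigest()] = "constructed stand-in"
        return {os.path.basename(h.path): h.reason for h in hunt(root, known)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{reason:32} {name}")
```

Hash matches are exact evidence of this sample; the double-extension hits are leads that need a look at the file, because the same naming trick is shared by many droppers and is not specific to this one. On a live host, point hunt() at the drive root and expect a sweep of Program Files and SysWOW64 to take minutes, not seconds.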