Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 14:01

General

  • Target

    05595892d9082a955f91a96b3d8af238_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05595892d9082a955f91a96b3d8af238

  • SHA1

    5c94cde0436017a4e3673aa48388ac6fa074cc59

  • SHA256

    b2850b3a1c5aced9f4963a07efeafda059b244497a62703b18cd5141a912f90d

  • SHA512

    7c04eb7b8fb05a4173ff9189f761e82a8d6a7eab43fefbe420d375e87e2cc11c94726ddd96caead2f183a3d3454cc1b09356bf57fcff30c44553bf589d0f9dd4

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05595892d9082a955f91a96b3d8af238_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05595892d9082a955f91a96b3d8af238_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\jtflabtmkw.exe
      jtflabtmkw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\ttfqixtg.exe
        C:\Windows\system32\ttfqixtg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692
    • C:\Windows\SysWOW64\fjhbceaxhfwtsrm.exe
      fjhbceaxhfwtsrm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2792
    • C:\Windows\SysWOW64\ttfqixtg.exe
      ttfqixtg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2404
    • C:\Windows\SysWOW64\fihjytxnlphfa.exe
      fihjytxnlphfa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2532
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      c30f89efe0bfafc7e03595ea4fb1bcc0

      SHA1

      569eb255907b5daa96fdc7cd0d9e2b17b7b37afc

      SHA256

      b037f7496a5f62db567057a40663ebf69607a61d9f975eb5f1c8f660f7af2d52

      SHA512

      865f7bf1c832ac3f0cce31e5eb5c85c91e0e1f09d3e055078ff7a8a3f0ce2f4370bd60862e727ec3334ae852a2fc9c42d9baaa8324f1612423d2790cdfc5ea15

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      e0c97744289dda398df42ed2d375e9f0

      SHA1

      2386140878d5c82c46f7ead4c71784e2e7d15c3c

      SHA256

      2a388efdd90764f4a82031a22b6de6b6ff94ce183429a9e98106aa23ce945de9

      SHA512

      4d266378445a5c82c6d9aca3593443dff22ebfb167a0102d309c7d38b75c7d05ed1d5e4ee68316d2a4d3dcfe46df9850e72620b48394d267ecb7d0c176b3cd0c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      c64a125404c4e715c61dcdf8e3938d56

      SHA1

      2d0174f90b9295e1dbab2885b989d1b2f17402b5

      SHA256

      341117622189353f1c092b38f438c56557ef2bdfbff99762f56280a63d363023

      SHA512

      9c889860dee0662c00ec3f0aefca1617bdcaa369e21e8057dcdae3465223c364c82c14ac5612ff347273fc5c7bcbfd2b050e3af2db81456a38eec753fcc3b842

    • C:\Windows\SysWOW64\fjhbceaxhfwtsrm.exe
      Filesize

      512KB

      MD5

      8693336f453b81f3faac5ad418fd4a10

      SHA1

      b07d3265d692b68f039570f93f786070d79e74b3

      SHA256

      5196af5844b52347f938b3bcf4be1d38ac84c14d2704d7495d2db053834ff18d

      SHA512

      a32d642810b84fef186ae52328eb8035f6bd9b223c0986c4a473000fff2e79e356bfff8d2b6f8b99a8d947c9ff7464eed738f4f1ef1418f9b25aa77b31c3d149

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\fihjytxnlphfa.exe
      Filesize

      512KB

      MD5

      c4b4201b3e2a77122109cab2cd6fca79

      SHA1

      1aad7bef4efd1e3b0c3b7539b814685a77a2aa24

      SHA256

      7260d37d425b075af7a347366c4f07f081c27d0e6a843c181f7fefdba24517e9

      SHA512

      310afdbbdfd1b36477ff939189d1d8d20d0f5fa6b282bc3217212b9a1903d46feb778f520b3ce8345d04455cee84f43acbf4960c8898b044d3296168ef748327

    • \Windows\SysWOW64\jtflabtmkw.exe
      Filesize

      512KB

      MD5

      809a28a0efef5bf711c90d70faa56839

      SHA1

      f6cc8948840386cc46d60c62ec7c0ca097255941

      SHA256

      202a633a9703927a0509b1cb0e85177857bba1a869c4678c7e30baee70d8f7cb

      SHA512

      e8b17f44509a1e978a2281d321cf2bdc26586fbe666665182acf96f03412ac7b8315336df82aabb434fbb7ff0f93b0b0255de51a6bc4430dd77a3ea39516acac

    • \Windows\SysWOW64\ttfqixtg.exe
      Filesize

      512KB

      MD5

      d13191a85c129ef0930144ffbe3f3194

      SHA1

      9b39c1f03ab4ac756215a97e26b254455f541971

      SHA256

      a67c2128b9e76ace605301ac213e83c12f31a488e2f3b112e910f4e72784e0a3

      SHA512

      8da885eed232c947256a2928e3bb8b8f156973a0ba6b0dc67ac93a90b2b5ee0872446c85fce9488164cc8fc9933913801dff9870623880b143895e38fe6ed18b

    • memory/1848-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1848-100-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2444-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB