Overview

overview

10

Static

static

5

0566b2c00f...18.exe

windows7-x64

10

0566b2c00f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    0566b2c00f7a1cfd66f62adddd6014a6

  • SHA1

    3add8370f307668dce587c7ae61a5f62a4db4995

  • SHA256

    1602a478584522bb56ee3d310e16e1df9449347a682fb4c37520e9ae5579c02e

  • SHA512

    9fed5b6548bcc1572e28f97294f7fdc35c4f8b98792be4e732272ecf35bfe3d3a4bf3083e31877c8135bebfbf9bb45c677767734a4e9b5a3d1d30f7be4a3c12c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj62:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0566b2c00f7a1cfd66f62adddd6014a6_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\SysWOW64\gfuqxcklnj.exe
      gfuqxcklnj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\SysWOW64\ejsyacrt.exe
        C:\Windows\system32\ejsyacrt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:364
    • C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe
      pmvcbhofwjnqxdv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2900
    • C:\Windows\SysWOW64\ejsyacrt.exe
      ejsyacrt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1856
    • C:\Windows\SysWOW64\hrescuevlrkhn.exe
      hrescuevlrkhn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3796
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    adec5fd78ab7665b296794f504b3db2c

    SHA1

    55aa60ce3f9fa1c763a38e45997458082afc0300

    SHA256

    f0c574fc58cb553032ed18cf7cc740a28077a8064dd7d4bb73e67bbaa733d7e7

    SHA512

    5b1dca347422923f1d879e76024740f474c9b14dc117c42086d46c415d9bc8d50c8d9172427dacd67e1c936ef861b6f94cae321868102a9156f46fef5d4ed6b8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    247B

    MD5

    1b529425a37b1334b8b33ebd890269a4

    SHA1

    84768e6475b45e3431d5dd62968dde9b92bcb799

    SHA256

    774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440

    SHA512

    8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    4ab1cca57b20d43c085cca209bfcb6e4

    SHA1

    72cac146b61d15f13edbf4db116135fc57b1b763

    SHA256

    26ef78fe86dc3bcdfa7ecab5968869aa1724d0fcae8c9b4c7e4b70f2766c7fbb

    SHA512

    beda4c70fc7fc6daa2d9e302569e8c0ccbc228edb59d11ad5484440f5ab07ccce26570bf219bb4595c0b5e464156fda55c739ee5110f5e985df11cf0660feb0d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a1ceaaf1d7852bd2d9b3d8262c6a0a2e

    SHA1

    65db2629a39ec3dd7a06e347a7714b2b94fb1078

    SHA256

    30444c9ee7d2d77046683b9898f00e70b216eaa5dc39181f9039ee40c2e27690

    SHA512

    7476d10ecaf809b85dd15bda17c9e1b9cdbb270ac60c874af8f3ab5bff8a57ec460eda66ec8a609770a95a649e73d3e4caedf5d53513fc2f0ec838e433ffe75f

    Download Submit
  • C:\Users\Admin\Documents\StopGrant.doc.exe
    Filesize

    512KB

    MD5

    38219792e080a92f9c4a2500d0cfa96e

    SHA1

    d2eb3a5b65f025a3cad9872dacacc42e4a8ed6df

    SHA256

    f7497eacbf654b358bd81361aaa3ab29b0cc432a86eaea2ae123abfdc656e300

    SHA512

    ac5e1c98114604142f69a97f7dab290b394ea82a6f64b033839c9482ce56b037ae22b7601f58af02d234702df76d62978c01f07bac995ce8ba2d2187441011d6

    Download Submit
  • C:\Users\Admin\Downloads\SelectAssert.doc.exe
    Filesize

    512KB

    MD5

    b9da1248da930fe67636376851113a66

    SHA1

    8c6bdcdfe0a279b8c25724ef8fad6309f2848e3f

    SHA256

    69de2ca1f8486c815d3596de87e8838291218bf1d1984101acd2974b92b0dbc4

    SHA512

    49de245601f6064fa026fd679108437f7f3a18c9e55da341421f394737627ef12e2dfb836ef24910c9b593481d5b78bbfd65b986ade7476827fe6e8709d553e3

    Download Submit
  • C:\Windows\SysWOW64\ejsyacrt.exe
    Filesize

    512KB

    MD5

    2ab2ace54e8c77c62e18e9402b2918c4

    SHA1

    12ecc8156e395244b79c83d17d9b17da6ecf0140

    SHA256

    1e4e5be4a1fe572b880cdd844b961661c4123c6816e8629a7933527d5d5fab5a

    SHA512

    c2baa70677dde4b6b1045ca7560a0c02d6e8b9c34a506b972ff83bae554ba55ade5b1f7d05a12828a5ec99523677c44a8e2babb3ccadaabdc0531dfc22b267f7

    Download Submit
  • C:\Windows\SysWOW64\gfuqxcklnj.exe
    Filesize

    512KB

    MD5

    1621bc3bdcbbb70bcb6dc6e9d53f7a0e

    SHA1

    812ee0dbc2d698ebd05fc040be248d669375a07e

    SHA256

    1684013c637b0bdaade299970f10bf9981c98def7e3d582dd3a67850a08b171b

    SHA512

    472a9e48afedd2ae1afafc1ce25e58f093a744203b1d6157f1f973e7a75c9b7957b5a2164183329b5082fc04857820425581e443d8aa8c805defbe66f1b68ebd

    Download Submit
  • C:\Windows\SysWOW64\hrescuevlrkhn.exe
    Filesize

    512KB

    MD5

    af990e3da8d78abd066971fa4a28774b

    SHA1

    d2132c172b16ff04d869c9a8b251ac0fea4d3db9

    SHA256

    0332b16cba63fce559185eba0a5da07068807b4f4da889b5660dfaba1764ae96

    SHA512

    c043bcd91dcf4f026f7b8a45b0abc50652c201cf58c68891afc1ee89d1d18d0e368a6e7a3a624452886b17f7f6cc5961357f1af9709ab7a632689481ff78564d

    Download Submit
  • C:\Windows\SysWOW64\pmvcbhofwjnqxdv.exe
    Filesize

    512KB

    MD5

    fab7752f61d1db185ce6cefc2f008778

    SHA1

    4fa8f542b8ab68004232e9f88264d2e6d2be4ab1

    SHA256

    f4d6ed09dab51bb5cafb28dbbc6b34820901d9a184d69db49e7112810459dfc2

    SHA512

    1e78b79fe90b81123fcf7801c00328644168d1204c682044a4fe03b2452d1ef287947ce8fed36662989254e8ce8de62ce603dbbe471cc411c33082fb1dcd2881

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    d21883502e8f685bdd8580f217373efb

    SHA1

    0cbd59daf090c87017b95bca34a828c6cf53dd15

    SHA256

    29e5638f2ccc46195207cb6224a7e0a6a5614cd1bd6beeaeaf3f2a314756ec45

    SHA512

    e50e9a952c051398e85ffdea269d7080b5656d0bb508406ca9c8c6ba44ce81e6556046a2aadbae35de841356e8fda366d87c44affbccd93c8484e8eed32454a6

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    babacf38ace6fd66ce7405e65bc82bd5

    SHA1

    118f6a8bbfff6f9e154551e162e8fd80e8e42c5c

    SHA256

    55506da9ffbfa872c9ff860f87e7664d5ba774ed734dbc50e1ba472a835e26b9

    SHA512

    061795183aa372fb5292b9684e561657819ada2882b4c4e690e23417264f3e312ed3e2d7659da2a7bb1d1fa7aa5e76338a8638d654418544b43031d10e418246

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    db5ad16133aca03e78a9499bafa36f46

    SHA1

    ccfbb0f72ad7d842127def50558eaf78aab61b8a

    SHA256

    4ac69fbb9fadfdb2c146923d111f8d82953935aeddb71c523184a26ea0dc70c1

    SHA512

    71ac73a91cff011ae41cf360e9fc945a557a997fb151f6dc29f4d98cb765fd39e1befd82fae85ba7d2055373335452330a32c1429bc1ce606f2733ad71fc7acf

    Download Submit
  • memory/1220-40-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-39-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-36-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-38-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-37-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-35-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-41-0x00007FFB8EC20000-0x00007FFB8EC30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-131-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-132-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-130-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1220-129-0x00007FFB91470000-0x00007FFB91480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4928-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download