Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-04-2024 19:47

General

  • Target

    05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05f0258937d4d1a23c98d5dc52515bf1

  • SHA1

    e39d7c6eb6e89f6b2505eeaf26afb4c5697fc22f

  • SHA256

    bfe4c94cc551e3c6daaccee31f3803ea069e40c0e96fcaf944ed8b91b3d08503

  • SHA512

    618907fda7d7a1fb72193a7b6f36b142593a4fe44292b220f9d19afc1f3ab57595549b6ff1c19eb82ed7815039322cba39184db5b935c664df12bdea541a1487

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\ligbocdkoc.exe
      ligbocdkoc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\vespwjuy.exe
        C:\Windows\system32\vespwjuy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2556
    • C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe
      kfwnafzcwkgybeq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2748
    • C:\Windows\SysWOW64\vespwjuy.exe
      vespwjuy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2488
    • C:\Windows\SysWOW64\onubnxeyiznfp.exe
      onubnxeyiznfp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2632
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:272

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      97db290bc0a1a666b7bef51414ade4c0

      SHA1

      9d9e687be2c2f1e8721635e0d1b7e57d4f07ac5a

      SHA256

      4b55e2cbc2c1c040527b3e8eb50b6ae3090deb5260bf6b9b4abc815b785160df

      SHA512

      6a2fa3a4690861f6fc7e0fa5a7a606f49d954ab34a9b3fe1275d8c137c961d5097da9a519267c32ce966f84aba7b82d9b7819f2ff928d1ca3c0e8f5d6af01357

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      7cd3293b5e1bde7b6c4515ff2bd0a020

      SHA1

      70d620c89aac1334352e88de353e41e52806bdd0

      SHA256

      3726b1290443a1420b0d9076c2ff23d92039f1673d673f037535eac549b40adc

      SHA512

      a579eb1aaa0a9b755acfe469651745cb938bde456c0aba0446c2182d287e59b7d36a5fc7c797cba7aec0d69dfcdc616ac619ed1010aa81fedc786b39fa64d6d0

    • C:\Users\Admin\Music\MountWatch.doc.exe

      Filesize

      512KB

      MD5

      e2e8a1aed2c64f21f2e4d338b9ad3262

      SHA1

      3cdbb40be9cf80776e33b27d931d72e498f1de81

      SHA256

      b42d6a74c13a0fa7233c5ba396c147b3195aca41f919564cfabcde528612f3b7

      SHA512

      ecff4127a55f22aee7947f89029672a68333527505c3d19bd862ddaf3bda5eff6beb44bd059a30b97830e95bcefcbb508a43c3c8ffd5a55eaaadb290db120e02

    • C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe

      Filesize

      512KB

      MD5

      e84311e0c5a506b8a92349ce29b4abfc

      SHA1

      c5778a309d8434be56a61efa09d8605c09b8c6af

      SHA256

      b67095f8409b7f8d74ceacdb04069acb5e57b3897c3299d08f7f6a0c94332e77

      SHA512

      84b960a8095581fd49058a1a09b9dff8d87aa558527434d9634cad2f2ae2fe1b3983a846b9872fd4d4b77726daf169690fec159614f7582a4d75808c01781f5c

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\ligbocdkoc.exe

      Filesize

      512KB

      MD5

      52cef060412d178e90469527d9273f7e

      SHA1

      3632686407b35c0eb8255a5d4c588aa50bd81e90

      SHA256

      d256a6b0e99d97222f8cfb071c8fce66e1c1c6c13d2bded6e5a5158ff1ddc47c

      SHA512

      08128ee1dd4cfa3ff5dd5279533294865be6534a8f81ad019faa6739b9ba29d6df699d54b9818930c04b5e274bb71043e2fe4f040488b325cdd306e3a755562e

    • \Windows\SysWOW64\onubnxeyiznfp.exe

      Filesize

      512KB

      MD5

      4124da9952a6a95785ea9447343d78fc

      SHA1

      7f387a463e04fa11305a5b7ca22c9860aea33613

      SHA256

      01712bd0cf1385c18d5cba51f7f43518d4a34e620643c4d0822ee0a8698bcacc

      SHA512

      a06fdba35b2deeb6ac9520ff8e2e9dfcd56c568585635734ab647fd8f890bf9bc4a037834272cdcb449a804161e5c78be7308b5f9f9d17b31d9fe667ce06a83e

    • \Windows\SysWOW64\vespwjuy.exe

      Filesize

      512KB

      MD5

      0bc2589fd21f5338ed6cf109b84f93e9

      SHA1

      eef060a20a36e9ab25797fadf0ef762c590aca5b

      SHA256

      f3c80de4d085ce0e0742c2a5319ba493b4f47ef68203c36f63252610bb8f730c

      SHA512

      49e2b2ffad290251c574124de212b666a23fedfde7c26a2621030da5aa2408c9dbc36e89a4d832980cb4873a89c175d46b1f6f8ee6ee5e29e117e487ae61390f

    • memory/2432-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2432-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2440-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB