Analysis

  • max time kernel
    150s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-04-2024 19:47

General

  • Target

    05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    05f0258937d4d1a23c98d5dc52515bf1

  • SHA1

    e39d7c6eb6e89f6b2505eeaf26afb4c5697fc22f

  • SHA256

    bfe4c94cc551e3c6daaccee31f3803ea069e40c0e96fcaf944ed8b91b3d08503

  • SHA512

    618907fda7d7a1fb72193a7b6f36b142593a4fe44292b220f9d19afc1f3ab57595549b6ff1c19eb82ed7815039322cba39184db5b935c664df12bdea541a1487

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
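The Explorer, RegEdit, WinLogon and Run-key signatures above all come down to a handful of well-known registry values. The script below is an added example, not tooling from the report or the sandbox: it parses a `reg export`-style dump taken from a suspect host and flags those values offline. The key paths and the values treated as tampered are assumptions drawn from Windows defaults; the report does not say which values this sample actually wrote. The sample dump is constructed, and the Run value name in it is invented for illustration.

```python
"""Offline check for the Explorer / RegEdit / WinLogon / Run-key indicators.

Added example, not part of the sandbox report. Parses a `reg export`-style
.reg dump and flags the well-known registry values behind those signatures.
Key paths and 'tampered' values are assumptions based on Windows defaults.
"""
import re
from typing import Dict, List

RegDump = Dict[str, Dict[str, object]]

# Assumed locations (standard Windows keys, not taken from the report).
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"
# Directories a Run entry should rarely point into (heuristic, assumed).
SUSPECT_DIRS = ("\\syswow64\\", "\\temp\\", "\\appdata\\")

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> RegDump:
    """Parse [KEY] headers and "name"=value lines of a .reg export.

    Only dword: and quoted string values are decoded; anything else
    (hex:, multi-line blobs) is kept as the raw right-hand side.
    """
    dump: RegDump = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            dump.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        rhs = m.group(3)
        if rhs.startswith("dword:"):
            dump[key][name] = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # .reg escapes backslashes and quotes inside string values.
            dump[key][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            dump[key][name] = rhs
    return dump


def check(dump: RegDump) -> List[str]:
    """Return one finding per indicator present in the dump."""
    findings: List[str] = []
    adv = dump.get(ADVANCED, {})
    if adv.get("HideFileExt") == 1:
        findings.append("explorer: file extensions hidden (HideFileExt=1)")
    if adv.get("Hidden") == 2:
        findings.append("explorer: hidden files not shown (Hidden=2)")
    if adv.get("ShowSuperHidden") == 0:
        findings.append("explorer: protected OS files hidden (ShowSuperHidden=0)")
    if dump.get(POLICIES, {}).get("DisableRegistryTools") == 1:
        findings.append("policy: regedit disabled (DisableRegistryTools=1)")
    wl = dump.get(WINLOGON, {})
    shell = wl.get("Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"winlogon: Shell is {shell!r} instead of explorer.exe")
    userinit = wl.get("Userinit")
    if isinstance(userinit, str) and userinit.strip().lower() != DEFAULT_USERINIT:
        findings.append(f"winlogon: Userinit is {userinit!r}")
    for run_key in RUN_KEYS:
        for name, cmd in dump.get(run_key, {}).items():
            if isinstance(cmd, str) and any(d in cmd.lower() for d in SUSPECT_DIRS):
                findings.append(f"run key: {name} -> {cmd}")
    return findings


def triage(reg_text: str) -> List[str]:
    return check(parse_reg(reg_text))


# Constructed sample dump; the Run value name is invented for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kfwnafzcwkgybeq"="C:\\Windows\\SysWOW64\\kfwnafzcwkgybeq.exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` (and the HKLM WinLogon key) from the suspect host; the WinLogon checks compare against the stock `Shell` and `Userinit` values, so anything appended to them shows up as a finding even when the original entry is still present.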

Processes

  • C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\ligbocdkoc.exe
      ligbocdkoc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\vespwjuy.exe
        C:\Windows\system32\vespwjuy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3984
    • C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe
      kfwnafzcwkgybeq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3144
    • C:\Windows\SysWOW64\vespwjuy.exe
      vespwjuy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:780
    • C:\Windows\SysWOW64\onubnxeyiznfp.exe
      onubnxeyiznfp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4736
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    d3c6f2620418922d43d37ef09de90385

    SHA1

    d08adce0c2938dc21bfbb7e11967fca9c9dea23d

    SHA256

    f6be871eb6d996a90832bd8d1f9fce2a921c140b8000758045a18a75c3ba049a

    SHA512

    6396b73598eba847362ed64117575db0fe9cae42ce238055ec178560a67fda6046bfefdd183917d2c669a1296a88b36d11ae0d37654361f79a4572bf3aa17be3

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    14484f7e7dd6cfab60b5076bb4b0615a

    SHA1

    5cee943eeb54aef779094bfea7a470b6c2987806

    SHA256

    11ac1b7045199450cac1d9f4387c94b08b0b82ef78fde9e3929f9cdf93fe37c3

    SHA512

    adb83df1dfc7b8a57e011feec1e9a96e88794ba03500e86eb2fbbb623cc863c617e80bf23cf02356d92820a4ac22441de285bb3708794f4e6a32b3c44f9f300b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    b17bae5dab7e66d9f45e525073e33759

    SHA1

    be161c4f081031f9eec2d9c73bb0346b10c773b6

    SHA256

    72e9b9cf603e7f93189ef425098cc6fc61f57faf09d1b6e73ad748dd7c372c5b

    SHA512

    407c522d49673f28d2c7ddb45cc3b94800137b36d5b815c891f7016306e6f067e14a365ca7fdb99a1e6a47523e2e2c1d6befeef17b71510515c799cef933958c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    bf602d10c2ea3ea9eb34cf0dbc787e0f

    SHA1

    83cae600df297312743671618b66b2c59eab5cc7

    SHA256

    62989830bad4057cb720594ca4c2da5c3876f4e26785ebfb2955711b00ac6cc6

    SHA512

    e024dadbc24ffde090974b8d0f3b26b2ef0871fcbd7ba6f894e2a26798c45fca8805c830db2f972d7b33e784e067a71be8a5d7cb54281e45ee543b72108dfb31

  • C:\Users\Admin\Documents\UnprotectLimit.doc.exe
    Filesize

    512KB

    MD5

    f2f3dd6ffdd728c33b0db46713d6e577

    SHA1

    f025a5f67579c7b198f22d27d1f27c09efc85878

    SHA256

    a6d5ff626b61e49007ab2718f5054276c7c3daeac8196dccdd5cf27c01694606

    SHA512

    615202a9fb60d6126675400327fa3fa115e2902052cccfc0355911bdf31127cb11a08a9375b9470ec6fbf2e3444423e7ee259c734fa0cc2fcf32d563240f417a

  • C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe
    Filesize

    512KB

    MD5

    02368a30c1c7d1ada4b71f5872ac8491

    SHA1

    d28b6570787715fa261597789000e6051b79dbcd

    SHA256

    dda7b4bef73be1882036e601a193bb92215ed22bd3a0977ebf7f4c616ac4963d

    SHA512

    981b2466e169afbc5f8d45af1fdb824115d28b9ec5a7df53167556b75980c6f411ea40299398d82012b06148342ab0adeb3d59970f5a1e6483ab5920e3719c54

  • C:\Windows\SysWOW64\ligbocdkoc.exe
    Filesize

    512KB

    MD5

    943566a199cce258347a6d23b0048745

    SHA1

    bc22c2bb576e3c664a6872d5ed130649f372e7e6

    SHA256

    9346d59c8c515eccd119422230137bd3c9c3af772b91781e7a59c7ca873d89c3

    SHA512

    107eb50036a0773c6c4e0c02014f0160481b94997adb2070429931e503e1239b66b274006220a1c856ef62bebb45c10fbe48cf779c9356361074c0b01381522a

  • C:\Windows\SysWOW64\onubnxeyiznfp.exe
    Filesize

    512KB

    MD5

    480d0039ec7c01004c18cfc856eed301

    SHA1

    cd26f789cd451fc8a3cae08f6501cebe8a760035

    SHA256

    fbfb1773318cc37017d25926167af9d8f2fcec6bd0734ac4ddad8194cf4d3a35

    SHA512

    6e6bf87094c6c9108bdb2b8443487a323b4617b66ed4f14869a571ede3638b2d4e8743b2245957c877c260fd90239e94f0aafd662b5d368b61fccbc3d063043a

  • C:\Windows\SysWOW64\vespwjuy.exe
    Filesize

    512KB

    MD5

    9f795a54bc07931cae66cebb6c976e6b

    SHA1

    2d9095f106f18612ddab3b92a7d5dd17c33ad3a0

    SHA256

    afb3b83773063ffaf807cd1ed4f279825b3ea548fbaa8e28567db304e01bc7ce

    SHA512

    ca4894c261ed5dd4fe20ae21beec89618a1e64526c9ca7bd069f32919eacc1d543bd4a3795e7d1ca6ae3a0e5d6d727591b0c6448c905efbc4504147de5a25c48

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    2d3611536707bad06df07b6f1886459e

    SHA1

    9e42332e87741c04bfdad3b1d96d12887af6ab42

    SHA256

    68e26edadc48e236b296e8e1dcb9890b39afb01609423425d201a51f4f80e1d9

    SHA512

    b528d49364ad8b23fbdd330fecd62b63d434fb93f6c98ebecb71bf4c0bc7a3656650507ff91517cbde593a8046265fb11800b4c93c7697133e0b8f4cf6014c60

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    1f02e6924ba865a446c4e644e2248334

    SHA1

    d4b5bf568c032f079e0dcac7827706e57423f07e

    SHA256

    2f9929750a8fc6f60353028963ea1171976283a650b93d5775dab16cf81e8b5e

    SHA512

    b1df94c348b04acf4479075f9989ceb46e1b7eabaf9ef08a3a6c39938e945d1d04d68bf87cba3991bab7f08f0a54678a5916a15aae08a63903cfc3775d5ed324

  • memory/4624-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4988-39-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-38-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-37-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-35-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-36-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-41-0x00007FFD5E810000-0x00007FFD5E820000-memory.dmp
    Filesize

    64KB

  • memory/4988-40-0x00007FFD5E810000-0x00007FFD5E820000-memory.dmp
    Filesize

    64KB

  • memory/4988-111-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-112-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-114-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB

  • memory/4988-113-0x00007FFD60C30000-0x00007FFD60C40000-memory.dmp
    Filesize

    64KB
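The dropped-file list above gives a responder concrete names and hashes to sweep other hosts with. The script below is an added example, not tooling from the report: it walks one or more directory trees, hashes every file, matches SHA256 against the executables and `mydoc.rtf` listed in this report, and separately flags document-looking names that end in an executable extension, the pattern behind `UnprotectLimit.doc.exe`, `PROTTPLN.DOC.exe` and `MsoIrmProtector.doc.exe`. The Office `index.dat` and `customDestinations-ms` entries are left out as ordinary Office/shell artefacts. The extension lists and the default roots are assumptions.

```python
"""Host sweep for the dropped files listed in this report.

Added example, not tooling from the report. Hashes every file under the
given roots, matches SHA256 against the report's dropped-file hashes, and
separately flags names like 'something.doc.exe' (a document extension
followed by an executable one). Extension lists and roots are assumptions.
"""
import hashlib
import os
import sys
from typing import Dict, Iterable, List, Tuple

# SHA256 -> path, copied from the report's target and Downloads sections.
KNOWN_SHA256: Dict[str, str] = {
    "bfe4c94cc551e3c6daaccee31f3803ea069e40c0e96fcaf944ed8b91b3d08503": "05f0258937d4d1a23c98d5dc52515bf1_JaffaCakes118.exe (submitted sample)",
    "f6be871eb6d996a90832bd8d1f9fce2a921c140b8000758045a18a75c3ba049a": r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
    "11ac1b7045199450cac1d9f4387c94b08b0b82ef78fde9e3929f9cdf93fe37c3": r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe",
    "a6d5ff626b61e49007ab2718f5054276c7c3daeac8196dccdd5cf27c01694606": r"C:\Users\Admin\Documents\UnprotectLimit.doc.exe",
    "dda7b4bef73be1882036e601a193bb92215ed22bd3a0977ebf7f4c616ac4963d": r"C:\Windows\SysWOW64\kfwnafzcwkgybeq.exe",
    "9346d59c8c515eccd119422230137bd3c9c3af772b91781e7a59c7ca873d89c3": r"C:\Windows\SysWOW64\ligbocdkoc.exe",
    "fbfb1773318cc37017d25926167af9d8f2fcec6bd0734ac4ddad8194cf4d3a35": r"C:\Windows\SysWOW64\onubnxeyiznfp.exe",
    "afb3b83773063ffaf807cd1ed4f279825b3ea548fbaa8e28567db304e01bc7ce": r"C:\Windows\SysWOW64\vespwjuy.exe",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": r"C:\Windows\mydoc.rtf",
    "68e26edadc48e236b296e8e1dcb9890b39afb01609423425d201a51f4f80e1d9": r"C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
    "2f9929750a8fc6f60353028963ea1171976283a650b93d5775dab16cf81e8b5e": r"C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
}

# Assumed: a "document" extension immediately followed by an executable one.
DOC_EXT = {"doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}
EXEC_EXT = {"exe", "scr", "com", "pif"}

# Assumed default roots, matching where the report saw files dropped.
DEFAULT_ROOTS = (r"C:\Windows\SysWOW64", r"C:\Users", r"C:\Program Files")


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name: str, sha256_hex: str) -> List[str]:
    """Reasons a file is worth a look: known hash and/or double extension."""
    reasons: List[str] = []
    known = KNOWN_SHA256.get(sha256_hex.lower())
    if known:
        reasons.append(f"sha256 matches report artefact {known}")
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT:
        reasons.append(f"document name with executable extension (.{parts[1]}.{parts[2]})")
    return reasons


def sweep(roots: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Walk each root and return (path, reasons) for every flagged file."""
    hits: List[Tuple[str, List[str]]] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                full = os.path.join(dirpath, fn)
                try:
                    digest = sha256_file(full)
                except OSError:
                    continue  # locked or unreadable; skip rather than abort the sweep
                reasons = classify(fn, digest)
                if reasons:
                    hits.append((full, reasons))
    return hits


if __name__ == "__main__":
    roots = sys.argv[1:] or list(DEFAULT_ROOTS)
    for path, reasons in sweep(roots):
        print(path)
        for r in reasons:
            print("   ", r)
```

A hash match is a direct hit; a double-extension hit without a hash match still deserves a look, since each dropped copy in this report carries a different hash even where the file name repeats (`MsoIrmProtector.doc.exe` appears twice with different digests).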