Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240419-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    08/05/2024, 04:56

General

  • Target

    2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    2349852bc9d9eee415ab04c97bcb8b1a

  • SHA1

    de1bb707af8b54441cb7e55944d2542614b59506

  • SHA256

    bf1fe4e57e1416f305ef171785abc391e4d2d80d80283238d2f73199665a8386

  • SHA512

    7e817d9380215a08506732fd53737883d0e2428c4e4dc7b53a6402ad04a9f685bdfa22bb1c5ea5f2cba45868f7941d5c04726a01320bbd0fc86322df8e9f8170

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\sqrupzxdeo.exe
      sqrupzxdeo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\zsdxvgqa.exe
        C:\Windows\system32\zsdxvgqa.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2852
    • C:\Windows\SysWOW64\zdnctvslrcsndhv.exe
      zdnctvslrcsndhv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Windows\SysWOW64\zsdxvgqa.exe
      zsdxvgqa.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Windows\SysWOW64\zyyyxzcccuyoc.exe
      zyyyxzcccuyoc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2860
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1932
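The signatures and process tree above reduce to a handful of host events a detection engineer can write rules for: a binary in SysWOW64 launched by an executable in the user's Temp directory, Explorer and RegEdit policy values flipped, a Run entry and Winlogon value rewritten, and WINWORD.EXE opening an RTF out of C:\Windows. The following is an added example, not part of the sandbox report, that runs such rules over constructed Sysmon-style events modelled on this tree. The registry value names it checks (HideFileExt, Hidden, ShowSuperHidden, DisableRegistryTools, Winlogon Shell and Userinit, Run) are assumptions: the report names behaviours, not the exact keys it saw.

```python
"""Detection logic for the behaviours in this report's Signatures and Processes
sections, run over constructed Sysmon-style events.

Added example, not part of the sandbox report. The registry values checked
(Explorer Advanced HideFileExt/Hidden/ShowSuperHidden, Policies System
DisableRegistryTools, Winlogon Shell/Userinit, Run keys) are ASSUMED to be the
ones behind the signature names; the report lists behaviours, not keys.
"""
import re
from collections import defaultdict

# Constructed events shaped like Sysmon EventID 1 (process create) and
# EventID 13 (registry value set). PIDs and paths echo the report's tree.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2428, "image": DROPPER, "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2832, "image": r"C:\Windows\SysWOW64\sqrupzxdeo.exe", "parent": DROPPER},
    {"type": "registry", "pid": 2832, "data": "1",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"type": "registry", "pid": 2832, "data": "1",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"type": "registry", "pid": 2832, "data": "explorer.exe,zyyyxzcccuyoc.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"type": "registry", "pid": 2600, "data": r"C:\Windows\SysWOW64\zdnctvslrcsndhv.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\zdnctvslrcsndhv"},
    {"type": "process", "pid": 2968, "parent": DROPPER,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"'},
    # Benign control: a user-profile updater registering its own Run entry.
    {"type": "registry", "pid": 4000, "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

SYSDIR_IMAGE = re.compile(r"^c:\\windows\\(system32|syswow64)\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
OFFICE_IMAGE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
DOC_IN_WINDIR = re.compile(r'"c:\\windows\\[^"]+\.(rtf|docx?|docm)"', re.I)
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"


def _tail(key: str, n: int) -> str:
    """Last n components of a registry path, lower-cased, hive-independent."""
    return "\\".join(key.split("\\")[-n:]).lower()


def match_registry(ev: dict):
    data = str(ev.get("data", "")).lower()
    t2, t3 = _tail(ev["key"], 2), _tail(ev["key"], 3)
    if t3 == r"explorer\advanced\hidefileext" and data == "1":
        return "explorer_hides_file_extensions"
    if t3 == r"explorer\advanced\hidden" and data == "2":
        return "explorer_hides_hidden_files"
    if t3 == r"explorer\advanced\showsuperhidden" and data == "0":
        return "explorer_hides_system_files"
    if t2 == r"system\disableregistrytools" and data == "1":
        return "regedit_disabled"
    if t2 == r"winlogon\shell" and data != "explorer.exe":
        return "winlogon_shell_modified"
    if t2 == r"winlogon\userinit" and data.rstrip(",") != USERINIT_DEFAULT:
        return "winlogon_userinit_modified"
    # Run entries pointing into SysWOW64 are rare for legitimate software.
    if ev["key"].split("\\")[-2].lower() == "run" and re.search(r"\\syswow64\\", data):
        return "run_key_targets_syswow64"
    return None


def match_process(ev: dict):
    image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
    if SYSDIR_IMAGE.match(image) and TEMP_DIR.search(parent):
        return "system_dir_binary_spawned_from_temp"
    if OFFICE_IMAGE.search(image) and DOC_IN_WINDIR.search(cmd):
        return "office_opens_document_from_windows_dir"
    return None


def run_rules(events):
    """Return [(pid, rule_name)] for every event that matches a rule."""
    alerts = []
    for ev in events:
        hit = match_registry(ev) if ev["type"] == "registry" else match_process(ev)
        if hit:
            alerts.append((ev["pid"], hit))
    return alerts


def by_pid(alerts):
    """Group rule hits per process so one PID with many hits stands out."""
    grouped = defaultdict(set)
    for pid, rule in alerts:
        grouped[pid].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    for pid, rules in sorted(by_pid(run_rules(SAMPLE_EVENTS)).items()):
        print(pid, sorted(rules))
```

Grouping hits per PID is the useful part: no single rule here is conclusive (a Run key or a Winlogon change has legitimate writers), but PID 2832 tripping four of them within one execution chain rooted in a Temp-dropped executable is the pattern worth alerting on. The benign OneDrive Run entry is included to show the rules do not fire on an ordinary user-profile autostart.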

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            432c1a6c438c4e96b592fd06b5b2fdc9

            SHA1

            5e71c02797f11c4929ce9b8028d875ac9dbdfa3d

            SHA256

            581d29a2c619897122f743fd4254292d5bfade7d35ce92252db0146077f946c3

            SHA512

            0b5fc30f88aed6244792360296bb1e04d2d8e874ea7602230642746c4071b679845a1f4411ff8e6c3c7e17027c459998b1533526b4450653ddd8530fa8eb4ffc

          • C:\Program Files\DismountSuspend.doc.exe

            Filesize

            512KB

            MD5

            6c8221b7e670a1fa851c26a316cb6d7d

            SHA1

            25feda0c00125b1a00bd2bb436c9a1b078ebdd07

            SHA256

            975e0969872807a575028543f86259acdd37c88df1e04f12f41d54d57c36004c

            SHA512

            c166839fcc82897e6c2f0623491ec4cb694b93b3263dc61ae44ebf483cfe2f5147791b2d525f69f32119f57defb62e6d22b0e362d44b780bc90ec650036674d2

          • C:\Program Files\StopShow.doc.exe

            Filesize

            512KB

            MD5

            d3a5e2ca580e93baa53242157362367d

            SHA1

            7f3f70f57a6481bca463627efe59ad1d4bda62bd

            SHA256

            dad67e81a36cfddfbfedcd66e2a3c07da421cfb4bf605fe0144e34633af7c69b

            SHA512

            85b9fb5f3b48f688669241263b1864f9002a285563e4f5d883b7ec47e96843b114e1b2aeaab1d558c2cd677ac4d75ed80dff69cc166ac943236b21ffb4b026e9

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            5a6c498230e19048c4967af22e866443

            SHA1

            d40f27ecf22f86a41f17e7a549eb47cd3a7fa837

            SHA256

            de5e0ad3a4de0c7dee69c254dbaa3f980f432396ddccfd5649885bd8e8df1a7e

            SHA512

            78abec271ec33870024d7793e4f5aa282a4322d098b591b220c8da8c1fc535e8fbc12b2ea8d2df6e54aa851c34b9b46671ff6d5f6ce1c1bcb84475fc27766830

          • C:\Windows\SysWOW64\zdnctvslrcsndhv.exe

            Filesize

            512KB

            MD5

            18df9be64329575850fbcde02220a1fd

            SHA1

            b2816c29a259df20feff230318638804bf75be84

            SHA256

            46184d94324f4b2d9de35880067db862ed6a1365c71bccb43d5ce0f29be7be11

            SHA512

            93ffe1e3212ffbd5ca7ccf6ee5865b8153df51942f83495dfcd2e4b46ed9f130a47189f6ce66e874700fb9727159a414c2dffc6212c49e4a2703012216026f3d

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\sqrupzxdeo.exe

            Filesize

            512KB

            MD5

            3b116d532de2f1eb9e052e8d3b6ecfb2

            SHA1

            e589779d096dc8b6216af43aad9faf9c58f4cfa7

            SHA256

            75a9ae0ebd3877386b59e3df3b759efec76bf68e8fad3edae31423ec72989cea

            SHA512

            09c5fc204546a8d23fb1cc3e81ae0bf40d6abd031e4f2c66cb7c8ea611435b8bd98474e4ebbccc4c60ea815cc3f79292d8a68631f46a3927c4155ecdbb4596d0

          • \Windows\SysWOW64\zsdxvgqa.exe

            Filesize

            512KB

            MD5

            a20179d6812cde984bd161a10c290341

            SHA1

            0062cb2ad5139655fd9c21bf097bf872f5d42622

            SHA256

            bf238e128717e77802df8cd4ab28f2ae941e845faaa17445d67cf6cb23907fc1

            SHA512

            3f78c920bdc86c05d93236c88b8bb291f9d95476663a498926c10d7bdbd259113abc2e6c4d62e48eb31d9fc28feec7b0dfd9135ce8e4d9fc7752a5da880a4a27

          • \Windows\SysWOW64\zyyyxzcccuyoc.exe

            Filesize

            512KB

            MD5

            aab13a6266bad4caeb5dbfef3493fd5d

            SHA1

            40873068216fad5787f35b62bddf4e25f395c8b1

            SHA256

            4d390c87ef24ab647c343976f8923e4f953cfebc9ef9da592834c4a7f7aa702e

            SHA512

            87a8e3273b7d7afe513422629788068304acf307fe79f46eedff05fd85798ee27fcbdf31b1bfc3513e3918f8e869e3379868e1d81a94bcf351ca153d8f61cda0

          • memory/2428-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/2968-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2968-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB
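Every dropped executable above is exactly 512KB yet carries a different hash, so a responder who only matches the hashes listed here will miss the next drop of the same family; the naming pattern (a document-looking name with a trailing .exe, such as DismountSuspend.doc.exe and PROTTPLV.DOC.exe) and the SysWOW64 drop location are the more durable signals. The following is an added example, not part of the sandbox report, of a sweep that checks both: SHA256 matches against the Downloads list and double-extension lures. It builds a constructed directory tree with stand-in content (the real payloads are not reproduced), so offline only the double-extension rule and the hashing path are exercised.

```python
"""Sweep a directory tree for artefacts from this report: files whose SHA256
matches a dropped file, and double-extension lures such as *.doc.exe.

Added example, not part of the sandbox report. run_demo() builds a constructed
tree with stand-in content, so only the double-extension rule and the hashing
plumbing can be exercised offline; the real droppers are not reproduced.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the General and Downloads sections of the report.
REPORT_SHA256 = {
    "bf1fe4e57e1416f305ef171785abc391e4d2d80d80283238d2f73199665a8386": "submitted sample (2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe)",
    "581d29a2c619897122f743fd4254292d5bfade7d35ce92252db0146077f946c3": "PROTTPLV.DOC.exe",
    "975e0969872807a575028543f86259acdd37c88df1e04f12f41d54d57c36004c": "DismountSuspend.doc.exe",
    "dad67e81a36cfddfbfedcd66e2a3c07da421cfb4bf605fe0144e34633af7c69b": "StopShow.doc.exe",
    "46184d94324f4b2d9de35880067db862ed6a1365c71bccb43d5ce0f29be7be11": "zdnctvslrcsndhv.exe",
    "75a9ae0ebd3877386b59e3df3b759efec76bf68e8fad3edae31423ec72989cea": "sqrupzxdeo.exe",
    "bf238e128717e77802df8cd4ab28f2ae941e845faaa17445d67cf6cb23907fc1": "zsdxvgqa.exe",
    "4d390c87ef24ab647c343976f8923e4f953cfebc9ef9da592834c4a7f7aa702e": "zyyyxzcccuyoc.exe",
}
# Document-looking name with an executable extension, as in the dropped files.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.I)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs=None):
    """Return findings for every file under root that matches an IOC hash
    or the double-extension lure pattern."""
    iocs = REPORT_SHA256 if iocs is None else iocs
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        digest = sha256_file(p)
        if digest in iocs:
            reasons.append(f"sha256 matches report artefact: {iocs[digest]}")
        if DOUBLE_EXT.search(p.name):
            reasons.append("document-named executable (double extension)")
        if reasons:
            findings.append({"path": p.relative_to(root).as_posix(),
                             "sha256": digest, "reasons": reasons})
    return findings


def run_demo():
    """Build a constructed tree, sweep it, and return (findings, stand-in digest)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Program Files").mkdir()
        # Constructed stand-ins; the bytes are not the real dropped files.
        (root / "Program Files" / "StopShow.doc.exe").write_bytes(b"MZ stand-in, not the real dropper")
        (root / "Program Files" / "readme.txt").write_bytes(b"benign text file")
        (root / "SysWOW64").mkdir()
        dropped = root / "SysWOW64" / "zsdxvgqa.exe"
        dropped.write_bytes(b"MZ second stand-in")
        # Register the stand-in's digest as a known IOC so the hash path is exercised.
        known = sha256_file(dropped)
        iocs = dict(REPORT_SHA256, **{known: "constructed stand-in for zsdxvgqa.exe"})
        return sweep(root, iocs), known


if __name__ == "__main__":
    for finding in run_demo()[0]:
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

On a real host, point sweep() at C:\Windows\SysWOW64, C:\Program Files and C:\Program Files (x86), which are where this sample wrote. The memory dump entries at the end of the Downloads list are sandbox-side artefacts and are not something the sweep can look for on disk.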