Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 04:56

General

  • Target

    2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    2349852bc9d9eee415ab04c97bcb8b1a

  • SHA1

    de1bb707af8b54441cb7e55944d2542614b59506

  • SHA256

    bf1fe4e57e1416f305ef171785abc391e4d2d80d80283238d2f73199665a8386

  • SHA512

    7e817d9380215a08506732fd53737883d0e2428c4e4dc7b53a6402ad04a9f685bdfa22bb1c5ea5f2cba45868f7941d5c04726a01320bbd0fc86322df8e9f8170

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2349852bc9d9eee415ab04c97bcb8b1a_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\sqrupzxdeo.exe
      sqrupzxdeo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\SysWOW64\zsdxvgqa.exe
        C:\Windows\system32\zsdxvgqa.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:928
    • C:\Windows\SysWOW64\zdnctvslrcsndhv.exe
      zdnctvslrcsndhv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2052
    • C:\Windows\SysWOW64\zsdxvgqa.exe
      zsdxvgqa.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3856
    • C:\Windows\SysWOW64\zyyyxzcccuyoc.exe
      zyyyxzcccuyoc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4476
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3932

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          78c9d4c7bfb65b0366dd0f620812740e

          SHA1

          319261d5a194fec79a8046a9c6060fe7c56ba3c5

          SHA256

          fff828997b1ff34bf9251699364c235490f44e9ce0097e02ee0a46b5d71ec5d5

          SHA512

          fcf95c010d754d715d5de3050fc189b6acd678d29f56d38b317ac480569231542630e624ddc1c790e61116a50402af3a5d47ee2156a1bfc8564ee8cee718ab76

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          6523dde8ff31b5bd71ce007579e42468

          SHA1

          7343b8d7c98b727d5873bcffa020bc9eb52a3461

          SHA256

          e408f0d1c88715b8c5eb4b6beb476399452eb06a1080f2ba090a75a071730ded

          SHA512

          0bd686b747889b3e7dd5c7aa0d87be817e9c3ae261111cc1e8f35942855c0c6a86d1917bf4f3081472c0284b3851f5919b06fbd35769cf8cd031bac0233ee214

        • C:\Users\Admin\AppData\Local\Temp\TCD858C.tmp\gb.xsl

          Filesize

          262KB

          MD5

          51d32ee5bc7ab811041f799652d26e04

          SHA1

          412193006aa3ef19e0a57e16acf86b830993024a

          SHA256

          6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

          SHA512

          5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          32dadc816ae2e4d93a76b5a8422d33da

          SHA1

          2f1e9b486922389e63d3da1ede3e9b208f80f60f

          SHA256

          f69b3366542516b10e177962cfb7569eab6482cc418209d95c79e487e6476a45

          SHA512

          dc98ea3090d82157f2c85a19658ad3b1345463ef711e75ce6f1fb66c51ad09b8cae21a9a400a389ebd7b9729b7f78cda0c35396d2238e4d6ceb30b95599ad775

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          a6a3e17ff161a3e419995075cd928b44

          SHA1

          9b527b0c73d3cb5bb9f0905b7ed58e4ec0ded8f3

          SHA256

          0c2d69bcf7fb08cc2e796f84bfda7d95c9ee7b93c3d749e496675b204089b0de

          SHA512

          fc28e7f56d047f03626229ade2a396be6c30277a54cbdc9b9515f40b13615e4d7cae15f76856d489d1d71acee8d4917816c337601d888193ec789ccb5bcbce19

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          ca199bc6d7a6f6a0fb4016b8fdbd0d63

          SHA1

          bcc7ba4a7d1ededde5d9d5529fe705adde4e73e6

          SHA256

          050d2aa521bccfcf12f220b2a6c4db4c3673964862dfb4cd7ed7a2e92fd42464

          SHA512

          ec84c47884ef084456abb7737384a930ce2aa55a35bc1b4bd54489c813318ef908f58cb1de24d187f3d4d0822c7397f04ec30c164063641852938220f8ff69fc

        • C:\Users\Admin\Documents\InitializeConnect.doc.exe

          Filesize

          512KB

          MD5

          6931e233f5654454c4ec5e6e3ec15617

          SHA1

          6b3ccb263e8ea5ae7b985b301ee5597b61d39e57

          SHA256

          0adf82e963c802bfd042bda7f08f5787e406f89da60b84337bf861e179875301

          SHA512

          73dbc423aabf9749f0bbec184b4ed80c923cabdb62108f3a4a148b1f4cffd3165cf6a70f46f3d3846544d8374d77785884ba10d0116bd81e8792ae6076bd4cfb

        • C:\Windows\SysWOW64\sqrupzxdeo.exe

          Filesize

          512KB

          MD5

          f80d9197e8be1ab4f430258ba36e74f8

          SHA1

          36ba892b74f066c947485a0b2020ac058f833da2

          SHA256

          50560da4b574a2cad8d4dcb0bd52d38bb136df929542220607272f97622c9081

          SHA512

          1f7899753249a44d3de2b076655bd7339124ed22e8183244f38e64421e89d6f82a5ddd5e32f6e1b11928ce118447d006b88978026531db5ca15074a0fdc55729

        • C:\Windows\SysWOW64\zdnctvslrcsndhv.exe

          Filesize

          512KB

          MD5

          34cf6cd0fa2293f8d8437096e2928f87

          SHA1

          8de32e0141b7de2ea18420c09f85a4a6c8a2ae42

          SHA256

          8599a390efbef3b70118d9fd9dc50d71500872d3981d887684b9698a56859df4

          SHA512

          a2ad54fb89311b7a1fd2d11447aff0c3cb217b521be5dcec414bb592ee1bedad2e418f7bcb3231f2c66693d8124a876031e710930ef83e694dd58fd86db1a299

        • C:\Windows\SysWOW64\zsdxvgqa.exe

          Filesize

          512KB

          MD5

          bb70ffd94d46b66da8cecb3ba08c627c

          SHA1

          18e58cb5e8fd68ae8addb9fad379127a64b735ca

          SHA256

          c027a4c6aeb3d415de4ec29adedbf43766e8db2a095f8036840251905d0773ca

          SHA512

          61ce6dd8a38ad6592975c52d04f02cc73aac34e8f404754dcb03bfe2e6fda44b78c4eef764cfcbaa05413d94c06ec48fa01d4e926ba281cb045b33d7b779eebe

        • C:\Windows\SysWOW64\zyyyxzcccuyoc.exe

          Filesize

          512KB

          MD5

          8fa137f9151d5749b9324feeb1503a22

          SHA1

          48f41e88ab61abbf4377ab4f0e63aaff43dc80d6

          SHA256

          bd3dafe66fcb7b29f17a4e7f7f88d4a653674f4e0c6027a89de7173787241585

          SHA512

          9b02852c96f4744d1076d6b186efe0c79668407325782ee19e6ad539e6fd3e47818a2d1846afeb1897132e276b8c40b5ccedcf900352a7468467637dabc6bbfb

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          366e725253b6dc7e82b2e5936b6d8848

          SHA1

          d969760425116ae6dd8693aa953e71e38d4c231b

          SHA256

          31f0c5fafd664e9e32b6eac2a4abca874da5c22ebb701b6a059a5599e2105c2a

          SHA512

          a7d19ade1d436279c81b394e5dbf504d7b35e50a5391e6fee3e616193dbeff2e0371f19d10f4288f095bb20c79145e30b2d284ac6971e5b8cf7c866bc11010ea

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          1d55e34ae9a2c7b9d3d4e03e8c10461c

          SHA1

          62f53fc26994167b8014a9f76ba9a7807939aa32

          SHA256

          789abc6aeebbefd835791a81da410fa25f332bb22e8e9a84404ac2648589cd50

          SHA512

          cd96be47bac46a63af0027341617c538c88e120fc1154e9f08eea685e193dc31ee7b9706ec72174b26d05c027e3499b7c216d19bb576d5152515fdec9a097440

        • memory/3932-39-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-36-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-38-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-37-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-40-0x00007FFF628B0000-0x00007FFF628C0000-memory.dmp

          Filesize

          64KB

        • memory/3932-35-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-41-0x00007FFF628B0000-0x00007FFF628C0000-memory.dmp

          Filesize

          64KB

        • memory/3932-606-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-604-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-603-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/3932-605-0x00007FFF64D50000-0x00007FFF64D60000-memory.dmp

          Filesize

          64KB

        • memory/4416-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB