Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 19:08

General

  • Target

    2b75698498e0bcc8f32fdb6eaf73ea05_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    2b75698498e0bcc8f32fdb6eaf73ea05

  • SHA1

    5b7f94d6c0c4eb7d23d7fbf37a38ff851db99b5f

  • SHA256

    26de62e2920f8a33fcc0ebcd66d02c53d26cef042417a93e96a1744bbb3b377c

  • SHA512

    048b279218de26521f33af4d08286cfdf3d2dd523a2aa278d3178f08668e8f2f800567d26c2f2d7a130039174812534681c466d63bd6b04d8a60bce02021e23d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b75698498e0bcc8f32fdb6eaf73ea05_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2b75698498e0bcc8f32fdb6eaf73ea05_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\vnlppoeixp.exe
      vnlppoeixp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\SysWOW64\opxkgigw.exe
        C:\Windows\system32\opxkgigw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4560
    • C:\Windows\SysWOW64\dfwjvkrfjdcyeum.exe
      dfwjvkrfjdcyeum.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2360
    • C:\Windows\SysWOW64\opxkgigw.exe
      opxkgigw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1420
    • C:\Windows\SysWOW64\uzwpkctalvodd.exe
      uzwpkctalvodd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4500
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    44d0325d75460b499ba44f9ded845fce

    SHA1

    441be089d29173d8ff9daa1f98fbf3f84d2c76da

    SHA256

    a896a19163e9917908edc1f3da56680edfa670d135dffa959a1c3c29e94f2cd2

    SHA512

    5f187dda8132864158022acd1e71ba480b0a5c03b3808adcf1691be064cd1976e3e2f492d3f51f508f548e44193088a614eb208d988dcd8496c010fd691a6da8

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    90c2e846ab54f4f65abe2ba38fe88cd9

    SHA1

    f02d4fdc2f875925f3dc7a51b41746bd310fd68f

    SHA256

    9f729176368efe778a55c0c66999194219ec09ea4b30cbacd83df5f29f252cf7

    SHA512

    2575f6fa81e0c5bf91e8df9f85ed7aae869bc1c27aec13084f6c0d81bc20e0e22b50bec393b1b4c959bed24069180a923f883319a2e0cf89872fa888cde170bf

  • C:\Users\Admin\AppData\Local\Temp\TCD8B1A.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    2de42526bd42042de3f4ea760bd3627a

    SHA1

    5bbba3bd088da14d7283ffc3645be565b3364c8b

    SHA256

    13c1cac5bca4710fa7c8419c19d22cd5576491e9d3fecc21f9115c0df765903e

    SHA512

    f9ad58102d49297feede8574bad57d462d15c76c7b4ddabdbdaa56ea911a02cd8f312ca75312b299554f4dd808eba1d6a3634a9180fa0c3fbfaff85de1ca698b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe5769f5.TMP

    Filesize

    3KB

    MD5

    dccd9a780e7be6943d3c8e052001ef4b

    SHA1

    e740203e509aec8d3eb96d37a59269d3acab38fe

    SHA256

    9ab4dabce57cfc2a268d3ca30fe3b8729ef8c4426137d63401c76557605c02ea

    SHA512

    452066f5b8fb3c8ae52e4a39daac498305e6d6b10eb69ae7d112dbce1447c71c8714907f7d8b35bceff0a74d0eb11bad132bddc01a8907fb8466be12c81af8cd

  • C:\Windows\SysWOW64\dfwjvkrfjdcyeum.exe

    Filesize

    512KB

    MD5

    ea080caa76ef4d637f9e736aaff7f435

    SHA1

    e2b7408a7747c329237e85968c5f3aaa02ed34fd

    SHA256

    f9e12884833bcb1a5ff1a34859f294c99e82f129842ca7b0f94dca9c9e8168d8

    SHA512

    fb474a9396e526f4b5ba77892225bccbbdf16a346bb04fb16cfe0cbf84d68173e410abf6b320dbac271347f2cda738d48a8ab6d1a4741d3aadbf953cd6493694

  • C:\Windows\SysWOW64\opxkgigw.exe

    Filesize

    512KB

    MD5

    14128387028004a4c92367e4a76c3971

    SHA1

    ac332afdcf256395fa3e8fc575d1353da9349af6

    SHA256

    1247d70ae6ce9f9be47e61ea4404e645a3637c4fe7c53832189d746730c2ebaa

    SHA512

    c25fc145a29e5deb0d6411dc235697a7b30384d99f4f437aa614aa87c2b777f2113e02f7985f9c0ada5d9d57f6ac190ed9746ac47a94fec052f1b4fc63dbae0e

  • C:\Windows\SysWOW64\uzwpkctalvodd.exe

    Filesize

    512KB

    MD5

    6512366778ed5e9a79f4f8dbe0a9fb35

    SHA1

    a9280b0ab82273376ed132ad6fedd6db66bdc59d

    SHA256

    688786495be78220bb711aa05692e3a414d209f7ddcd8ceef6bbaf9817f6d73d

    SHA512

    ac465b661440129321f9ac56f3e129557a7fc21e5434968057cf7b1c2c9d0bbaf5968e3266898e436b9bbfddac3ecdb9f28fbb9cb2743ca186ebca0f48bfefe8

  • C:\Windows\SysWOW64\vnlppoeixp.exe

    Filesize

    512KB

    MD5

    cebc9b273b33f0870b64ad240a713c71

    SHA1

    91200b1169342232b69b626c0625eabf7bec3629

    SHA256

    9fd9ea831d26bc1a9c8fe5ac9c76125953282d2939e0caaac719a2ed5ac0e531

    SHA512

    016d8d4cf1e6c90fed55857e966b7def60d711877445663dfbf79bbca59c06f0859a8da59e9d3c709a9ab05c76ab0762944390cf3e92f82a826a7c1eaa20b2ea

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    6d67b182707c6c28fa5dc14157afa94a

    SHA1

    2d641eeff8c54fcdf1612fac26d75c67ca14fd3f

    SHA256

    87b91b3503d4a16a6faa353e11a0f7885faafd74f3ccedc348f51a94f0c9e859

    SHA512

    bd646732b833b35d872f00d3d9918c7fb5d288fd1e1e28693588d914301eb20a43ae4120e7724e319a110443849296d0d747333bc8e4d32d0fee121c6a3a8c34

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    74cc6ed339df67cc096000e4aed38fa5

    SHA1

    4b07808c10a83d8804577376b564df854bc0caec

    SHA256

    c0e2f19cec0825f2e41417d979878192dc405a4e2810c3592e7deededa2e0e82

    SHA512

    eecf3499838141637fa2f13028ddf3f0b52a97b86d3ccff0d56c4b29a6c02c4291a6a8d0b8752df68e87abdb18681e49e61e6d20dc335fbfbaf85a2d87adf568

  • memory/2780-598-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-39-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-36-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-38-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-37-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-40-0x00007FF8A1420000-0x00007FF8A1430000-memory.dmp

    Filesize

    64KB

  • memory/2780-35-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-42-0x00007FF8A1420000-0x00007FF8A1430000-memory.dmp

    Filesize

    64KB

  • memory/2780-601-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-600-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/2780-599-0x00007FF8A39B0000-0x00007FF8A39C0000-memory.dmp

    Filesize

    64KB

  • memory/4616-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB