Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    12-05-2024 02:31

General

  • Target

    37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    37c9021b5c604c13ddcb215e45522baf

  • SHA1

    2a3b8dd39e99d64af92f43627b988194eea5181e

  • SHA256

    6336e604f1684cf483355dae37979b9ae66f039c0caaf616f64c4df715b8d12f

  • SHA512

    59fe6b199a15ac0013aac62f6698e584d3b0bc7107e38571bf34e2b4bd6bc5a221a6afcf3fb59912f37fb9530037ce7afeb4e420dd9f9ebb247264bd513c5811

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\37c9021b5c604c13ddcb215e45522baf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\zqlcpdokxx.exe
      zqlcpdokxx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SysWOW64\bnjwdnxo.exe
        C:\Windows\system32\bnjwdnxo.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2708
    • C:\Windows\SysWOW64\ueldtdbdpetgjcy.exe
      ueldtdbdpetgjcy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1944
    • C:\Windows\SysWOW64\bnjwdnxo.exe
      bnjwdnxo.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2100
    • C:\Windows\SysWOW64\dxorgzmdukcpn.exe
      dxorgzmdukcpn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3024
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1664

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      e4fae66bb84a227cc7775f2cd0ad6ea3

      SHA1

      299bb95df90c14ab0c525542bcf355e8037e2e26

      SHA256

      d1b1040f8289af86d655ea5ea0b24bf27a483191a3924be43bf6aecc8443fcfb

      SHA512

      35347e892ce0779e5a4900718d892d59e0322b50d4b909944be174557ccc5df342dcafc5c86143bbe323eb080658f789bb3d7f9285fe44ee5641ecc417cde674

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b309edaf320cfeda21c4152cbbbd152b

      SHA1

      8af8272fd5e062e1b3704fc842b782776bdf6549

      SHA256

      ad68780795d49272ec66f6fd301f72a6f0690d8b6cc0c3f987313bd892ba6d83

      SHA512

      91da2f18a3d6786ebe9c6aff06ea60dda0ec8c9932c86dda94518620ebd395176eebd4706e92db0573cb6e4bcb9482a0a4603cfb2b3d933a3697b363e736098a

    • C:\Users\Admin\Documents\StepFormat.doc.exe

      Filesize

      512KB

      MD5

      c6764482abd311c050a29e78b1e6ee5a

      SHA1

      7582db7bf76542e45d6ee3bd1688e1acdfd42c28

      SHA256

      a0377e9dcf41987132605c7c217cedc85859f0ccd722ae3269dfdfe93f9501b7

      SHA512

      75cf0dad6396479361b99f4f97199ee179ecc49bfe9cf2a8ed4315a22b2f1825019d70d26936fecc83a275ac2046b739d4a0bb39db3fee4312ad12f67b2200ed

    • C:\Windows\SysWOW64\dxorgzmdukcpn.exe

      Filesize

      512KB

      MD5

      627e1022828d7120392c74e2f06a95d6

      SHA1

      2bd32ae171bab400e8ddf6c85730e6478cb49bc2

      SHA256

      7008667577e7b64b117a40ddf62fe4e7d3b3c50ba6ab4e7b70a685ff7e48d619

      SHA512

      1c0a49eea973369ba0097dd51d6ad79717e1ae0cefd499f2139c1dd205afeee5b4dc9e022558c4b187e8a4d10bc2f51a556ddea5bbb1120de1b3c6287832f3a4

    • C:\Windows\SysWOW64\ueldtdbdpetgjcy.exe

      Filesize

      512KB

      MD5

      a2e012193e6b753ab539a02d84044457

      SHA1

      dee32e0d09549be02dbb8e00ff53518f0420d996

      SHA256

      e193c78fbb740935b23e848b502b9edfa80bdc8f35a54a2840bafeb7c7e8c2fa

      SHA512

      a8e3f8f7b6dd7d6eb472f56a195201568838712ca542084b876d83b601a5731501ddd00b7821559b1fab85bd7c878037cd87b26ece1f00467a609e365554dc23

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\bnjwdnxo.exe

      Filesize

      512KB

      MD5

      7b894411c2fa167a1971c7b5165a4866

      SHA1

      1d9d172c1ae9460ba95adda715357fb1239a46b1

      SHA256

      d54cca17ccdb99436746b9a0c52f15e4f655490cbd6ba2a9d079b26ed7fba5a9

      SHA512

      9f8c78c912d98a572fc0af0a1bf0ff6b67903abd9fa483e58daf87bd88256e7431604954a78b99be0c438ae1153f921687ae87c7168c425eabcd9f2590053242

    • \Windows\SysWOW64\zqlcpdokxx.exe

      Filesize

      512KB

      MD5

      658b583bbaccd8ba41f05ca4da74a79f

      SHA1

      277de547553e8e77f4a3907479eba4d54b07bfe8

      SHA256

      5efe70291b3327e63ab4f206c2a5edfd183da7cc1e88792b8fee8b64146b4cc1

      SHA512

      26094dbcde105ce4e84e8b01b163b809a8cec8347a7c5df5dbae5bd00425c5466393567e67744eb80ccc4a3192e22f059e873051d26b9a34ec3ca2d81140fae2

    • memory/2444-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2632-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2632-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB