Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 08:02

General

  • Target

    3e7da65e4464100fe04628d920e52f38_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    3e7da65e4464100fe04628d920e52f38

  • SHA1

    d29b7aabb30f052964e86c0e54687613e5729ecb

  • SHA256

    546e8920984bcb58f73d4d7c6a8a5cc1b201807da16ee7396a50c0ab13b622ba

  • SHA512

    11631b9e8dc4b271e70fd662e7738da94a939bdcb0a3c470c57eb7c7a6910fa508c7bf3248f48c0c3703098937a1b5f85b1e1c9d9dd2ac9e8437e6cccaecfcc9

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e7da65e4464100fe04628d920e52f38_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e7da65e4464100fe04628d920e52f38_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\ehslnoypho.exe
      ehslnoypho.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\qzjhoeku.exe
        C:\Windows\system32\qzjhoeku.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2472
    • C:\Windows\SysWOW64\zxtaytfnuernewb.exe
      zxtaytfnuernewb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2652
    • C:\Windows\SysWOW64\qzjhoeku.exe
      qzjhoeku.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Windows\SysWOW64\ygikfkrysrdfh.exe
      ygikfkrysrdfh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2580
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      388f00a9e461998ef7a7f5d7b6a795ad

      SHA1

      7d575c43f5f308a9a7c8cc7b6c63dab1aeae3fe0

      SHA256

      fb6c870b0a9d1b8356f64ef97208b6fc3b2c42413269da1b4117a1307d00ba13

      SHA512

      06cc2841f1af06a348957962080e633dfdf4d007b391e68030070dae9fd84b3f3bc5eb7e40db68588aee915622234c1a33501c43907a7be0bfce76f3f669212c

    • C:\Windows\SysWOW64\zxtaytfnuernewb.exe

      Filesize

      512KB

      MD5

      c39cf95183fb0c685af157c8900a7183

      SHA1

      818729bde93690fbd8984b890e98e0ce52e8344b

      SHA256

      5c7ff332f565e3add79b5236f5df241b9d18d713e1cd74ca1809b08dbb88069f

      SHA512

      cc5f2071e5e0ff0e70e27deae6ab99d71bc6c98f00be43629a2046147efcc9f4c368c292a8c4a651be1adc3e242a3a04e10cc914439d02838d0a0c2de7c08a1e

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\ehslnoypho.exe

      Filesize

      512KB

      MD5

      f7ef33b86f7ae2fd607f429f2d3decba

      SHA1

      17d14ee3647ab13c52db2deade18f9b1dbab94e2

      SHA256

      608b3954966d5dd6c6b4b2b4d3d2a57020052324cc1ce757ccc5accbc6428eee

      SHA512

      854e4f2a364e9cffa70e058e5cf6a15a43ee10cb931ae7a48b2080462b2960d0016ff300258c0bbe07a9c1c1e1aa6735e455fb385396462663d585fa3b2ae983

    • \Windows\SysWOW64\qzjhoeku.exe

      Filesize

      512KB

      MD5

      4e84134b0c73810d8fd946040d99ce61

      SHA1

      0f4af226f0ed65f9ea09f678b8d13ef06cc5bea1

      SHA256

      45384639e144c78c756180e86e05540bc931adb6d0333970949b030ffdad4fc5

      SHA512

      7e3682fe50117d44fa0c2d0eebea55f1b8142f4925252f322bcc3f0f85a3c2ce6ec5882315b9145b345360c1ba55b669abc0de130cdaa6f09040fcb637632250

    • \Windows\SysWOW64\ygikfkrysrdfh.exe

      Filesize

      512KB

      MD5

      a8ac70099fd3848019f5fcf30cc3eb7a

      SHA1

      074aa14cd09722219c4b8088da2c15ec60864204

      SHA256

      769757449cf3e2ac14fdc03ec1303d1a57b99099fe1ed64623b48c7f88e3c75d

      SHA512

      bbfcfb88850cf6057eac3d380c761c93bcd346e86417f6c4944ac70f8472d8c44eabc0b8c158ebb0d2be84e4f98d2180869ebcad3f95a304cfa8c32323ce451c

    • memory/2620-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2620-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2872-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB