Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/05/2024, 14:58

General

  • Target

    400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    400d65415c8f91979d13ee4832cf4d19

  • SHA1

    b88b829cfa2f6f9b5bef65a6a6d077f5f53c4425

  • SHA256

    3485a0476b45b0f71bb936abc1b8da7411e902b18e1fb05d4e58d33023942f0d

  • SHA512

    7c965ea81b15847f73ef7ec800d147f4a576199bfbe6d1c67a490e79fb17e9f04ff25a21027578521bf72c30714ec6bfb9c5dd0c56714d8b75895dd70b3fbcf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\400d65415c8f91979d13ee4832cf4d19_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\seiojsltmw.exe
      seiojsltmw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\jjyrvpkq.exe
        C:\Windows\system32\jjyrvpkq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2668
    • C:\Windows\SysWOW64\mopxfuknxovquwy.exe
      mopxfuknxovquwy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\SysWOW64\jjyrvpkq.exe
      jjyrvpkq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2544
    • C:\Windows\SysWOW64\xgezhxzovscuz.exe
      xgezhxzovscuz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1040
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:328

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            6b42a39d5bc70b66d8ec8500273c16cf

            SHA1

            5d788e621246c67cce236890e8ea5b4a51ebbf5a

            SHA256

            4bbbf3a7b5989de40b15e5706d06fd435dfee8d91a61045714bcf7c380c18372

            SHA512

            acbb41f5fc1401f55a75e072e18132634cc3551a2d1e8e46e80a88ebe39ef0eb6b5fa4c661153c5527356d178c1e7070ed89fa772c5c603eafb0c35cf9b8cfa9

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            cf826d5de47c49b2d8fd3c98920736a7

            SHA1

            af2f50b2453480ac50cceca26acdf86b29a57f79

            SHA256

            77c4d8252054f325d67e8575503a867b29ecde0de0fb8f5c50816c63a761f955

            SHA512

            3e585114fdb40b54f98e7c241eb130d59c684fbbd930860d974bd3bda3379a3f48bc70e340359c12ca04f79850ecb29aa780f322cd6c65063fe69a3881ce7ea4

          • C:\Windows\SysWOW64\mopxfuknxovquwy.exe

            Filesize

            512KB

            MD5

            ec4b55d25ccd70b66f82b513d0451ab6

            SHA1

            e951d6ee8d74e23efb311eaec77b7ca9cb650a07

            SHA256

            033209c51c01cf4ccde480d8535ff9bab3157156c7f9d8f6b297cc6e971ae2b3

            SHA512

            4d6a68582040b81645be5e44c7f9c25be5716646792f459799ee9b7fafd32f84339020206b00751b0ab90b6e6e89f95b58b8637e9db174ef2a537040b1be53d3

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\jjyrvpkq.exe

            Filesize

            512KB

            MD5

            b57da6f54ee1605f63d4d5a56334798a

            SHA1

            29c781ed2e07fe41c27796eb2b9358f8c0c045b8

            SHA256

            5b173a92b2c363c1c464d12601965dac222b48c53d3e59eee6c9ec504ea7bf25

            SHA512

            5d6ce98ee307cb8f1d96d9c036e124dd08c77b5d2239a80d2ec6dcde764a66ec76286adfdec5e9e44f65538198e11da104f1394ccccf8e2daa09d3bc3dc1740e

          • \Windows\SysWOW64\seiojsltmw.exe

            Filesize

            512KB

            MD5

            1e9c439124d0ee98076bd5c3a4ec99df

            SHA1

            fea4661da71e47df17344a3e15a04ebe2a703d6d

            SHA256

            b964de1da1de303e0e5adaaaa6bc724d30748d5e34077cc096738929d0fa5731

            SHA512

            da666cab055b6fb0f6441321a0d551f57f86dedab659a3a107555e845942e7082eb9636c289db30ce54646571c8dca69b69dbbdf707550b6b3ab7c4645ff7dd1

          • \Windows\SysWOW64\xgezhxzovscuz.exe

            Filesize

            512KB

            MD5

            3063469f02d8f52749621cabfb03bf37

            SHA1

            32df5d1398cf95cbd4ddfb90be552f8659571da3

            SHA256

            59d99aa5929a7b1251f5d46b3dd7f13507b979ab46f0fd1f66ef2b5c1ef30c7b

            SHA512

            8992e221daf6ae6d507c05d6beacbf0e91c3050745c5fedc347f7edcb8c6588471cbbe89e958638790942fadfe6371c9f29aacf1717e49571c03225d744b15de

          • memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/2380-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2380-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB