Overview

overview

10

Static

static

5

4583dc20ee...18.exe

windows7-x64

10

4583dc20ee...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2024, 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4583dc20ee9c673bfcd517fab7d88bbf_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    4583dc20ee9c673bfcd517fab7d88bbf

  • SHA1

    cc4fdf65702ff682b9e1692ce83aa9d3e2828111

  • SHA256

    478e070b3f86342ff2fc22562142633932121d6244bb55160ae4713159580cb1

  • SHA512

    d06f549136eb15f83001f405a3005594b1544e9944c14c1c85eaf57079fe701ef03a729c29a5365321a63fd909f51b889a152ec16fd01f89c257056edd7c9d97

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4583dc20ee9c673bfcd517fab7d88bbf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4583dc20ee9c673bfcd517fab7d88bbf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\gdprbmnqet.exe
      gdprbmnqet.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\lsdmxeuy.exe
        C:\Windows\system32\lsdmxeuy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4560
    • C:\Windows\SysWOW64\teuwlkgtypbfghf.exe
      teuwlkgtypbfghf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1288
    • C:\Windows\SysWOW64\lsdmxeuy.exe
      lsdmxeuy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2720
    • C:\Windows\SysWOW64\raxsqytfplhzl.exe
      raxsqytfplhzl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:996
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    4b207314bdd7ec8114bc5867fe964e9e

    SHA1

    7d6f16fb733ae9a4b0067580f459e411878499f4

    SHA256

    28dc6caa0eae0576e58b2711f3ae9fc51302eb0e940d5559602e22afa1076b50

    SHA512

    8663804d9a38d5a14dc932ddc11cacc012882c5e8a9020cb9fd590a51c5149df4a219dcb79ce24cadf28bbf2ff1934a7506695830719c54406bc3f6324d7fe94

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDD3DD.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    d0e985a23599c00e92858891b7fbe5f2

    SHA1

    b3e6b46b4a644986829ca86360f0505d42e08280

    SHA256

    224bdac9df25d6bb70e966203956e604addd1de10579514b5a7275a4f470d981

    SHA512

    adce27426374abf34f824c0a994cec851ce811b0d01616c6a241db182c98250e61aa40cf835c565f3610ea03678df4552364a0eba183d4f348890caa14dc6992

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    0d4bbb41bcd7637e5c50544887bfd4d9

    SHA1

    2993054b24a01191d5c6931072966d52e45703b2

    SHA256

    adfbbd673a78e476aebfa5d467fa83643802016cbb20e555d5ac6c1dbbe7206a

    SHA512

    2a50ab9b3971949d7fd38e7cb4a7483bd5b25aadf597e7e1afdf91b9527ecef55b420937921156c8b5c7873c65c5e4ace6bfd1d62442c35a73791ca4576d69df

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    1ae48c08f9173f46cd7998e5a731d187

    SHA1

    439f6cd580804528e6c7307baa7887e9a3d568fe

    SHA256

    c10dd0023743f0027e8dc36879e6953f97183f6097c3c47b734de4c2e751f736

    SHA512

    184e8718af828552d9dd9e158b619b1f5b74f05f3e0a9e8325cc6dc601d6eada7ad4ac5dabc0dcb835365f4c695c23564a07cb724bd39cd9a5248f519f43427d

    Download Submit

  • C:\Users\Admin\Documents\LimitUnregister.doc.exe
    Filesize

    512KB

    MD5

    8fd9c5a74546751e11e248b93d543101

    SHA1

    d4d9702e600f53e83ff43360e28890addb4ae80c

    SHA256

    f93089638b646d32a791287f4526f4060a5a840aef5b0e4bd2162b367053451b

    SHA512

    082d8c15a8ca6fa1c3585b14a056cb53ce946d393007ad2b16bffa46b231ee6a41c08b36e3edddbbde880c55373ce7d82ced5a9f34013abd6895912a42941108

    Download Submit

  • C:\Windows\SysWOW64\gdprbmnqet.exe
    Filesize

    512KB

    MD5

    e4eda183fa2a13b46aa883325270529e

    SHA1

    1c0f62ba3329ab40750881c3f024c6e62cb4a169

    SHA256

    30b2fe84708eea1a79a6bc9d63188cca35c15eb159e85fdb92a1f69680571618

    SHA512

    a1d371fccbd1eae4928a58ae8afca086066ae9779e24a1894d2aec9646273f2333777ccb0e5506204c7294a9d59c3560695e4669578d7e2c58a222e397317632

    Download Submit

  • C:\Windows\SysWOW64\lsdmxeuy.exe
    Filesize

    512KB

    MD5

    57211bec8187c4875de1f7582b0d9244

    SHA1

    3dad6ea98ab67d64b6e0ad5d746572a5b899bc33

    SHA256

    485c605b59a92a8e57e3054b33aeec6fa7e53f8a73bc093547985372b142458f

    SHA512

    703305bbe9d2c7f99ac4e033f612d8320f9a232753ea397de5f82f593a8237acfb5163319d15d3bfddf715daf3f550d48da32a10fccd1695deffecfaaa6ca467

    Download Submit

  • C:\Windows\SysWOW64\raxsqytfplhzl.exe
    Filesize

    512KB

    MD5

    9b0e1da79f03fb6981b47b42b8162737

    SHA1

    61b47ed3e7dc932e2d7fa65ed9026bff6ef2c712

    SHA256

    ffa5c2bcfef9f3647bee7320bc83238bfc509a3eb133225c8efac70ecaf96eed

    SHA512

    50c42e62fba5fb2f823e2149c6216195fcee7e7d68d6dcecb7846c8a64fd379c2dee372294a2017c56740829203110174b0b20438a877e73b2461484872c902c

    Download Submit

  • C:\Windows\SysWOW64\teuwlkgtypbfghf.exe
    Filesize

    512KB

    MD5

    604a5fe2ee29dc7bb6656bbeabc7bb0e

    SHA1

    698664d35d38e06a3948aafa6c44e7963784ccd4

    SHA256

    fbcc2ebb5e8b1f44bdbc8a366ffa41dfc1c94dcf6753cbc04bd2755860e5d270

    SHA512

    49e25fa7754aaaf5fc53a450741720305df7273fb0b5205ee3f59a6252fe641a5ba9e1f660badf39e068fe26f46d5cc11f94b05b17cd0d77d08dc4393a01eb8f

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    1d239499e4d1717385471023024a7248

    SHA1

    ce80c05c146aa8a85ac354d2483d85b51a1c0c36

    SHA256

    911b9e759b874203c2df6fb832c195fd7227bf5848ae676c984c99f4901b6d79

    SHA512

    81efc6a46dd3dfdf04e41a4729af4595ba85d8da7005d8f9b198f7685ca5f472314b0508e806cdd6f96a271b09f4ced051bb7234cf8dc384f16b381e23edda6a

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    de37ffd864b401d2703c3cc55324c51b

    SHA1

    9b0380a37b481bc9f49ecbf782b48a8f2356e08e

    SHA256

    c5c0c74087612de457f9c5d625d7d7f155c1465a093fb568a30817fa3b3fc087

    SHA512

    fce6b736defb0ab7e0792dced0e8e8058611e158c5ff1717d3eeb269365951a5c54233eb6db9b16039fb0f7855b1c98be620bee45e49b9d89614e6339d099fbc

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    b0255a0e6c479585fb1c9ffb1ffb7e26

    SHA1

    3e7ec1f467735649f056a3288efc01de35142600

    SHA256

    227845564136b3650819a46436a00d8c9d0e5e5286adf1d9a7c118eebe127449

    SHA512

    cc5dd842c19e9c526b4c31a48ee899bf6fb69057f5e728e90df526b27396f8b618c9cc3127e5853d85fba083895464202bc2929d0c1a8a4e951ca021e8ce3bb6

    Download Submit

  • memory/3092-41-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-43-0x00007FFB2DED0000-0x00007FFB2DEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-40-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-38-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-39-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-42-0x00007FFB2DED0000-0x00007FFB2DEE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-37-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-601-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-602-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-600-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3092-603-0x00007FFB30030000-0x00007FFB30040000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3980-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download