Overview

overview

10

Static

static

5

49b906b736...18.exe

windows7-x64

10

49b906b736...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/05/2024, 06:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49b906b73640866936f17c7b6b9dd88b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    49b906b73640866936f17c7b6b9dd88b

  • SHA1

    d37069d851ab913e06a657065d494a6324db9337

  • SHA256

    4c2b1ea41b077f68cd3e23c183e1054a65c7c3039eb3c535e50d339b6bace341

  • SHA512

    32752875b11178ebd7118635c3ee4f2a43732fc6d7e63416f3b8d0323222ef5f9bce83760c0b0e3d14b3d08774b5677b363bca32c90e97de3318f8f00c39d0d4

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49b906b73640866936f17c7b6b9dd88b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\49b906b73640866936f17c7b6b9dd88b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\oldvozrhfy.exe
      oldvozrhfy.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\SysWOW64\fdskgpoz.exe
        C:\Windows\system32\fdskgpoz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2464
    • C:\Windows\SysWOW64\xuarwehvfabpiec.exe
      xuarwehvfabpiec.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1508
    • C:\Windows\SysWOW64\fdskgpoz.exe
      fdskgpoz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3116
    • C:\Windows\SysWOW64\ufqkymchoxuwx.exe
      ufqkymchoxuwx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3112
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    651b18b03a97ebe2b168323eb4fa6841

    SHA1

    abd714210e12fc23cb17f791a33065beab55673e

    SHA256

    3f187abdd44f46a035bb0134b417bae07e4e06f7dd222ca28323f052a5c560d1

    SHA512

    e1dbfbf296eb0b4f8eb405f996ba6d237046fd5b56ce46bbde91561cfc538f67c3889ae049a83c99aa0a67b790422fded19db703d9a497b0cc180be4b20bfeed

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    3d3d67ddd952e65e2ebb15b0f72dbdb5

    SHA1

    4f1bc904350b5693fc4fffabae4fbe6b69e6c578

    SHA256

    a20eef82facc1fa32cac7e68b1349847347312654d6f9315ed7e4393eddeda51

    SHA512

    190b9c895f28780eddbf2ad8c85b58a010a5d4b917505f99022d8fde688398695c3cda51cfac1c7f224089696c360bc3011dcd94f2163408edd632cae1efdc7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD84EC.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    9c0c0f59f14a3331bb5587e38552a942

    SHA1

    28933573a3d4754da496b06e51e24c6e634f955a

    SHA256

    e08ec61807e88cc7f45df5266aaf7a2f79ad045c2fa673921b58a24e3b45c815

    SHA512

    e2c27136cac777dea1503e48990900a224688b8a9191c9e56f42e2ca1a686edab952aaf26c1c2fd93cf7bac9b6d07dcad8737fa2bb2d8a039891a7629e3eba1a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    5e92fc3b8af01d0864b68f422a932df1

    SHA1

    8c7006b7bffcb4929da0d527adfe08822dfc7096

    SHA256

    fc9a7ad01632eacb9eeb67d1ef83de6b01776d037b9231c2d5201f0cd9f6865a

    SHA512

    c9bf08c964ca6c390571b0cd50c56c2ce3dc4a24cb43c9bd96927847a5f6ffd6bfb9d1404d0d274529561922e55bf77e1a78c583ae06d6855949416a1ddd2423

    Download Submit

  • C:\Users\Admin\Documents\MountOut.doc.exe
    Filesize

    512KB

    MD5

    ceae264286d5b9708b66cc105d480cb9

    SHA1

    a630f9b4afb766dc59a83a0bb0582014a897cea5

    SHA256

    d58feb989cb7468122dcb259d954c769e820b932f82a186db18150df65174255

    SHA512

    b37603b0df19952fcf4adb07d1ebce641d20c359740dffff6a261d1a7d6f0e884b6ec27aee4c1a4fbda584a5d7ac72a0c18f3113711bba2bce6b031a584c85a6

    Download Submit

  • C:\Windows\SysWOW64\fdskgpoz.exe
    Filesize

    512KB

    MD5

    e8b9cd5d10eefb1d7c0515668da82cac

    SHA1

    5868e620056daea6f0857f630c789744d342eab6

    SHA256

    655fa8b6e22dc5ca4f7f610e94fa360d69cc685ec9843d45c161ad8c0fb48b58

    SHA512

    0056d420234040884c73abed9630227afd41d02604e8c1ba8d542c57eba6b16f9430c5e234363ad0cb304f1e77b48dc0d462c57885cc5fbae686ab8c369db351

    Download Submit

  • C:\Windows\SysWOW64\oldvozrhfy.exe
    Filesize

    512KB

    MD5

    82c2ac6dbe0a15d8845742620d68602e

    SHA1

    8aeb2ed29cbf7469fd90abfd49a9ee9a6e404ee8

    SHA256

    c7f29410678a54b470e1a16aca20f86efaca2625e8bc1d271ef8a1519884ff2c

    SHA512

    30a70f883ae84cabc8229b6ade6e994d9d063995679205489df3f41cc44dc1b25828a5b068e6759427a31e6e42d0aa66c65a9eac62313cb0538cdeed18b90a3d

    Download Submit

  • C:\Windows\SysWOW64\ufqkymchoxuwx.exe
    Filesize

    512KB

    MD5

    a81e9875cb1375e8e44a7e0a9cb2ba60

    SHA1

    46bf88d889035360e17cf84f4746d41176d45a0d

    SHA256

    ad490f1418ecc6726e6fbb2493468465515ce2a5cda62566a09ded1e6cf435d0

    SHA512

    21649c9f8b4d8abdf925b6cf70c727da9fed9b524f1ed6b65122deab3eb184b2b2f1936c0d2b85885c45e0a8ae4e6932e8ad6708bcbd88ce64e12d5767ab5b19

    Download Submit

  • C:\Windows\SysWOW64\xuarwehvfabpiec.exe
    Filesize

    512KB

    MD5

    768d14d144c1b913e8cff9c2797909f9

    SHA1

    a9399caac9b3627caad8bf6b4c90af1b058a1b59

    SHA256

    98830d27da3958842af01703736ac82d8c3e8340663c245d51f796c55b7142d5

    SHA512

    53113e400df5ba7ae5bb2ba988bb948e004c0887940379931420cc8093d11610684875c73e2e135f2d3b07b145d4a46f8efba088644cc764b06f46b614ab9611

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    3cf2f4c79641305513476a0546633a33

    SHA1

    f4aa1a54502e74750c2a1127f3ab22024ee27513

    SHA256

    0c8a15ef26876c3ed79fddaaeda906f2b86337d33bc1aebc53e29739a16032d3

    SHA512

    8a89e56e0d41b6e2b95cd159610fc5597b9108badb71a462ad234be2833d1552a79e5da800ff82e72a193741250681f12a8b07107ac1bbc5a9e81f415ca04c10

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    3fe7304f69e087be43477e89daa0f492

    SHA1

    9cf21813b8169fafb53d8f9acc5047bbcd107564

    SHA256

    7119b3a1f8c0e4fa7dffbf5944b83604e5e2b113595a16cde9fbbbd71783a32d

    SHA512

    1341a5b88be01de9853f1f0995bc13ac60b22b2291eaf7eda3f84fd995c31dae2063d38209031c0cc81961864a856231590daccbafea689d048fb6d732c80291

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    337d941cfe67e6377ce45d75c66bcc86

    SHA1

    21cb078ce09e597cd5ec5b36e2ad7fa19763df38

    SHA256

    df4b3febb0bea7983f585ae4eed6a31be0c5687a4ed4f204764bdaa175f12c5a

    SHA512

    0419704805c07d3c8fdde778a1ab93d63d0bd7e46696e0a57a2da9dea3ea8c2e67087bd6553c747d00c3855be90999597ade0c389609d3a66f7c06f8b88a6451

    Download Submit

  • memory/2848-39-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-38-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-37-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-36-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-40-0x00007FFA0FD80000-0x00007FFA0FD90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-43-0x00007FFA0FD80000-0x00007FFA0FD90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-35-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-605-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-606-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-607-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2848-604-0x00007FFA120D0000-0x00007FFA120E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download