Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 10:41

General

  • Target

    4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    4aabb8cf3e1c596f9948b6da31989213

  • SHA1

    5e9c5d7ecef0692af7789b4aab6a0af89c5322f9

  • SHA256

    7214770870e8f3a372e48a8c3d89d35c685e65d9be4f0bc8a7adb7ff010ad246

  • SHA512

    3b097e31fb59c4e52cb338b19e6c3acb7796c8745c74a8f55cd899fbfb0d544bbfecab7ccd90183a84e588f83474f027b6fee785c47a4318aa309e6712d4e05d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4aabb8cf3e1c596f9948b6da31989213_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\fnjkeppndv.exe
      fnjkeppndv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\oubxbzit.exe
        C:\Windows\system32\oubxbzit.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3820
    • C:\Windows\SysWOW64\stqsybwaydndult.exe
      stqsybwaydndult.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1940
    • C:\Windows\SysWOW64\oubxbzit.exe
      oubxbzit.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1452
    • C:\Windows\SysWOW64\ggqmodztrijgl.exe
      ggqmodztrijgl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2932
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1500

Downloads
