Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/05/2024, 13:11

General

  • Target

    5f40b1378c6008ef7a279764c05b16e4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    5f40b1378c6008ef7a279764c05b16e4

  • SHA1

    8314c47de49b879679eecbf041cf9bb5b6b8faa6

  • SHA256

    3077ee2ec0fc022375e8487c47461e9c9e4de480ce4b82a8c40e99a06f347404

  • SHA512

    17c074cac74fd8d904b869e9582d678b756f51c49b10015663b2209fbb54146c35b41727f9a2f691f8839f37091ee6110b046884266ffe3ea0ab4ce915f94676

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5X

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f40b1378c6008ef7a279764c05b16e4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5f40b1378c6008ef7a279764c05b16e4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\zjuouozksy.exe
      zjuouozksy.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\SysWOW64\wwzpphoi.exe
        C:\Windows\system32\wwzpphoi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:388
    • C:\Windows\SysWOW64\kzjjxewktqduvll.exe
      kzjjxewktqduvll.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1436
    • C:\Windows\SysWOW64\wwzpphoi.exe
      wwzpphoi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2888
    • C:\Windows\SysWOW64\dgyhakpobrhev.exe
      dgyhakpobrhev.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4224
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4628

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          cc1259b32e9c37eb4eb76954ee7c6031

          SHA1

          5b73c94b47c09e002f40dca6d1b79a4ffc011841

          SHA256

          d361740ab1ab86e1442b5a1a9feae83f2a298d573f6c022ab38bc3891175812f

          SHA512

          6975dd23aa0eae6d1f538d9cd0362531bb8540a43a814f9cb40ecfa45ba7a087715b48ec60a2b205f4ebd1de0eb87010ddaf1c2b85b865f068a05c36724df34c

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          5e4bdb5617988144a80d91e5e40247bd

          SHA1

          d212b8be4b74bdcac1e08d840bf65a7aae85de78

          SHA256

          eaa627bc21f99a2478f654b431d1322677c7aeb2870a835cce763e853982d308

          SHA512

          d0b8dc18bdfe31bc1dc5a1c95c1b1345ca38340a85d9406d34d02172194e9868208253d58385902ed5d065b6010a619002232eeaa43fb72842f675f6a8cefcdf

        • C:\Users\Admin\AppData\Local\Temp\TCD7C6F.tmp\gb.xsl

          Filesize

          262KB

          MD5

          51d32ee5bc7ab811041f799652d26e04

          SHA1

          412193006aa3ef19e0a57e16acf86b830993024a

          SHA256

          6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

          SHA512

          5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          12b138a5a40ffb88d1850866bf2959cd

          SHA1

          57001ba2de61329118440de3e9f8a81074cb28a2

          SHA256

          9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

          SHA512

          9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          274dea41722b69f757998e2965e25716

          SHA1

          9b2a7d88f3c60ca57b39c31594c9e6b5d51e238c

          SHA256

          deccebc9af203f4a9ce271a1e91e023c49d10a898db5a4932a2749b99081df9f

          SHA512

          ddbf097010e9e386a13fed05d69be43153cbbfefd086db72b59fecae4e436ef206fc32126ec717f5d6fd6a300bd605fbe1faa3d7d0e76be1456e62cdebb15f36

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          cd0706fd35a14497db7c65c21d47203e

          SHA1

          c603a9e21ccaea75eab5f1aee7f774dc23e7fb0d

          SHA256

          26a48679aecc7a5f1913b3ccc8bfb3e3d0dba0d17e62329befaccd657e889fd1

          SHA512

          e3b1a8b9a36f571820e85d64d3c51437d69d828ab91bd1627c9dc965187ae0399fd61397934d433c11a05480cefbfbf549c05fac12eda8d4f756874ad92f302c

        • C:\Windows\SysWOW64\dgyhakpobrhev.exe

          Filesize

          512KB

          MD5

          c2a3869c743bb4fe47968459a720a150

          SHA1

          099800657d243c8c64cf2c19bd69dd8d9f9f05dd

          SHA256

          6b861084ce901b558dd6570b922e6a406886d8012bfd5fb9ba41fa4d7f061f3b

          SHA512

          d415a4f460b7615b3c29b0489914172bd00c6b1b55e3779c331792aab599a9218a5de7786693b0b027d0f8481f7687f97ba00e71cd460570cd628a4c5be4fa55

        • C:\Windows\SysWOW64\kzjjxewktqduvll.exe

          Filesize

          512KB

          MD5

          1b4cf5edf26ab237d43897cfec8e4e6d

          SHA1

          58de403e760b873d6343f6dc4cacf16f9416df04

          SHA256

          db7e8a2207b406f01c473ca7b150c5bd91f63461bd1ea4c27d8e9578a687e4e3

          SHA512

          f2cdc560c447ca32b3006e6d396a1632552536095e803b35e055def859ef31d2211756272ff7aa41834d3631ff9d20b73929431c482b28b54c4745f5c54e3bc7

        • C:\Windows\SysWOW64\wwzpphoi.exe

          Filesize

          512KB

          MD5

          c113b7739b86e88ee7a0fb6dabd75793

          SHA1

          cbe4ef5174e08bbd6cfea5cc3db8da59e282fa01

          SHA256

          5712edd2f5c98ccebc6ccf8b5587b43ac1f5756d49627c197f31a2b9635c65b2

          SHA512

          5b6cea7929203cc755ca5c422273dac232110e7b047b2ccf633d1c9c43375fceb09c206b0ec6cf22944041f3dfe05e0c17822965af5614583e96662214563325

        • C:\Windows\SysWOW64\zjuouozksy.exe

          Filesize

          512KB

          MD5

          db1917ee4941e904ab505c3a3b653ac4

          SHA1

          0904130a0e9040cedd97c1010ee5a9d5d774e1cd

          SHA256

          c9e570fd5409b854c096451b1080f59da5473e14124eca25ad63dbe73331cc46

          SHA512

          7ebff713a79291088a542ab7ef1f2c1c5e9e6eec4ef2d795390594c4b63301c296c4175e627d9b9370e2cdeb31654eb7e178433fc0f3ca322183ba49e966f871

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          51fb51b9022bcc36b1f3a343ab6e6784

          SHA1

          cbc6a74e333d7c75b5a9fab6339a8f9068ea6ff1

          SHA256

          afff034dfcdf7a8093114eb7dfe4499760a76b20030a4618ede26d6e27ebd25d

          SHA512

          077b0d742425ab143d40e40ceb62cad621b1a96e8649ddae7bdc3f5cb45320a55d4cf449402ab93b59f880bf592697a4234c7aa1a7b17cdcb455d794042bf456

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          63841dc1c8e1c8b33d5d72f0fc117d9f

          SHA1

          c3334499b1fbd26047da392befa52e2b9af01b45

          SHA256

          177082380fcd28a50f5c097b4c492cadd44bc02450d0355e5c657ad472d1847d

          SHA512

          2e5f5e43ac5320f60d1ae58c5f3aca2a315c8e8e39b5b7926ab0773d66a59b3ab8e7fcfc7fc7940373ccca2ebdc7f2880b39ee826484c5189a59df5a670b2910

        • memory/432-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

        • memory/4628-36-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-41-0x00007FF819B70000-0x00007FF819B80000-memory.dmp

          Filesize

          64KB

        • memory/4628-38-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-37-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-39-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-40-0x00007FF819B70000-0x00007FF819B80000-memory.dmp

          Filesize

          64KB

        • memory/4628-35-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-600-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-599-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-598-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB

        • memory/4628-597-0x00007FF81BF90000-0x00007FF81BFA0000-memory.dmp

          Filesize

          64KB