Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/05/2024, 01:17

General

  • Target

    61946460ec904339300b33a8de9119c8_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    61946460ec904339300b33a8de9119c8

  • SHA1

    94876e0ba48f519f4c9d0b4ba2510e98f82f34d8

  • SHA256

    4df0565f6ab8c9290a568a0bd3a4dbe0b0cfe5b21c2ef442ee6aefee43f384b9

  • SHA512

    e87df94730df77f7d38addae21ce137dbf412ec714b2fbf970ac39ec700633b47e6078d8bdc6871e498935be77f75b0a4ee9f96bb8488c23df252fea3bb72078

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (6 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTPs, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\61946460ec904339300b33a8de9119c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\61946460ec904339300b33a8de9119c8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\mnznlnpkug.exe
      mnznlnpkug.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\qxezgoiq.exe
        C:\Windows\system32\qxezgoiq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2576
    • C:\Windows\SysWOW64\txsiojxctedskmv.exe
      txsiojxctedskmv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2552
    • C:\Windows\SysWOW64\qxezgoiq.exe
      qxezgoiq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2544
    • C:\Windows\SysWOW64\avphwtqtzmdxk.exe
      avphwtqtzmdxk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:952

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            33f3d0b75e83ab9f458b067f536871df

            SHA1

            222972196ced41b20c2a2c5dad70978e2c046581

            SHA256

            0950bc0acb572caabae7db86b208b78ef4f16c8963c3add7815ff460a37ee116

            SHA512

            760df8de76b28ea2ae72dbea6c56f01adbb48fef5065f37da41efd036e1a4997bdb6ffa45190199e16bc4915ea1bd1dbe24f1e57156f6a410f01c31874869123

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            0a38f477862904491d048af1b3ee7bda

            SHA1

            d11af3ba6993ee9fef8dc31e5132f9367bdb03d8

            SHA256

            f109ca777624d883efe41a4dcb7dc42921127d7af82c73abe78af0bbc21cc0a4

            SHA512

            5b5bb8eadc1f8af627664060d57a7790c20cdefce7c1caf09884356f740f83924b7346f20d93c3382cd10b74d29461d03fecff1b72c7a2d8fd1b4e0d3343c206

          • C:\Windows\SysWOW64\txsiojxctedskmv.exe

            Filesize

            512KB

            MD5

            6ce0f60e2bc415f149b942760dc4c1ad

            SHA1

            5de934060bfd5f9918d83614bdbb8ae7d0a74dd3

            SHA256

            f2fe9a91bebe44484a30780e9c845e889eadd710e960d546f3f57d4d61418036

            SHA512

            0029d4f24a43a35590d7df2861f724d9187132ec1e5be93d8859b16bab5f95c0acd44c064c1ee5c0afe9f5fadbec92b24e1d9d5101ced2b0431a577d4f83ca5e

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\avphwtqtzmdxk.exe

            Filesize

            512KB

            MD5

            45f2253d26adbcb9ff05882a3f29f265

            SHA1

            b6a4ee69537c0cba36602ed81742a69e7674a790

            SHA256

            9c6eb3f73483914b0000aab7c7115109678b25a0a3a20ac84fae97b1c012edb2

            SHA512

            c7d4b973bb61e671d9c1de7e0c3722266162e12ece461cfb99fa2bc176696d20b483952bc205cbf0cd982b246ae1799da74f0484354fbeb17f4b2ab03f4ea9c1

          • \Windows\SysWOW64\mnznlnpkug.exe

            Filesize

            512KB

            MD5

            bf30d4efb87b67be3341c8aeb9f1c862

            SHA1

            5ec889012007b946dbab29ad5dcf503022a941ab

            SHA256

            d03c9a9d5d3126b09c0c726760030bf3a5f406e2308f68b9bebcb1afea7dad39

            SHA512

            9300018ed3cc27bcf757c0c6df2e18a5663f117c5c829e95f05c2702730c6e7cbe7e770bd2b260b5d484477725a1b85f42ba6b901cd1f63b130b6a7222f8cc72

          • \Windows\SysWOW64\qxezgoiq.exe

            Filesize

            512KB

            MD5

            44a91e41952b52341b522ce85f6cbb6d

            SHA1

            17ae1b33a7d2f4026498950ae926b28ab618109c

            SHA256

            b522945747341ae0734fef31404d0caac882f84e2250fa6780d5cd06a3d6cb44

            SHA512

            a9d2df875b02a36e79508e0d427985264bb63c1c7ee30fee0bdda3c9a701b6898dbcc1edcb3072d5ec300697f46116b861dcf4dad93d694320311e85b494ff18

          • memory/2128-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2128-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2660-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB