Overview

overview

10

Static

static

5

639af61a7f...18.exe

windows7-x64

10

639af61a7f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    639af61a7f9db6d40beb8382cb29e66f_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    639af61a7f9db6d40beb8382cb29e66f

  • SHA1

    f609ab5d657d62f669874f3e06edbda0f14da3c0

  • SHA256

    6b75040a0eae59bc200012e10a4e45d0026b5fe5ea9fa57dd7ca12cfad6d8793

  • SHA512

    1de173bdd18a4603ff2468c942af37095f106247fecfec02991cbb0bad9b68745c0c48b63d941df6396a6c6c72e0a3a0ab3df5dcff9e9c0b56228a9a6842f785

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\639af61a7f9db6d40beb8382cb29e66f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\639af61a7f9db6d40beb8382cb29e66f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\wptcuvlgnw.exe
      wptcuvlgnw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\qjiwusnn.exe
        C:\Windows\system32\qjiwusnn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2544
    • C:\Windows\SysWOW64\voxmggacqncubdh.exe
      voxmggacqncubdh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:548
    • C:\Windows\SysWOW64\qjiwusnn.exe
      qjiwusnn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1596
    • C:\Windows\SysWOW64\rhzyucdsqcodg.exe
      rhzyucdsqcodg.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2388
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    54ed06fa8a41b9aedb012b77b1fe20d9

    SHA1

    99cc67a641d2df12f186984fee5d21702826b973

    SHA256

    e3a3d890b7fe05f69db73a6f2fc5ffdc5b0cc8c8aabe4e01b6cb8401625ce444

    SHA512

    6f894e66bac488e535412bc5182e1c96074e7b9c2e7ff5a490946eee13c2abe374bbfd86e26d764fa19479c471723838300c7e431a8b924d607b7adb4134ef69

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    6cbedb7649ca434dee0846537aa0042c

    SHA1

    68f27a72b3d092407c6500b05bb0c4804a775ded

    SHA256

    97ba5ea8698a40857ce9f35e4063bb7999cfbaca06f315a221dab467e3c56df4

    SHA512

    64444e061c86e93d175f18ad5b3b07c135bee20c58f61bfe39d8e66e935170b4e88d565b3db445644f719e450890e9fb8922daee3577a37e93f095f8f2bf1d57

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    127581367da569140b90abee32bd9b5c

    SHA1

    b877733766ddccdd57b327cf7db969bb8bbb432b

    SHA256

    96372e9acfa83405e61e1667fb06b9a2a5c7f7b1be075b7aab04a7248b30abd2

    SHA512

    5ebbb2074dd01cc5f7d89ba3515f4444faf7410be2dfbee4b945faf1412d17d6e710cfdf55accf7644640ea778a12000b712c0048d6d0a16a0852a76f432ac2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    3aeef6db58dac8575eab1d20a7fb05b2

    SHA1

    b399f22f9d582fd7e955f6b35b43cc95e7cf2a3a

    SHA256

    c78ba511435c68f6b9c364222a9e6535df647ca726c13566e550d275467fc784

    SHA512

    1249474ef69a79cddfd0d1de53e646554ddd8487fc945092d40e054c30c9a03e2e14971cb5e91ea730c7070b27c1c63f796cb167a0064f4fa718ad227ee81c0d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SubmitReceive.doc.exe
    Filesize

    512KB

    MD5

    f240a7bf6559fc612e5bbd782e6a97ba

    SHA1

    2c00b729720a6b82f8c91f79741d0798004b50d3

    SHA256

    b91818469d28b50c40544ab769c4ce48874c8d1dba911c219487fef0145fa83d

    SHA512

    66be05e93f2d42a1083b7921e8391692eb2b84f735e70cb14b011c0498f7988228d80858ec6f60776bf19b06a83e4fbaa1f2c454b875ce962f17f8a313df5231

    Download Submit

  • C:\Users\Admin\Desktop\UninstallConvertTo.doc.exe
    Filesize

    512KB

    MD5

    4f1d1f3c9ed6e3d0bb93947c76358a1d

    SHA1

    bf2928b92ffe4851efee097ee7f8c61af77c005c

    SHA256

    a8f51d0587c4122f867449d6bec08bb53f05e1c359cc0d90ab9f8a3acef992ef

    SHA512

    a22ee30b5db83436ee8a68d2de9268cd9539b12b3a057a51468a295b521772d019b6cfafd27edf1b7ce80e1d9b4ff75cd34b0e5928f7b9b714847d3a54f0af76

    Download Submit

  • C:\Users\Admin\Downloads\FormatPing.doc.exe
    Filesize

    512KB

    MD5

    3329e4e43fe6b7c8cd029faf4ce3fdd4

    SHA1

    c826742995775aab7b47ef44b40a30d216b62554

    SHA256

    5c1f4009fde927d4c261467e48198e0d077222569dd38cbf1c2c940ef0308975

    SHA512

    c29a0b1219b82f5d17ad6337ec141889fc5a59c2a158255c9443f514aba76cc0b8c762d67dd29ba8d2c2477b055af463115dcca71602b8b5ff7cdb4541417c16

    Download Submit

  • C:\Users\Admin\Music\ShowStop.doc.exe
    Filesize

    512KB

    MD5

    0ad4b493e3cdba719dde19454325d128

    SHA1

    7c6d2872a9f7a3c1b42f128e84506102f879a907

    SHA256

    6caa20d24ae9d11c68349cd40af96df1aca9b4e89e9b574aa14d80a052d926b7

    SHA512

    4fb6a7f4ffc107a09819e2a5ca957473f8ba26be39d50c337b89afa96e3d2ec812b9835052de4f16b423f088afce920cf3fa6e5eda237c697cc4fbb176cbee25

    Download Submit

  • C:\Users\Admin\Music\WriteJoin.doc.exe
    Filesize

    512KB

    MD5

    fc8507bbaba805830424932bbed0d48d

    SHA1

    5bd633512fcbda7c2f5973a34dca0ee4e2ad3403

    SHA256

    d43b97ec4589d9893ad3741c6d68b13ec02f86cfdaf85049a3ef637fb2c41567

    SHA512

    7f715d13dc3ffe88f401e32327dd07daa09e4f97df908f40638579e17a6e2fa14247ae1189c2c50ae03aad410ba18cfa3623b039a1def2bc3414ec5abbabbf91

    Download Submit

  • C:\Windows\SysWOW64\qjiwusnn.exe
    Filesize

    512KB

    MD5

    2bdd8407e0ca46d963362160af4dc95c

    SHA1

    51fe7a8ea300545e067eb78826517b233505db2b

    SHA256

    e854a2926b7b3c7dca606ceef97ce5aa6a2760afad18bcbcd86aa097a5658dcd

    SHA512

    a7416fa7e2e1fe4e64db27d31cac46a71c2d3ce4a8ab235b0fc72554c2a0b29e6ea9a05f231c46313f2983bbc5aa6bd8fa2521e09b5dee2d6110e9dff514306f

    Download Submit

  • C:\Windows\SysWOW64\rhzyucdsqcodg.exe
    Filesize

    512KB

    MD5

    d61fd94b523a7af7a708d832218063db

    SHA1

    828bf3eaf902aff0e75f0bc0beb5662368f852d0

    SHA256

    b3efc3b7394fd34fe8ce38104215bfacfc135360eba398f1f88cff26f190f151

    SHA512

    7f1b8f47f6f3a0252135257fd533fda0fa9fc637f69ffd55e453d6427a842b5d44569ab7e4e69bf2431fdd54eeca80328cbc234dec62ca4915e8da12dd6a6288

    Download Submit

  • C:\Windows\SysWOW64\voxmggacqncubdh.exe
    Filesize

    512KB

    MD5

    1b5c63a72b2ced9bc0086548b2afeed9

    SHA1

    f69117bbe364a5a20059eb246a4a271773ff9f71

    SHA256

    3c89c02e8a60e9fa3f7bf8b42fbdd7565915a54cbf76ac3059333db31dc7ac23

    SHA512

    a41a61a82189556b2054bc6a57b3bbc32b62b587d3bd7af0535897e7bddf8568fbc553247f83c94e2fe67b6c77e2228107438b39004c715505cfaf61463b9370

    Download Submit

  • C:\Windows\SysWOW64\wptcuvlgnw.exe
    Filesize

    512KB

    MD5

    1b474517f4d91161e98dd4db50ac6382

    SHA1

    e62eea2c894f631625481583f56722b4687a5e47

    SHA256

    d1bc4709670ee8b76dc5c58c32a206e2c6ad79611d7647aad3073c2d61f943e4

    SHA512

    78888dd69bcd385921d431d47ef20c62b262409c2c66af1ef763404b81f158b9cbaf0b6f117e96a4e4a9842168cdb746c3ccd1ca1f85be453d2dd4c1654cf95e

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Users\Admin\Music\ConvertToJoin.doc.exe
    Filesize

    512KB

    MD5

    f07bfa13456a1fa6a7f48853eb3c814b

    SHA1

    ebc1019968a7cbf8d45a15c95fd68728cacc2975

    SHA256

    b09d2a6a9d7db7dba9bc9fafc725991d4f070900635976a86e7535614bc80092

    SHA512

    82fa48d8f98ec7c801f0e738d24c5d33cdb40f343825d968ebabc0fa2be81d08ae54df24f17eb62fc485a41e7ac47b7a4c7cb9cfd53d44b491659a736d84ae34

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    308f0e7efd028330e0e537a5fb20751c

    SHA1

    2b2248ff2ab3fda7af46ef03afa8f983efb09e31

    SHA256

    127927505ca28be01ce8d9145b4b46a7edc741d49083cf2605eda303d802dd87

    SHA512

    a848ce0cd44308ac344ef767ae84bb47afb93be7947b50d5f50addd96a15b04cfb66ed0e5331dc3f805111434ee10306334873ce1fb88150c7d0b8185d720f0a

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    94dc6fc030a1b4ce27661db40ead176e

    SHA1

    80d42be9ef1cf328bc0ac04b9e028bfa883a7e7a

    SHA256

    f62dd7a67cd0578a981a771d8737f5020efdae3b5f92ba1c058fd857a98df662

    SHA512

    e9cfba77841f065f71bc67e42522bac8ee419a653dc304713515ee1ea8d8322557097de3571bed2bd7df3899791d73d03c7af49a725320d3a2443e031274bb62

    Download Submit

  • memory/2016-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/5060-35-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-41-0x00007FFA21920000-0x00007FFA21930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-37-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-36-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-38-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-39-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-40-0x00007FFA21920000-0x00007FFA21930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-632-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-633-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-635-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5060-634-0x00007FFA23AB0000-0x00007FFA23AC0000-memory.dmp

    Filesize

    64KB

    Download