Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    21-05-2024 16:16

General

  • Target

    63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    63ed84c1682a771e720f854e921a11c7

  • SHA1

    e04bb2e2eb9f740ab1b03f1a0e8544babcdcaca1

  • SHA256

    42ad0ede449b2c85265a9b8f2fb43fb705002149dc11bf2f4b96ae3f9ddb445b

  • SHA512

    85b13efa01460a1293944860af5d94a13048fccdcfaae532a6c8388f385dac317327120510719e3c6da54d8fdd5a62189e811d8614ace4d633e10fa512a6163f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

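The signatures above name the behaviours (hiding file extensions and hidden/system files in Explorer, disabling RegEdit, touching WinLogon, adding a Run key) but the report does not list the registry values the sample wrote. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses the text output of `reg query` and flags the standard values those signatures refer to (Explorer `HideFileExt`/`Hidden`/`ShowSuperHidden`, `DisableRegistryTools`, Winlogon `Shell`/`Userinit`, and Run entries that point into `C:\Windows\SysWOW64`, where this sample's droppers live). The registry paths are the usual locations for these checks, assumed rather than taken from the report; the sample dump is constructed, and the Run value name and data in it are invented for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry locations that the signature names usually map to. Assumption: the
# report names the behaviours, not the exact values the sample wrote.
EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed `reg query` output for illustration. The Run value name and its
# data are invented; the report does not record them.
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt    REG_DWORD    0x1
    Hidden    REG_DWORD    0x2
    ShowSuperHidden    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    rbofrmfgtyyaoyf    REG_SZ    C:\Windows\SysWOW64\rbofrmfgtyyaoyf.exe
"""

Value = Tuple[str, str]  # (registry type, data as printed by reg query)


def parse_reg_query(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse `reg query` output into {key: {value_name: (type, data)}}."""
    keys: Dict[str, Dict[str, Value]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):          # unindented line = key header
            current = raw.strip()
            keys.setdefault(current, {})
            continue
        if current is None or not raw[0].isspace():
            continue
        # reg query separates name, type and data with runs of spaces
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        keys[current][name] = (vtype, data)
    return keys


def dword(entry: Optional[Value]) -> int:
    """REG_DWORD as int, or -1 when the value is absent or not a DWORD."""
    if entry is None or entry[0] != "REG_DWORD":
        return -1
    try:
        return int(entry[1], 16)
    except ValueError:
        return -1


def check_dump(text: str) -> List[str]:
    """Return human-readable findings for the indicators the signatures describe."""
    reg = parse_reg_query(text)
    findings: List[str] = []

    adv = reg.get(EXPLORER_ADV, {})
    if dword(adv.get("HideFileExt")) == 1:
        findings.append("Explorer hides file extensions (HideFileExt=1)")
    if dword(adv.get("Hidden")) == 2:
        findings.append("Explorer hides hidden files (Hidden=2)")
    if dword(adv.get("ShowSuperHidden")) == 0:
        findings.append("Explorer hides protected OS files (ShowSuperHidden=0)")

    if dword(reg.get(POLICY_SYSTEM, {}).get("DisableRegistryTools")) >= 1:
        findings.append("RegEdit disabled (DisableRegistryTools set)")

    wl = reg.get(WINLOGON, {})
    shell = wl.get("Shell", ("REG_SZ", "explorer.exe"))[1]
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell replaced: {shell}")
    userinit = wl.get("Userinit", ("REG_SZ", r"C:\Windows\system32\userinit.exe,"))[1]
    if userinit.strip().lower() != r"c:\windows\system32\userinit.exe,":
        findings.append(f"Winlogon Userinit replaced: {userinit}")

    # Heuristic tuned to this report: its droppers live in C:\Windows\SysWOW64,
    # a directory that legitimate Run entries almost never point into.
    for key in RUN_KEYS:
        for name, (_, data) in reg.get(key, {}).items():
            if "\\syswow64\\" in data.lower():
                findings.append(f"Run entry '{name}' launches {data}")
    return findings


if __name__ == "__main__":
    for line in check_dump(SAMPLE_DUMP):
        print("[!]", line)
```

On a live host, feed it the concatenated output of `reg query <key>` for each key listed at the top; on an offline image, the same text can be produced from an exported hive. The Winlogon defaults and the SysWOW64 heuristic are deliberately narrow, so treat a clean result as "these particular indicators are absent", not as a clean host.
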
Processes

  • C:\Users\Admin\AppData\Local\Temp\63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\63ed84c1682a771e720f854e921a11c7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\phmzldeerk.exe
      phmzldeerk.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\jlhvqxqo.exe
        C:\Windows\system32\jlhvqxqo.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2644
    • C:\Windows\SysWOW64\rbofrmfgtyyaoyf.exe
      rbofrmfgtyyaoyf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2136
    • C:\Windows\SysWOW64\jlhvqxqo.exe
      jlhvqxqo.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2724
    • C:\Windows\SysWOW64\kzungvrwyhyst.exe
      kzungvrwyhyst.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1772
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1844

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      0b96f9c76d0206c38c7f8ec3bb5cf28f

      SHA1

      24d06798332e45b9d50af72e76f8577aaf1f86e2

      SHA256

      fde67964be158624ff997d01b3751b37f9d8062564c326dcea1fb57d4f3ee717

      SHA512

      b2799b6bae588eb325b359a82e598b6dadf0e4047b46c786cb900754033d592793ecbc81a4e984a3894ba0ec4c7859d82e91ac4c5cf76caf3a3a5cb6fa881918

    • C:\Windows\SysWOW64\rbofrmfgtyyaoyf.exe

      Filesize

      512KB

      MD5

      1988836d859e1605aea12b1c71d65853

      SHA1

      3b29d93e8be049d967f6b167ec8dd4d325b89d96

      SHA256

      39504cf302008f992e2aba97a1e0c552a180cd7ddc45cab73c8d9dc684be58bc

      SHA512

      0fccdfc0185aaff718ab0b83dafdfe424084643732e414e1fe799a3f13f0957e990136536ad1696cb74930fa118fc579110fed6b471c134577acdab071646d9d

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\jlhvqxqo.exe

      Filesize

      512KB

      MD5

      a4fab1755b8cb348e2f5be68be64d641

      SHA1

      a309a937f9a6d01bfd39a157e1bd034d0967c64e

      SHA256

      28466272352e638d32c8afff927aa3c4f30c62ba1d6f9ee905148d72de9d25fa

      SHA512

      19633c07fbfe070032419f31d54a12a10ce66d7ee3934d56b3eb830e2d55c251da8f1890800e47561fb279e6140b7ea17cb60bba3bd8c7459c20b94827110b83

    • \Windows\SysWOW64\kzungvrwyhyst.exe

      Filesize

      512KB

      MD5

      58192aa8ea8f901872710669947beca0

      SHA1

      e70265826c5ab614fa9e37c9bd6f494ae5e71780

      SHA256

      ff74b68363e70207448f44b5c8937bf9748cebd3e197e7b196a19e9a98088374

      SHA512

      fec33a594e1552fa984e7b8b3da57d381b4f7a383c09f08f6b434f33ff64c5effa086e640f6eb9e8df11bddcd8518bd203afff04f6687cff80a0a71cf03a00f4

    • \Windows\SysWOW64\phmzldeerk.exe

      Filesize

      512KB

      MD5

      846c7a8b4e6d752c7952f8675f99724f

      SHA1

      1c673fc063bf98a51f4d030970b8d62b7f8717ae

      SHA256

      f5f392dfe9b9465a0572740557c78e6e1c233af6e68b6507102352b6762e845f

      SHA512

      b688e1bf4ba5267b5df6d69198692fae35a51835e91d24d3118ef796e0a101dec7b8f2180eaa0001e03434a98a9b5177ab60d539fda4bdf4225f4dfe768efa88

    • memory/1680-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/1844-83-0x0000000003D80000-0x0000000003D90000-memory.dmp

      Filesize

      64KB

    • memory/2700-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB