Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-05-2024 22:17

General

  • Target

    68d39512f62c68cb8679a8aab38a95bc_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    68d39512f62c68cb8679a8aab38a95bc

  • SHA1

    b9b313c1f465a4ea90fb46e55bc91ff529c91c04

  • SHA256

    a93919d83383eb8f0a1a90735797f6434880a51719ab6672f2c7e665dbe39a81

  • SHA512

    0a3566a997d170a26160bf693b63e15ac69a7955673d9b4ce0d1cce2a980ad5de54c8d619059798bc7a702912d3b33a1f62b0fc4189da929817c1123fcf4a02a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6u:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68d39512f62c68cb8679a8aab38a95bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\68d39512f62c68cb8679a8aab38a95bc_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\SysWOW64\hqfweldnia.exe
      hqfweldnia.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\wlcmaqxi.exe
        C:\Windows\system32\wlcmaqxi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3200
    • C:\Windows\SysWOW64\lizbkttmjxdzjmj.exe
      lizbkttmjxdzjmj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3640
    • C:\Windows\SysWOW64\wlcmaqxi.exe
      wlcmaqxi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1428
    • C:\Windows\SysWOW64\jumykljwazcap.exe
      jumykljwazcap.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3500
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2300
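The process tree and the signature list above translate directly into a host hunt. The script below is an added example, not part of the sandbox report: it replays a small set of Sysmon-style events (process creation and registry value set) that are constructed from the tree and signature names on this page, then flags the Explorer/RegEdit/WinLogon/Run tampering and the Temp-staged parent that spawns several binaries from SysWOW64. The registry paths are the standard Windows locations those signature names refer to; the report does not show the exact values the sample wrote, so the Details strings, the SID and the Run value name are assumptions.

```python
"""Hunt for the behaviours this report lists, replayed over Sysmon-style
events.  Added example, not part of the sandbox report: the events below are
CONSTRUCTED from the process tree and the signature names on this page.  The
registry paths are the standard locations those signature names refer to;
the report does not show the exact values the sample wrote, so the Details
strings are assumptions marked as such."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)

# (TargetObject tail, Details pattern, signature name as printed in this report)
REG_RULES = [
    (r"\\explorer\\advanced\\hidefileext$", r"0x0*1\)$",
     "Modifies visibility of file extensions in Explorer"),
    (r"\\explorer\\advanced\\hidden$", r"0x0*2\)$",
     "Modifies visibility of hidden/system files in Explorer"),
    (r"\\explorer\\advanced\\showsuperhidden$", r"0x0*0\)$",
     "Modifies visibility of hidden/system files in Explorer"),
    (r"\\policies\\system\\disableregistrytools$", r"0x0*1\)$",
     "Disables RegEdit via registry modification"),
    (r"\\windows nt\\currentversion\\winlogon\\(shell|userinit)$", r".",
     "Modifies WinLogon"),
    (r"\\currentversion\\run\\[^\\]+$", r".",
     "Adds Run key to start application"),
]

HKU = r"HKU\S-1-5-21-0-0-0-1001"          # constructed SID
ADV = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed events: id 1 = process create, id 13 = registry value set.
EVENTS = [
    {"id": 1, "pid": 3104, "ppid": 4000, "image":
     r"C:\Users\Admin\AppData\Local\Temp\68d39512f62c68cb8679a8aab38a95bc_JaffaCakes118.exe"},
    {"id": 1, "pid": 1528, "ppid": 3104, "image": r"C:\Windows\SysWOW64\hqfweldnia.exe"},
    {"id": 1, "pid": 3640, "ppid": 3104, "image": r"C:\Windows\SysWOW64\lizbkttmjxdzjmj.exe"},
    {"id": 1, "pid": 1428, "ppid": 3104, "image": r"C:\Windows\SysWOW64\wlcmaqxi.exe"},
    {"id": 1, "pid": 3500, "ppid": 3104, "image": r"C:\Windows\SysWOW64\jumykljwazcap.exe"},
    {"id": 1, "pid": 2300, "ppid": 3104,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"},
    {"id": 1, "pid": 3200, "ppid": 1528, "image": r"C:\Windows\SysWOW64\wlcmaqxi.exe"},
    {"id": 13, "pid": 1528, "target": ADV + r"\HideFileExt", "details": "DWORD (0x00000001)"},
    {"id": 13, "pid": 1528, "target": ADV + r"\ShowSuperHidden", "details": "DWORD (0x00000000)"},
    {"id": 13, "pid": 1528, "details": "DWORD (0x00000001)",
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"id": 13, "pid": 1528, "details": "explorer.exe,placeholder.exe",   # value is a placeholder
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"id": 13, "pid": 3640, "details": r"C:\Windows\SysWOW64\lizbkttmjxdzjmj.exe",  # value name assumed
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\lizbkttmjxdzjmj"},
]


def flag_registry(events):
    """(pid, signature) pairs for registry writes matching REG_RULES."""
    hits = set()
    for ev in events:
        if ev["id"] != 13:
            continue
        for target_re, details_re, name in REG_RULES:
            if (re.search(target_re, ev["target"], re.I)
                    and re.search(details_re, ev["details"], re.I)):
                hits.add((ev["pid"], name))
    return sorted(hits)


def flag_droppers(events, min_children=2):
    """Parents running from a user-writable path that spawn at least
    min_children processes whose image lives in System32/SysWOW64, as the
    Temp-staged sample does here.  Installers (msiexec etc.) can look the
    same, so treat hits as leads to pivot on, not verdicts."""
    image = {ev["pid"]: ev["image"] for ev in events if ev["id"] == 1}
    kids = defaultdict(list)
    for ev in events:
        if ev["id"] == 1 and SYSTEM_DIR.match(ev["image"]):
            kids[ev["ppid"]].append(ev["image"])
    return {p: sorted(c) for p, c in kids.items()
            if p in image and USER_WRITABLE.match(image[p]) and len(c) >= min_children}


def descendants(events, root):
    """Every pid below root in the process tree (the scope to contain)."""
    kids = defaultdict(set)
    for ev in events:
        if ev["id"] == 1:
            kids[ev["ppid"]].add(ev["pid"])
    seen, stack = set(), [root]
    while stack:
        for child in kids[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    for pid, name in flag_registry(EVENTS):
        print(f"pid {pid}: {name}")
    for parent, children in flag_droppers(EVENTS).items():
        print(f"pid {parent} spawned {len(children)} system-dir binaries: {children}")
    print("scope of pid 3104:", sorted(descendants(EVENTS, 3104)))
```

On a real host the EVENTS list is replaced by parsed Sysmon event IDs 1 and 13; the rules key on the tail of the registry path rather than the full path so they match whether the write is recorded under HKCU or HKU\<SID>. The dropper rule deliberately ignores the WINWORD.EXE child, because launching Office from Program Files is normal; what is not normal, and worth a separate alert in most environments, is an Office process opened on a document placed directly in C:\Windows, as the `/n "C:\Windows\mydoc.rtf"` command line above shows.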

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    f174a52d2d1632eba145da1d33aafac3

    SHA1

    0aec69a4b0d79bbdbf5d4c7ffc4ffa56629ab6a8

    SHA256

    346f749513adac73955851dc30b42c27220a3ee0047c08020d06d351c19bb268

    SHA512

    bbc618f37349627d71a6b9f2061ecb8c96ff89535e77a00fbaa0a418772efa9948df70469f60bfd3412a7d5bc86f0ee38c4b4709c3b0d56849c95b105c1bdcfe

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    e034eed5c2aa159d1429a83de7663687

    SHA1

    8835a3e1de4194d0f60d7ce88712442089308f99

    SHA256

    367edb344f8ed8cba0a4569cd1ea0b889878995bbd32c99db08da970379055ba

    SHA512

    8cae783340d88b0f356ed6c476d527beac2b7718f582f523b707a85bff0b0e06e8c8997f9ba2a19afa0cac714e3deedcfecdec8b1d685c58b0b8a1d01a8d3160

  • C:\Users\Admin\AppData\Local\Temp\TCD9207.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    406ade56a574b1deb9389ec154234c78

    SHA1

    04b3be34f7460888824499bed3570ecd3747e5f1

    SHA256

    d08b22840fd9676cbfc9653909ebc048a6d0b7eb37a589e7f4e22eae275e7b4c

    SHA512

    7752b3ad4942b603eb6a5feb6075ef83274348e48bf850aa159fb3a6bb0ab5810220ae6c49c4a11ad2573a14b79922fb81a6bc3f019ee95588fd32ee6de35761

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    9c53a459b592b3a569d477a7e64307fa

    SHA1

    87992e5621f7088804ef551ad459b622f5bddc13

    SHA256

    9f57cc475150f6629c885d1f5d5177f71ab016125f1c72956bc1b9f3d1ee70f0

    SHA512

    45f5962fadcaa7e6c4c7c873c530c7548e955c9cd0ba8d60630378774dba062ab46a987932e3affea00ed618539759505b77572ac715c0d042ee527d6758d02c

  • C:\Windows\SysWOW64\hqfweldnia.exe

    Filesize

    512KB

    MD5

    b411498a3f14e5caea422329bcddaa5c

    SHA1

    77d508aa1bf3568c271c30240dded20260386ae0

    SHA256

    8468efd39576e607df2511501cdbba2c67c325c92e17b7b0910ac9e2482fe9b3

    SHA512

    19b40c4c6a395f1e063d2d97204cfaa081afd15ef1e9a0ac75db1aa11181fd452496cb8d29be6a3a115b870e7ad096dc05031e4e34cfdf3b521cb6bcd62ec115

  • C:\Windows\SysWOW64\jumykljwazcap.exe

    Filesize

    512KB

    MD5

    8738fbd9a6e57b8078ffc53ca996c833

    SHA1

    7174116bb04aecbacda815b9da722987a22d845a

    SHA256

    8dc382fbe2f16921f3a79786a041412869e507568cdcc9da37d5a7d06a36c0f4

    SHA512

    971051bf5808dca5691c0c92ea703a2f469e3513af9e7f2e9c21e526599994e05bbe165553b297d72c246cd86b6e472705fd3f91894d5f8cefaa12a65ba2d44f

  • C:\Windows\SysWOW64\lizbkttmjxdzjmj.exe

    Filesize

    512KB

    MD5

    705ae39ef6cadb6b173c1e8b032b728d

    SHA1

    9f07aa832fc64f6096ea311f2bf3f4cf903c97a0

    SHA256

    61c157d39077327543c2ab298e35f90a4e16a8cdedf58e31d46079fbc53837c4

    SHA512

    b6af7167bae6a88e23c843f1859a282af177ef4e494e983b6f6a4b3339d9484d606008fa8f478229925e1a19a02fa674f34d68cea111161a68a8ee5d7ff356a4

  • C:\Windows\SysWOW64\wlcmaqxi.exe

    Filesize

    512KB

    MD5

    1e3521304792ccb207b4a951c9e2da78

    SHA1

    3b0af503ea7626d18918815b080f6f4589a0a1b9

    SHA256

    e849ac89b9587ed24b0dc641da129851142df25974dfe105058020c80bf451b1

    SHA512

    4add55c9c2d699527e5d58fe3f7f375f1945dc66e4e0097626c827957508540a1fd59ed058a59b2b638e02855d4a72ed48c151d632941cb3ce596c473290d630

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    253d23f67d924981e9a2c946fa0e6d79

    SHA1

    9b418481662da63bd640057db01ae2059d3e93d5

    SHA256

    46f42fc34582f5771f2dae8b35e77bec6430c79a7856aa2eab62706afa6245dc

    SHA512

    1c9668f35b2cb14046311cf250cb00956c616bcff6c743b64dd6ca5412e2ef9d4976f908389f7c9699e46ef0781af6f8d5a9b39d26925224f6f82026e3952984

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    01fbb0b466b275a01df2e084e82f5828

    SHA1

    968f898b04f28b8322b310188704db72c36a3b7f

    SHA256

    a197a8c6eca06605693d221f183c0530264fbbaa0181d0b7d14c392294f0fb66

    SHA512

    2436677fa4605b9f116cf3232e8f0d9b93e1b988e70fc2ce3c997e46f79b10d53f88aacf5df18d51a61d6761fd8b59743443d6814fb46579505450f92a5fbe1e

  • memory/2300-41-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-43-0x00007FFA27CD0000-0x00007FFA27CE0000-memory.dmp

    Filesize

    64KB

  • memory/2300-37-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-38-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-40-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-39-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-42-0x00007FFA27CD0000-0x00007FFA27CE0000-memory.dmp

    Filesize

    64KB

  • memory/2300-608-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-609-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-610-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/2300-607-0x00007FFA2A430000-0x00007FFA2A440000-memory.dmp

    Filesize

    64KB

  • memory/3104-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
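Every SysWOW64 copy listed above is exactly 512KB, the same size as the submitted sample, yet each carries a different hash, so the SHA-256 values only identify this particular run. The sweep below is an added example, not part of the sandbox report: it walks a directory tree, hashes every .exe against the SHA-256 values from the Downloads list, and additionally searches each file for the "AU3!EA06" marker that compiled AutoIt v3 scripts embed. The report tags the sample as an AutoIT executable without saying how it decided, so the marker check is this example's assumption, and legitimate AutoIt-built tools will match it too. The host files it scans are constructed in a temporary directory so the example runs offline.

```python
"""IOC sweep for the files listed under Downloads above.  Added example, not
part of the sandbox report: it walks a directory, hashes every .exe, matches
the digest against the SHA-256 values from this page, and also looks for the
"AU3!EA06" marker that compiled AutoIt v3 scripts embed.  The report tags the
sample as an AutoIT executable without saying how; the marker check is this
example's assumption.  The host files below are CONSTRUCTED so it runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of each dropped executable, as listed in the report.
DROPPED_SHA256 = {
    "8468efd39576e607df2511501cdbba2c67c325c92e17b7b0910ac9e2482fe9b3": "hqfweldnia.exe",
    "8dc382fbe2f16921f3a79786a041412869e507568cdcc9da37d5a7d06a36c0f4": "jumykljwazcap.exe",
    "61c157d39077327543c2ab298e35f90a4e16a8cdedf58e31d46079fbc53837c4": "lizbkttmjxdzjmj.exe",
    "e849ac89b9587ed24b0dc641da129851142df25974dfe105058020c80bf451b1": "wlcmaqxi.exe",
    "346f749513adac73955851dc30b42c27220a3ee0047c08020d06d351c19bb268": "PROTTPLN.DOC.exe",
    "367edb344f8ed8cba0a4569cd1ea0b889878995bbd32c99db08da970379055ba": "PROTTPLV.DOC.exe",
    "46f42fc34582f5771f2dae8b35e77bec6430c79a7856aa2eab62706afa6245dc": "MsoIrmProtector.doc.exe",
    "a197a8c6eca06605693d221f183c0530264fbbaa0181d0b7d14c392294f0fb66": "MsoIrmProtector.doc.exe",
}

AUTOIT_MARKER = b"AU3!EA06"   # assumption: marker of compiled AutoIt v3 scripts


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def contains_marker(path, marker=AUTOIT_MARKER, chunk=1 << 20):
    """Streamed substring search that keeps the last len(marker)-1 bytes of
    the previous chunk so a marker split across two reads is still found."""
    keep, tail = len(marker) - 1, b""
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            window = tail + buf
            if marker in window:
                return True
            tail = window[-keep:] if keep else b""
    return False


def sweep(root, exts=(".exe",)):
    """One record per executable under root: digest, known-IOC name, marker."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        digest = sha256_file(p)
        findings.append({"path": str(p), "size": p.stat().st_size, "sha256": digest,
                         "known": DROPPED_SHA256.get(digest), "autoit": contains_marker(p)})
    return findings


def build_demo_tree(root):
    """CONSTRUCTED stand-in for a host: one plain .exe, one carrying the marker,
    one .rtf that the extension filter must skip."""
    sys_dir = Path(root) / "Windows" / "SysWOW64"
    sys_dir.mkdir(parents=True, exist_ok=True)
    (sys_dir / "benign.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (sys_dir / "qwertyuiop.exe").write_bytes(b"MZ" + b"\x00" * 64 + AUTOIT_MARKER + b"\x00" * 16)
    (Path(root) / "Windows" / "mydoc.rtf").write_bytes(b"{\\rtf1}")
    return root


def demo():
    with tempfile.TemporaryDirectory() as d:
        return sweep(build_demo_tree(d))


def split_marker_selftest():
    """Marker straddling a 5-byte chunk boundary must still be detected."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"xxx" + AUTOIT_MARKER + b"yyy")
        name = f.name
    try:
        return contains_marker(name, chunk=5)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    for rec in demo():
        flag = "KNOWN " + rec["known"] if rec["known"] else ("AutoIt marker" if rec["autoit"] else "-")
        print(f'{rec["size"]:>8} {rec["sha256"][:16]}  {flag}  {rec["path"]}')
```

Point `sweep()` at `C:\Windows\SysWOW64` and `C:\Program Files\Microsoft Office` on a suspect host to reproduce the check against the paths the report lists. A digest hit is conclusive for this run; a marker hit on a 512KB executable with a random-looking name in SysWOW64 is the more durable lead for other runs of the same family, and should be paired with the registry and process-tree checks rather than used alone.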