Overview

overview

10

Static

static

5

654e52bb3e...18.exe

windows7-x64

10

654e52bb3e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 00:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    654e52bb3e8605de39394bf674d62302_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    654e52bb3e8605de39394bf674d62302

  • SHA1

    d478c725e67fd33a2c7bfa8846e43c4d23ff55d9

  • SHA256

    ed546775cf9017ffb5ac90474e86e0b73e86f12a6676827577f785af51528771

  • SHA512

    8cff78f1eb224938f25ea25a47ac4d276d674a801f2b340b77688d93a5a1fcaad6b5b08aabcc6ee97864e7aef7b88af73541f23505b6f3a84abcaad86bb4a79b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5I

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\654e52bb3e8605de39394bf674d62302_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\654e52bb3e8605de39394bf674d62302_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SysWOW64\teikrhrvxn.exe
      teikrhrvxn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\wrqabism.exe
        C:\Windows\system32\wrqabism.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3928
    • C:\Windows\SysWOW64\cueydisimtpjokg.exe
      cueydisimtpjokg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2772
    • C:\Windows\SysWOW64\wrqabism.exe
      wrqabism.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3192
    • C:\Windows\SysWOW64\nqwployzpaomb.exe
      nqwployzpaomb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:612
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    89491beb128e7c0e12e79d9eef5dec0f

    SHA1

    9f7a1b88336dfa398c126b1d5e23c341543fae9d

    SHA256

    171e3990f74b7829186dca33dd1ced814f40d03046190275cb276a80ef54caff

    SHA512

    d515a55b52771462300d76cc27267d59ff11ffff84eb4b3f0e3e177381098a37e022e37d206bf9c2c410925ddab624f9d4d17330cd3be2fce261cbd80b0d349f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD884F.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    bd8f8ea418b5e6417120222062bd479b

    SHA1

    369bc1c128ebc73daf70bbfddd3134d2eddb3b3c

    SHA256

    f1c3f4d68b83a18fa367210eb79e1d9137a4a1daa739737c7e21a01558339dc1

    SHA512

    933f2acc807955778c8ea2bd846ac0027d5291743ae2423bcca7883376e77d5e8ec3ac06506ab02c12737065db8435801fc71686b4116b64330cd7614d45972b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    cfbe792b79338263a07cd3f935ac6fdd

    SHA1

    6a2bd842dfcae03713bf41c964e4150ec3bb2ec6

    SHA256

    d03cb6bd1954fcf26dba470ec3f6947f87c622dae5fce7b4c44de0b7acdf4abe

    SHA512

    be55cf75239fe3c1cfb30dadea74bb88028d867075f75ee62d00f26c360b721ddf01171d585def83352dea5b414b4c7366e4fc0a6b555f4dd26562d0ab292d8d

    Download Submit

  • C:\Users\Admin\Documents\StartDisable.doc.exe
    Filesize

    512KB

    MD5

    18105c53af695edb6ac1f21d9daf365d

    SHA1

    70bddc945e4bbaacd9257c60b8cc4e562c2cf993

    SHA256

    38f36d0a1f16872f7a44c5f5e42874f646da0eb7dce9b11b3e822643424a906e

    SHA512

    7cefc3e94e5b6f1ef14bca2934adb0884057b8056c932023a76a9dc3df6c8e322a5f289f9a0875693d9459183c2a4713474a30f46ce73e5a6800dbac51131e21

    Download Submit

  • C:\Windows\SysWOW64\cueydisimtpjokg.exe
    Filesize

    512KB

    MD5

    39023e39d9daff534ce5911d235e37e7

    SHA1

    4f3eb701df893cf822c810611ce548bdfa002c7d

    SHA256

    872774a65cd57b47abcb441c7794fdbfd80720ad024344ba6cba29d635bdf0c4

    SHA512

    c28464349d52a9256514f754e8b7b9366d0edc2331c2964afa59cf1af9218cdf9973152c4b40f1e53298075217b514f4f18b17568ce66de6223c7b3679f2b568

    Download Submit

  • C:\Windows\SysWOW64\nqwployzpaomb.exe
    Filesize

    512KB

    MD5

    0e27b866220a72c3a71d564d5665383e

    SHA1

    dd2c146197cb73fc3e5c1afc57d1702a872168b8

    SHA256

    309d2855079282c8fdf0cda1363699b97bb5155f7ec900ab509577e2b82212ec

    SHA512

    90d310f302beacccb422eab873a0780474ca9dc8cb8b3e29bba7ba317c5134264c40215a9c2f8bc88ae340c285fa5736dfb60f7b76f4fe29325c2d3d327f7407

    Download Submit

  • C:\Windows\SysWOW64\teikrhrvxn.exe
    Filesize

    512KB

    MD5

    2d88506ab074c041c616d32fd57edbe0

    SHA1

    8610ba5bc9e228b040ebc260b790ab42dffeefda

    SHA256

    00842432771372a3459b967453c5ff3ae9f22e53fc1f875ced580725311cf7e7

    SHA512

    61d25dd1f2edba32894bd0d8e4b2afab5ee2cc66ea4bccbdfd905d7d8553521d0096c9a74420b19d71aa63f5cff3bd29a798cffe15145b95dcbd69dc84ef7788

    Download Submit

  • C:\Windows\SysWOW64\wrqabism.exe
    Filesize

    512KB

    MD5

    9da9ad0690f11cd071b4dc1d10884e9b

    SHA1

    00519198d9b112f16e0a16dcb3098cb760e3af3d

    SHA256

    0d91a54d1a5e0b256a789cc6042bd204aa9bf754104be3edddad58ee9d85b733

    SHA512

    acb065224f3a80ead40c78ac34610b62faaaea6bb6610c260f4bc4c6a3fac183e238c591489f7ff30241443b90742f76431fa910b37ea7d9e643c992dd1c78e0

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    72dfade428fdbf6210dc673f5bcfad58

    SHA1

    a8cd7f118a7d171d78844d6ad9ec8429a2f5f36b

    SHA256

    d8dd270e8adff6667f77295317d657d3367eac8598e4b3b0b3ddd23001329e5e

    SHA512

    0d2d10ed829e6a56c7664c9633c6a1bff8d483d3e9d91094bafa25a1150e6419411c3022af1864ded7870e132e78b234e80c25a83033a6ef6f2cf3bc58648adb

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    e498306d31837807ed884d243202e399

    SHA1

    2535076746ab5b7145c40bf0f2eeea477c38e3bc

    SHA256

    69d9524f4ce3f6b7102d31b899514829864bea3274d82ff8718749e46846d18f

    SHA512

    793896186c86a47b1fc76cf74addd28024b150722d83ea3e82463a457336edef73231974f2eabb2a9a5fe2fd2d3657d8803f4769ac3de89a3622df86aca5a6ac

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    f31405787ebd709bf289bce54be7b33b

    SHA1

    1c3c9425b5828b5408fbf2c1c2a0d1320f0277a4

    SHA256

    0a1423d074d398d40b686ce36bc5bf238ad8c02d19ea359ca0ac2e7ed472953d

    SHA512

    28b98532650d0b33be2f555b6b8679ab0b1f882ea1edabce4319aadf4df49bb787193e52658f6e68ab175338336097a798c02e2d0d354181f06315852a91d2b5

    Download Submit

  • memory/536-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1576-39-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-38-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-35-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-37-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-43-0x00007FFE336D0000-0x00007FFE336E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-40-0x00007FFE336D0000-0x00007FFE336E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-36-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-605-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-606-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-607-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1576-604-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download