Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 01:53

General

  • Target

    6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6598101b433c5557be6c2226a1df29af

  • SHA1

    f359e8a5dff641ac74aab026947dc7f48e3cabdc

  • SHA256

    02ac4db0e6c3150abdd27d71e7a5cd4ba3b2e75eeceb0bd9f6410616e1a44861

  • SHA512

    83d6601059110c199fadd51b6cc44009fa1534fe35c2e5cdc7be88464ea0465fcd8c5faf24b3d7c9a5145d38bc140a585fc586ea70cb243a12ec63404b5ae337

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\nultrckuan.exe
      nultrckuan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\nzebnleq.exe
        C:\Windows\system32\nzebnleq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2596
    • C:\Windows\SysWOW64\hmxogzrrwpfkqmr.exe
      hmxogzrrwpfkqmr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Windows\SysWOW64\nzebnleq.exe
      nzebnleq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\SysWOW64\azzqbyrmuwayq.exe
      azzqbyrmuwayq.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2620
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1832

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      7aeefee7850bf8fe978e4fa80778be2c

      SHA1

      d14e819b64e955d5a724cdeabbfd4766436c206e

      SHA256

      27a18b4f5bfb2a61cf67ef86dcece0af986846ca86f9e65ab1c2f944e32fee71

      SHA512

      70515377d62de8a4f50bb29948c216fde7fa4b1630a9537dd11936a939ebf388e341450dfc68272b09e0e42762866007e11dd18c6cd4bcf4ad942247e7cd7a60

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      68fefc29ea4c3c7bc2eb48dbacc7aca8

      SHA1

      e243138fb3b489d82bbf329352c39bbdaed7ad86

      SHA256

      b57f4d14caa831a7ba3abaa8c52444dd58ca0560a3f433ce9f4ab857235d4ef7

      SHA512

      9a2ee1ac979dcc156ad1ba94d6dc999a6772bbafb43ab4f091c626a67401ea2affdf6238385c4eb6c933a102d723bf155a061e1ce6cf47fd9b6ee007056a9bc0

    • C:\Windows\SysWOW64\hmxogzrrwpfkqmr.exe

      Filesize

      512KB

      MD5

      cd24d30250d23dbd447d45e2de80449a

      SHA1

      8c8033020b873863fcfd24d90af7eab6c9273a93

      SHA256

      75fd8dab77e4625f844c5657bc8f0147905f747bcbd9a2189fc51605aa061674

      SHA512

      195d6821ee6c5ff9c4fa3a1bae8aab1350cb37dd6016a1491a26f8266d296dcc2fb69bf7adf81d292cc4e018c6c3e54ef99c14560eccf5d7b00911d8ad86ddc2

    • C:\Windows\SysWOW64\nzebnleq.exe

      Filesize

      512KB

      MD5

      150a6c5183c65152fe7da7e40b4f26ca

      SHA1

      de5468a9282c6d8859827e4fdfcc8424b8eb8573

      SHA256

      6f02a8b5b8fe15423fc46610f0d07e072682f9d2d20e77346a3d4e544e04fa11

      SHA512

      3a433365203069d206ff16c43542e0f106d2cee5460f51f3313f5b00ec883bcc4e2d6b52e885d6c0f5aeff3a76a7eceb9dcdfe07dfa26dd8e2a240a3b559e06c

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\azzqbyrmuwayq.exe

      Filesize

      512KB

      MD5

      82c45f10bed0493502016977a469b189

      SHA1

      d267890a7d7dd47cf7b2407cc9f8bef6c1048eb8

      SHA256

      654807152fd99336f551dd882b17b666435e5231eb26eec667b5743177857011

      SHA512

      aab6061387690ded31b93d9c5867d4ec872f09834f55993f4df42c93e83e83bee85b2b7428f68e1a5c9c730c43f21c8cdbc1d3a6df1c30a89dc49b04275a0ad2

    • \Windows\SysWOW64\nultrckuan.exe

      Filesize

      512KB

      MD5

      9fa70ae4d6f0a1342dacceaebb815448

      SHA1

      2ac28b7126de0d46e95d4ac487278828be52dcdb

      SHA256

      c2797c5e575dbe9fedf3d6e7a8d179460e29f1148e08d69695595ac2f835cb13

      SHA512

      439846d0c8013171e52ce3134634e5cc817de71d156b3e3673afdafaafcdcbf5865a49f3eee0565c2d6d1e5b412c2d03f33b44eae4170de941f5f9f762ad963d

    • memory/2472-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2472-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2880-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB