Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 01:53

General

  • Target

    6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6598101b433c5557be6c2226a1df29af

  • SHA1

    f359e8a5dff641ac74aab026947dc7f48e3cabdc

  • SHA256

    02ac4db0e6c3150abdd27d71e7a5cd4ba3b2e75eeceb0bd9f6410616e1a44861

  • SHA512

    83d6601059110c199fadd51b6cc44009fa1534fe35c2e5cdc7be88464ea0465fcd8c5faf24b3d7c9a5145d38bc140a585fc586ea70cb243a12ec63404b5ae337

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6598101b433c5557be6c2226a1df29af_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\SysWOW64\qlsyxiotzi.exe
      qlsyxiotzi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\pyttwhti.exe
        C:\Windows\system32\pyttwhti.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1368
    • C:\Windows\SysWOW64\bermdrspzozownp.exe
      bermdrspzozownp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4028
    • C:\Windows\SysWOW64\pyttwhti.exe
      pyttwhti.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2404
    • C:\Windows\SysWOW64\shhlxcptvhuek.exe
      shhlxcptvhuek.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4668
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (1)
    • Winlogon Helper DLL, T1547.004 (1)

Privilege Escalation

  • Boot or Logon Autostart Execution, T1547 (2)
    • Registry Run Keys / Startup Folder, T1547.001 (1)
    • Winlogon Helper DLL, T1547.004 (1)

Defense Evasion

  • Hide Artifacts, T1564 (2)
    • Hidden Files and Directories, T1564.001 (2)
  • Modify Registry, T1112 (6)
  • Impair Defenses, T1562 (2)
    • Disable or Modify Tools, T1562.001 (2)

Credential Access

  • Unsecured Credentials, T1552 (1)
    • Credentials In Files, T1552.001 (1)

Discovery

  • Query Registry, T1012 (4)
  • System Information Discovery, T1082 (5)
  • Peripheral Device Discovery, T1120 (1)

Collection

  • Data from Local System, T1005 (1)

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    f0bc3fa136692dd3c961ee5ff3a04657

    SHA1

    9229bb2af380fe0dc3521a0c5b4c26a54330dc4c

    SHA256

    4c8ce8c8fff1fb345b7c7395ef61405bce6857b288a92df6d788d9594cc63307

    SHA512

    d5035e4b5c0a711f6210d47458c281e1d83308b80cfca20803d17ac78995245a38053d4bba4e8616bbaadaae8682dd635a382589ca89408ddfd653b60784173e

  • C:\Users\Admin\AppData\Local\Temp\TCD9B12.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    955cfba83c355f3f6ad29e889ef145f4

    SHA1

    e0af6190ffa9db812ff91cd876ebe4e124cd0d7e

    SHA256

    e7c59d033ba6a5ea308e7d7251d7a73b4446637dfe25e212a74b02f0f97879f0

    SHA512

    52e3b919ff075b11fab36855bf9bcb5f3756c4602267ad61c8d46de20c8cf458b54bf638afe1c1b4b7503d6cc18ab32acd200d455144a2bef45fddd4b7d5a5fa

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d1b11c3c24ca7e5fbd68b056bd958133

    SHA1

    b6e84e158144e39ff41b95a3e540c41e59d70f33

    SHA256

    0fcf938258754eaf80686efee8ac5ec7b9bf52d55e4ce9cdfbccb5483dd0e21c

    SHA512

    c31f1fd8bb0c18ccb734c12469d6fe6255cf306156b3f6b11fc5e6ae1ec29925664c59cd8511358d5a592a723c98cdc795fec1a1a8ad7048e7ac2fe10c7d0d19

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d01ba50346befed5fdadc61318394636

    SHA1

    ced11aa62230eceea1031edb5968487d2b5a8898

    SHA256

    4c5e953808ae4b2132ef208a6fb870e454a651f9734cfd3985753769e3a6bd08

    SHA512

    9a13b48a8e278e21a3576eba90cc3a5944c550db63301c688dc9c1c96c83ce867b3a5c44834728cbc4c8b38bfae61fa292ab948d4a0b94d1b46fc536fe32cc6f

  • C:\Windows\SysWOW64\bermdrspzozownp.exe
    Filesize

    512KB

    MD5

    a0f322c518910b8f707106656f5d8bdf

    SHA1

    825548d3cc981b643eb03ad56832d38aeab20b21

    SHA256

    5edddd3e18e62aa61a98f8a2813d4442c12cd090e8e7e9a994a9c41b8be7c52e

    SHA512

    626a2d1b4679c8aa9379bb31835bc995c15975da149e9caa1b9ac5693f630ec95dd5b4a7e2a40840064289673060dcbf38f34a4a21d254eaa43c745ce11688ba

  • C:\Windows\SysWOW64\pyttwhti.exe
    Filesize

    512KB

    MD5

    ab7997e49ffcd4bc6c583a54b83f0ca3

    SHA1

    bded20601c36cf082fd9203b07b27e0a086a0f3e

    SHA256

    d2c98c287bd14a7495e0306f23f1c3d0b17778edbc0011e0e56bac292faeaf96

    SHA512

    af9edd1742242f9e0bbd1b07fe2b10f5a15d9028e54931ac89d14b35c00795c81cb5bcc02a31aa294eeef1ed7ae320ec426e8e6c64c8aafe26f079216e59a03a

  • C:\Windows\SysWOW64\qlsyxiotzi.exe
    Filesize

    512KB

    MD5

    1e8647a2943d136fc761395d6ecd6ba2

    SHA1

    952048a03a6ab3c90f11d6db2765f5ad65214e49

    SHA256

    0d67b91277fcadd8a4306f617a74272e755d47f619c87c94a8b8879acdac197a

    SHA512

    9d75ed7e47767a16cd0c40de8ada019c6e3ec8c83eb25282a6e5e5ec1e8c03ad3f787a23ee6432e758a2cd3538a3b4ea0396139f41b1e4e79b9cd708d12198a6

  • C:\Windows\SysWOW64\shhlxcptvhuek.exe
    Filesize

    512KB

    MD5

    5d1b439e57ad36d29bac3786636dd887

    SHA1

    8b4a8532b2d662dd17d32ee3a0573e3291a719e8

    SHA256

    1b0701599b6ce6d56daa2de8801ec3f50c2d19fc38619e3d3e5a18e4dfc44b9c

    SHA512

    0eaa23adba6d1397fbfdf11135ad97ff77f042351630e374cec93c218fc8f6a1cb7e2a040be3b01ccbe0de80523e112bd2a1927a7df00d3f45bf6f0fdfa0baf2

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    8f511adf98a59430f26ae655dd790ad6

    SHA1

    4ee2c0f5facb88c1f6494e3a18e8460d6ba85848

    SHA256

    3a2d8cb263bf7e178cc8a2ff0949b6c252821d0e174e20b1c2e3d79dc30234da

    SHA512

    35cbc4bc5f6ae36137add9554daeb48792c232d99081c09bd89d0af673893288bd27243f193130272081b484d0812e68f4af5e9b5a03504379d8dccfae7abb2a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    c2cbd2fa1454ebea70817e0b292b5a58

    SHA1

    edef55ce4c4555f654f96734a311e27573c0a4bd

    SHA256

    8110a58ce09ef1066e7ad3a81a665b9568ce3fb81df7c4b30593e371642cdea7

    SHA512

    dd2c9901f853a062a0dcfb3151f25bafcbbd40c3c94a1cbc4c9687dcd15df4b0099c90f23b306284c5138f904189a979c7a9d1c87ce87d22f0f79f1b1e4162bd

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    6f53f2f8c5b98de7ccc0bebbb5fb66f6

    SHA1

    c96126697b9af60b6157b6eac96f353a8d290e89

    SHA256

    7d10bc0d9bc6ff7679fbd8b5e85fa280e6fb60ec74fae45684bdff3ec80307f0

    SHA512

    131bbac5a6645f3fbd586c15fbcc8817de4ba2c1282e1ade741b975f7a396deff31c10df5ea9c780bd05c511de4d368df91ca5e7149f96e81a81fda24ffac9c7

  • memory/3320-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/3612-38-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-41-0x00007FFB30E60000-0x00007FFB30E70000-memory.dmp
    Filesize

    64KB

  • memory/3612-36-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-37-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-39-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-35-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-40-0x00007FFB30E60000-0x00007FFB30E70000-memory.dmp
    Filesize

    64KB

  • memory/3612-597-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-598-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-599-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB

  • memory/3612-596-0x00007FFB33550000-0x00007FFB33560000-memory.dmp
    Filesize

    64KB