Overview

overview

10

Static

static

5

65a06a91c5...18.exe

windows7-x64

10

65a06a91c5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65a06a91c5ea1fce51b4f22d048c1e94_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    65a06a91c5ea1fce51b4f22d048c1e94

  • SHA1

    90b0a4957caf7cde77901924c6fe5b2e8f9a5d7f

  • SHA256

    5346e262afdaa279f5ee31df5e755da5a1e8db025e53c612f9616c66e0aeba38

  • SHA512

    cddab1a52b9c316b1b1d2a435701bfa2e3128126c3d3851992c7700dd4c3f012b6b3f68707cd5a3e4057e46555e2866d2824e4f6bd2efec88524570ada595512

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65a06a91c5ea1fce51b4f22d048c1e94_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65a06a91c5ea1fce51b4f22d048c1e94_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\SysWOW64\sihabkicnn.exe
      sihabkicnn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\equcxwrv.exe
        C:\Windows\system32\equcxwrv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:732
    • C:\Windows\SysWOW64\owzwytoebqyxybe.exe
      owzwytoebqyxybe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3192
    • C:\Windows\SysWOW64\equcxwrv.exe
      equcxwrv.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4656
    • C:\Windows\SysWOW64\kiyjgultcgjsu.exe
      kiyjgultcgjsu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3340
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    95eb3da75a221bbcc398f360fa37e8f3

    SHA1

    7ac401c5a72dfd419b7645daec008c1cce37025b

    SHA256

    e502a22f29d31911aacbc1e01d5566e1caf6ae67d054557fb117f85c7f815aa2

    SHA512

    60e63db5e8f608e3bbfbfd7c54b987f0f9593d75abdb0276585783c894445763f440a9ed223ecc0f80e5d35eba32118cd5e6630b5eb021d6a088e50cc88fdaa5

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    0f9165edfbc2cb96f80245d637c9680d

    SHA1

    7a613fdbbe02667571c0887e66678386f085fdb0

    SHA256

    63953c2d3b3e388fe9d0f99459d20e6dc191a370a493fdaf9fef8360fba52a15

    SHA512

    09f7bae5b6e04995db8e2913027848ea469927ed773cfa3965a6baa883167c3e923cad11b9d57d058d6a10485741495f510ab90a880c710874f70cefd30290c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD8655.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    966962edcfbe5afd334286658dca8208

    SHA1

    57b403c811fcc80e255806ff9b2b7912443d08c0

    SHA256

    203464e8752a955e347262a18182caae2e554982a1fa908cfd67b85c30c55a29

    SHA512

    1cf9501de428462f23989a511ddda9add14d5807a2602892b5e8a716dee754bac4e082f8faeb954e68f673a2d442c7d4b2d227faec4c2e2041ea9b42f5020cbc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f2d9fe158535d255916c79852acbf04a

    SHA1

    b9a34788fe00af1f6607cd6c52baeaf3cfd6f5c7

    SHA256

    9e5b9b120786a20873c829dd20601082a642bb2341212d3b7f36354b928f43a4

    SHA512

    308a22dda25713f2ca72077aec78d0f1d86806dd89940ff9dd6198fd53059da78781d69b9f18d37b7c1984e1543d4578b664f1c20bfb3aba12bddd9e6929d382

    Download Submit

  • C:\Users\Admin\Documents\StartDisable.doc.exe
    Filesize

    512KB

    MD5

    c5178bceab77583ca24085c11ea315ba

    SHA1

    01bee58d9ac6ee793d638b545ffaa1544cc17e47

    SHA256

    e9c27b81a920b385de1a6324a0e6f55c11e4886d57f395151de41be2dc991229

    SHA512

    ca6cbdfbd56f0f11bb05a316c9998a7705364eef5712e48291c8a6153ca562fa20b70b6f606dc449cc31fa50dba647d38a9d3701adc02957fd5e7d7dfa13c25e

    Download Submit

  • C:\Windows\SysWOW64\equcxwrv.exe
    Filesize

    512KB

    MD5

    7076fe45d64b472641b29904930e089c

    SHA1

    774a4ad04df47035913d0bcb209c3d5e7cafedd2

    SHA256

    ec9129b26f24a6e20f98b861e97fa2c8209a9d603e8178a8b4f617a51650c8e4

    SHA512

    12b7f1c21654fb5b5ca8a432d5937df8be48b9dd258f86e68cdb03865dda62826cfb510716781547bfbf0f79839990d11ab3bd3eedc2419ab86e04083d1db24a

    Download Submit

  • C:\Windows\SysWOW64\kiyjgultcgjsu.exe
    Filesize

    512KB

    MD5

    82bc9d7aa3f67fd0908f797de99c368a

    SHA1

    4c1491898d106335585441f02961cc22d3fc259f

    SHA256

    53346b23f37d692311ca346326d0042278b5f1d01f1af331d21afc603421e1d3

    SHA512

    099abdf02b73163f778d77403e74a814a74f0013e7522fb261a9f95e25072200046c621afa694ba06e318dbf7822df9ff8c4448cf5277cef48ed30a11ce5372f

    Download Submit

  • C:\Windows\SysWOW64\owzwytoebqyxybe.exe
    Filesize

    512KB

    MD5

    32e5d66d777612e7a8574b867b5c27cf

    SHA1

    a8fec4ccd9720783a2b3792053ee9244bbf80b5b

    SHA256

    4c1bf4cf4e26723a62f0c528a56cd3ea9040e651559501482a4218ddeb57de09

    SHA512

    3c93c637aacf1fac6f3bf0dbd3968d92498b91edd9ba5d511867b9a64aa012389090d9dcb8d171b41f1cbbb75eb7a8c5bfe2ea232fde8ea2c7a0d0793e38f691

    Download Submit

  • C:\Windows\SysWOW64\sihabkicnn.exe
    Filesize

    512KB

    MD5

    44df96f52c883b7a4416945673be3bd9

    SHA1

    38f1c7c0b12e54e12c36547f9014b2ec093415f1

    SHA256

    b41be75f2bc9709f475a6bc470fb132a269999ff422ffc38b62098851aa97f08

    SHA512

    1712bc7528c3d1dcb4da71833910745e8a8a2ddeee84bf83164e17cf760f280881203c40ce87cffb38055975320a7827544e2d29ecb89f7fce335eb5a5adddde

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    0d2a72d38b24a3dedd267570e92d5898

    SHA1

    55a0905abe010196410830be0681e4c31e935b02

    SHA256

    b5ff0a78ce4c964991ade2383d3f574801a4d95c3972fe4ed9feb23686dcdf39

    SHA512

    3c4b18b7530c3a31fa054d63c94a9ae25b1f0cb9730173069c6c267d63fa61fda42becd5d4a1f5a4d5767e5337e232d5b706506d935900d38e2be855b41a52fb

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    fd50fb1d3a9f30d61673803a759aee8a

    SHA1

    1dd69f6596448d3d7ae6225d88dc5eb144247a48

    SHA256

    e49ea1dd0c75e3a818bb8db657d16e005c790f98d0dea1b1e4f4d70705db7594

    SHA512

    64deca80920e7fd2b46ae7224d09f827cda4c25da50639829320beb8ab7eab2bd650840d33ccc895f76fb243c0a7cfbb02332ba5637caee9b5986ab4e737c0ac

    Download Submit

  • memory/2476-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3144-39-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-37-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-38-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-35-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-40-0x00007FFE336D0000-0x00007FFE336E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-36-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-43-0x00007FFE336D0000-0x00007FFE336E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-606-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-605-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-604-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-603-0x00007FFE35CB0000-0x00007FFE35CC0000-memory.dmp

    Filesize

    64KB

    Download