Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    23-05-2024 01:02

General

  • Target

    6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6939f3c28f9cc1488cf239e4f111ba6f

  • SHA1

    995490c25d5b6e150472ac6c984071bb3509f213

  • SHA256

    19bf8a6d87c230c2f5083021744cc59d8c97929387f6c7a8e837287e82a4c447

  • SHA512

    c92ba3b4358030f6042c2e5af2b44f60b98d8969e82ea8b0a47f25c9fb01e7abcaa9fb1016bc6197c53c1b2f4de300936183d903ecaad22e6154017076979c4b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\vqiujnatup.exe
      vqiujnatup.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\ruyvqjpr.exe
        C:\Windows\system32\ruyvqjpr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2584
    • C:\Windows\SysWOW64\ecrwnylekkxkpru.exe
      ecrwnylekkxkpru.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2564
    • C:\Windows\SysWOW64\ruyvqjpr.exe
      ruyvqjpr.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2536
    • C:\Windows\SysWOW64\lniyomzvpbuau.exe
      lniyomzvpbuau.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2692
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      7922f98a56eb9103409bf2cb637d684c

      SHA1

      8cbc7c1576f7cb2590057b3e6bf3c71283d67ae0

      SHA256

      f660934f0883cb6fd4c3ec84a9cb6e4bd34338a7854d207da694a097d090c896

      SHA512

      97083c61bf73079d1e51d58fb1a88cded0690c0bdcd6c349847daf1682876bbcb60abf80c4f3633e46d6689605b919ed83edea7b4ca3355b9b4f897eda4af9fe

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      ec2b53cda31a7f2810403f61648ecb37

      SHA1

      f8d517384618f705537a577658d2288971483b30

      SHA256

      e05a121ca5be70279bc2447501f4effe96c26694a2da1228e7feafcc2de8341d

      SHA512

      c6ea7481ae1ea7608f41b5b8882747e905100f53e024c26157b72108c3722b40b1146a459b5bc69b76dfc0048d0c7ed9f7c174a4298008fa9b27c5393de0f6bf

    • C:\Windows\SysWOW64\ecrwnylekkxkpru.exe

      Filesize

      512KB

      MD5

      c6013d78ff0d50258cf371f0879ee451

      SHA1

      6cb06d66755594179aafe313432f43c19023be04

      SHA256

      320e2eb8761e5b6d9737d5f1c0db95550abcd42596ca2779da921a8d41e4b485

      SHA512

      e066824829267c2e682806f23a3c849f2503fc7831fb4192efd5e552e073b4a14f000197b0cca6ad03e8e476322a6ea8c2860885f572a9c84d711b767dc783ff

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\lniyomzvpbuau.exe

      Filesize

      512KB

      MD5

      745735979f5099003ed09430d8e94f10

      SHA1

      d56274abb4748c09c27d104b9f5ce97033116faf

      SHA256

      4df3d0869a78543d6daf080c17e7d5321a54a95e71cf60962f02d655ab7bd5cc

      SHA512

      7d249f607dfd87ad946c222aa6a9140920d764cd4372920081882dad5fc415f9afaf67157500239ba70f46affade870cb7a78bafd29721e043443368e9ab0071

    • \Windows\SysWOW64\ruyvqjpr.exe

      Filesize

      512KB

      MD5

      08528fe7b5c11a16a6ac7fed4e9785d8

      SHA1

      5217c16ecdcf19b36137471ef35e8d2ac1e9363f

      SHA256

      2376c4299f285b7656edb8622f8e8101c9474c81b8ff4b8e8dee8c8a199c66d0

      SHA512

      db02238538203728e86d1789ecdb2262a8e049691b0869028fffe145b51a15dfdea20d06a14c3c077eb5b571c612daf131af719620a59ba219c664920223731a

    • \Windows\SysWOW64\vqiujnatup.exe

      Filesize

      512KB

      MD5

      fb48e73e93e93102e5e43ca18c2f4ee1

      SHA1

      e22c969689222e6b4da63190a192847cac82628d

      SHA256

      a304aab231ee917122782890083de453ed3d8487396c733ddfe8ef15109f804b

      SHA512

      14d229a70a46501c4c84566b99f77eabdcb80c7278e34d1c4dc400aed85bb19b451b1393f86a85d8b612fff8cc57e973ab02d1ae6d1147faf3d9ed71308dc134

    • memory/1680-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2460-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2460-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB