Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-05-2024 01:02

General

  • Target

    6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6939f3c28f9cc1488cf239e4f111ba6f

  • SHA1

    995490c25d5b6e150472ac6c984071bb3509f213

  • SHA256

    19bf8a6d87c230c2f5083021744cc59d8c97929387f6c7a8e837287e82a4c447

  • SHA512

    c92ba3b4358030f6042c2e5af2b44f60b98d8969e82ea8b0a47f25c9fb01e7abcaa9fb1016bc6197c53c1b2f4de300936183d903ecaad22e6154017076979c4b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6939f3c28f9cc1488cf239e4f111ba6f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Windows\SysWOW64\wyycapamha.exe
      wyycapamha.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\SysWOW64\nloxyfuz.exe
        C:\Windows\system32\nloxyfuz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3592
    • C:\Windows\SysWOW64\imulohmhpfqxfzq.exe
      imulohmhpfqxfzq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2920
    • C:\Windows\SysWOW64\nloxyfuz.exe
      nloxyfuz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2924
    • C:\Windows\SysWOW64\sntllgthatpnc.exe
      sntllgthatpnc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2664
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    31d3be9d186a7d6edf95c4d9cf58cb1d

    SHA1

    8c21423a3e16cc726035f7d280a1d2c350b6c9ba

    SHA256

    3374fa0b904f71e2f85cb17941fd9a0bf7b54fd2afce78f322aa95b074901c06

    SHA512

    adff50e3242023b8d9fa39b41589407e9a9fbf05706002bd58b6c8860a9f68437b34f85b9de5c8b3a887dba93712bc2240be7cc364249994ca66f9352411f225

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    e01e86c5c783b3715b5467ade71b62e8

    SHA1

    a2d98e510acc54af22c397f5867d8854ee3c0636

    SHA256

    4f544348062aec36b6320976d415cdc531537433e6976daa1287bac2715abf1f

    SHA512

    afe876b62704b911ecd21db6e23143329778a7bc92bc605a026091e28c237d2a8891729bcbf5fb9a8c5dba84294da056e7c434b48f2f18c4592a6526753f6007

  • C:\Users\Admin\AppData\Local\Temp\TCD8F86.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    02c51389022c4ae4a527cd8d1c2d33b1

    SHA1

    2e96aedde59d1463a888024cd5f3d07ecad3f1aa

    SHA256

    5bfa4de2da69086f2167f8a890b094e67f1670fe955fafe57874b53504609c32

    SHA512

    4cc8fd117c916dae22e7e5bbbb1d2699ce5c1b0467bbf357f508f811b4da3570761227719d00fc3296167e54d9e066502b71371f57cf9499f6e480753a8a3d37

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    0ad74f19a29339fb4f09e9e9f32fbb6d

    SHA1

    94fdb4f9c85879fd8166bc53f3dc2928e3ef7488

    SHA256

    f5d25a37005c5d5148b93e25830f11b30f26c07d80093314e2ff798afb995f89

    SHA512

    99935c7973c36ee4c537acee65644441ead0ac17ea21a2bfb9e41727404c1493b71360f1f48812193f667f39459bb8b9f57ef592073ed482e03f03a800874ed0

  • C:\Windows\SysWOW64\imulohmhpfqxfzq.exe

    Filesize

    512KB

    MD5

    b51e3b124983ceb7adedecf4c7731365

    SHA1

    9151e83a9f11144d0393b89f9aafd0971ebd2dbd

    SHA256

    7ae7c8a5b50426bccfe43908a7d8027bb8814f84e9c5e7825edcd96a41e1efdb

    SHA512

    49ef752ce169f77b95e63c18a9614ccf6508429c7de8d3682e2f0bb7c304e04ee56c7cb14f6cb39d91527aeb9a704800ff613211bb097292e3661c219872105d

  • C:\Windows\SysWOW64\nloxyfuz.exe

    Filesize

    512KB

    MD5

    0ccd0d671ca66045a8f8915f95e998a6

    SHA1

    58a4095794180ca23cfbf3a2d2839222f541f4a6

    SHA256

    aaad41ed7861ad3845af5e6dcf1c01c16eec147cc87ee41b967c632024b57c3d

    SHA512

    e0ba1cb2302a1b7990d64038c42ce9bedd650393004ac8eb8bfd63ec70e7ffd8cf2f3e2372c03d07e6fc301dc159f16fed4ccbf7bff403c4ec297388d690b5b7

  • C:\Windows\SysWOW64\sntllgthatpnc.exe

    Filesize

    512KB

    MD5

    596ef6d8809a03d0d786fe032591ebf6

    SHA1

    7b4f015c79fc4324fd8c9fe4d22851b1632df612

    SHA256

    1d46f84cf7088e7ba4d701addc8fee885581262c3ce78931ecaaaeef262aaa98

    SHA512

    edf07c076e40f3f31a0b196e969273fa7a098e36cacf1e25583b8e337469abfe177906f75a406a55651151f5252d3b7abbb94e2265b3d040379f360b0c3bd8cb

  • C:\Windows\SysWOW64\wyycapamha.exe

    Filesize

    512KB

    MD5

    2c3c5c06e7332fe993a830495c6c7655

    SHA1

    8f4d5ab852f32a2b9c8dd6bc128000d49885e310

    SHA256

    2fbe2044280ab71ac72fd3a3f80e65b27463747f7fdf22ed47ed4ddf5197afeb

    SHA512

    9317dd335c772cc506cc787e4951bb76713517178d7088f89f4ec936f710ac7376fcd6222a16eaa5585b34c2a274a4ca2c9442027d53a4db7fae669e544d4205

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    a77a7e86d0b242015c696c9fe9fcf1fe

    SHA1

    44cfd3885dd777cd48c8aeb01357191155ae3c97

    SHA256

    ad2a74dc1d167e23e5cc3f5dc91fb4aaef846919253c0dfc578c807948569694

    SHA512

    4e7775977b8073badcc0663cc8e4d978c992ca683821d66b0690e2359ed0275fa161e45054a85fbbb3cb306366da213a258e31bfb897258f0f8131fd88ad261a

  • memory/4424-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4620-37-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-39-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-38-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-36-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-43-0x00007FFD6BA00000-0x00007FFD6BA10000-memory.dmp

    Filesize

    64KB

  • memory/4620-35-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-40-0x00007FFD6BA00000-0x00007FFD6BA10000-memory.dmp

    Filesize

    64KB

  • memory/4620-601-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-602-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-604-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB

  • memory/4620-603-0x00007FFD6E1D0000-0x00007FFD6E1E0000-memory.dmp

    Filesize

    64KB