Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    23-05-2024 03:35

General

  • Target

    699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    699abc287d13163b8bb3026aa713dcb6

  • SHA1

    899554a9cb47a686b99a5c69786eed376c726f13

  • SHA256

    b697b55106ac91d268527ca90b0a3dde60039262b864f21466255d4187f616cf

  • SHA512

    26480aef7573c4a100ef1389caa9fdf31126068eec19ef7d5273590e56bac7448c28f2ce3c22e79600f6d9fc967cd3122b7141a7679fd5725d721fda8045c282

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm50

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\699abc287d13163b8bb3026aa713dcb6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\nyrzuoqlab.exe
      nyrzuoqlab.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\dxipkbwc.exe
        C:\Windows\system32\dxipkbwc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2936
    • C:\Windows\SysWOW64\kvoncoiailvmlex.exe
      kvoncoiailvmlex.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2608
    • C:\Windows\SysWOW64\dxipkbwc.exe
      dxipkbwc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2552
    • C:\Windows\SysWOW64\clyvdqkocpuvr.exe
      clyvdqkocpuvr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2768
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2396
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:624

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547) - 3
      • Registry Run Keys / Startup Folder (T1547.001) - 2
      • Winlogon Helper DLL (T1547.004) - 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547) - 3
      • Registry Run Keys / Startup Folder (T1547.001) - 2
      • Winlogon Helper DLL (T1547.004) - 1
  • Defense Evasion
    • Hide Artifacts (T1564) - 2
      • Hidden Files and Directories (T1564.001) - 2
    • Modify Registry (T1112) - 8
    • Impair Defenses (T1562) - 2
      • Disable or Modify Tools (T1562.001) - 2
  • Credential Access
    • Unsecured Credentials (T1552) - 1
      • Credentials In Files (T1552.001) - 1
  • Discovery
    • Query Registry (T1012) - 2
    • Peripheral Device Discovery (T1120) - 1
    • System Information Discovery (T1082) - 2
  • Collection
    • Data from Local System (T1005) - 1

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    39d2d3e5d530e7f183672f78ccd7be41

    SHA1

    410656645045676efccfe43602bbc053c5c879b3

    SHA256

    57297183fd2bf978d164f4bbc3aed2c24da0effb1fa84438dbe602330f3bde64

    SHA512

    2e8fd894c17f8fe4014b346095a7216b5d7a5a3fd1e7485a6c4feb98453413b1d16575ef1579ebf722b140190b987d247893dbb6120c8d704901f757226ad9bd

  • C:\Windows\SysWOW64\kvoncoiailvmlex.exe
    Filesize

    512KB

    MD5

    f25eabec8f24fc332a26d60388c2733a

    SHA1

    aaab6af93d8f3e27ee4562c705a154c8dd05a3d0

    SHA256

    1cf690fd84e9168894ed4e66de03556b2e930d7556e01f7f11a394f17bc3f6a2

    SHA512

    234db546b84ea8233a66a071126ac9522cba9bd483a8a0a8ffc0590f8ae5475e6add024c7760ce5d16a50a4670646427de9eb100d3df9a528f5f8e11c8dcd5e2

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\clyvdqkocpuvr.exe
    Filesize

    512KB

    MD5

    8d35ea2e4bfccadeed04e1ca7eea5aba

    SHA1

    f6e72e5065253b2b040f900b5f6f230bbd98a4bc

    SHA256

    6fa201e764f19a0f7873de87cf08f1db4f6be074d88d38e427de2b83cccbe86b

    SHA512

    47f5b29a177545911079975e211a7824c4881d43f11cd55b6abb2fcf0145e143897213f2a564a9286ff88bb4fade0ccf426f5a4f4556984166ec7c008a3496f1

  • \Windows\SysWOW64\dxipkbwc.exe
    Filesize

    512KB

    MD5

    6eb683e31ad2103fb0b253226f68dbe7

    SHA1

    fe744fbfb874b6848a96626f97a14c10f9c5730b

    SHA256

    4868f2902b6c71f52a98f7f45c388d6b13fce307683a45fafa4264fb4e84eeba

    SHA512

    a1c9949f50f925c3144eb9db4624287bc250cf2912fb07be36784cdbe967baa0a20a87b3dd5759d1870594317584ae6c6170b8327c2b0443f3950cad38906247

  • \Windows\SysWOW64\nyrzuoqlab.exe
    Filesize

    512KB

    MD5

    6f1d10c39afd38de3f21a469c1700ed9

    SHA1

    c98a217e479cb1ee717e0b72f1fa5ccbc870bda6

    SHA256

    8ee0673ef158960d1c3e8330b0e6e38786f7d602051b86f46a841de549ef5334

    SHA512

    21f4b1e01809c8ae5079b58692efce9364b32798bbeca5d02428b46114b83a386e4e877662c70439cef981a10bfbe2368d3029237040ac2d30c625f55e66ec8a

  • memory/624-82-0x0000000002B50000-0x0000000002B60000-memory.dmp
    Filesize

    64KB

  • memory/1728-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/2396-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB