Analysis

  • max time kernel: 150s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240215-en
  • resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted: 23-05-2024 05:26

General

  • Target: 69e0b698b55ec6f5a0fbce20d487a8d4_JaffaCakes118.exe
  • Size: 512KB
  • MD5: 69e0b698b55ec6f5a0fbce20d487a8d4
  • SHA1: dfc5cc42fe6b29a619ffb96926f09e39786572e2
  • SHA256: 9ce290a5cff2493a8e029645c1e4e7b15fd9bf333891db0b1c743aef8e977fda
  • SHA512: aaef2305d53d4b809fca612cbc02e386f4772d97cd94771e8c8dfd71e15e5e1095c1339f75b6d624aaef48fb245fa3ea5f2b482e0372875c930c8a914c518bde
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\gstuqrgbxe.exe
      gstuqrgbxe.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\vuzaivda.exe
        C:\Windows\system32\vuzaivda.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1940
    • C:\Windows\SysWOW64\htrpuxmgrgltyud.exe
      htrpuxmgrgltyud.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2872
    • C:\Windows\SysWOW64\vuzaivda.exe
      vuzaivda.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2864
    • C:\Windows\SysWOW64\yrbdhxcxqjucu.exe
      yrbdhxcxqjucu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2092
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2756

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

    Persistence
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)

    Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (1)
      • T1547.004 Winlogon Helper DLL (1)

    Defense Evasion
    • T1564 Hide Artifacts (2)
      • T1564.001 Hidden Files and Directories (2)
    • T1112 Modify Registry (7)
    • T1562 Impair Defenses (2)
      • T1562.001 Disable or Modify Tools (2)

    Credential Access
    • T1552 Unsecured Credentials (1)
      • T1552.001 Credentials In Files (1)

    Discovery
    • T1012 Query Registry (1)
    • T1120 Peripheral Device Discovery (1)
    • T1082 System Information Discovery (2)

    Collection
    • T1005 Data from Local System (1)

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize: 512KB
      MD5: b3201dc0c6a33f75f2013fc419d69482
      SHA1: 1a5030b35c3c7f110d589a025a40014aac4fa739
      SHA256: 86bda8eb934797517025868fbc72cadad68013ce01e50635406b2de7003962de
      SHA512: c5db7d4d4de91a9ba172532ee5d2d34f20098980ee69ee4b0a4554965a787087d911e284040af14cfeaf81eae41f56baa8cf18049a631af93938356ab9a61e7d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: ff6d135e3824951c954a1239467dac42
      SHA1: 795f8d2d7a5a60a64a0d156f758b26d8ffcc3434
      SHA256: b9daa0b69c146b7c25a7d491c06f1b88b54beb78e83873bfe8e66d25e1a3d540
      SHA512: 0b66483218654fa06d46b934d2fdfa37a2b3ac2599b553c6bf6143fbbf51e389e3dcadfd7f34236d60bc7c26454b9e86b1f93d54af2bb25deecc364cd82272d5

    • C:\Users\Admin\Documents\SearchWrite.doc.exe
      Filesize: 512KB
      MD5: ba2ba9b8b68fecfe3594abf43e8f9907
      SHA1: f20afefaf48b0b7dfca61257fd00f28b875a5e63
      SHA256: 482ffcd03e6da3ab5dd2f12f543d8b0405725c1585a7267b6fae526f3737584a
      SHA512: 2a60b2ff63d6dbbd1c2adad8d20a2b384310dd9cc463447e17a5391cce8d77c93f667f4f86bf97f55ee41b9f1c970ba3c17939555493ca91cffe9265b851cc29

    • C:\Windows\SysWOW64\htrpuxmgrgltyud.exe
      Filesize: 512KB
      MD5: 156e1916f8d6d6621bab09bd7b8284d1
      SHA1: 55b48b465609b91952ffd8358e6bb7fea78eae8c
      SHA256: fd1283c385cebc8f59bcd382e77cf645cd88794538e5eab2a6bd381a77e66361
      SHA512: 93c8595913f2dbaaa2435e53422765e0338cc34ea23fc170e9d61f326545251dc5e4ec25bef92e92402c8662c0a810ff41cb3056064193dbf8df84cf020c0058

    • C:\Windows\mydoc.rtf
      Filesize: 223B
      MD5: 06604e5941c126e2e7be02c5cd9f62ec
      SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
      SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
      SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\gstuqrgbxe.exe
      Filesize: 512KB
      MD5: b17a56790a6256077915b1802acfdaa8
      SHA1: a8786e56278fddbf84886b932093283b17a62dd1
      SHA256: 61f61df394c430e9be6e7e2994fed1c5a3324382b1ace7f73de67374b59f4dd4
      SHA512: 30e59b4bba30e21e71975f934b5527b50f8da1c584dc57e822cbec51784660678585204c63a5c40683f2dadc857e404842267c1fe0c6dbbcce800bf641f11006

    • \Windows\SysWOW64\vuzaivda.exe
      Filesize: 512KB
      MD5: 3f8785ac33d5d98c852ed9e49ea64984
      SHA1: b60c5fc3db00f43a44d530f03bcddcf605069c98
      SHA256: 1b05d4fa58cee255bd8882f36e1399fe3e7cf40ded1de6613229c7bd2f05e176
      SHA512: cebd8bc78c2b2b58c88dc7bba9db2e194b988687004a8b4a7eac93d9a38e70ea593b06a41d8ecb5a903fef560e4bd006eefcdda6e1d1e1d9a4edaa0bddacb4a7

    • \Windows\SysWOW64\yrbdhxcxqjucu.exe
      Filesize: 512KB
      MD5: 5770841ba923a08ec2044ebf61c3f002
      SHA1: f60b815eded3d8f64c1fdacd0fc82d6721418f14
      SHA256: 3626c7acd2dbc9fa916b6d996e2371e37c2ff0579ec617f5db74f056d1f2ecb8
      SHA512: f6a81419da4489768e8565c38fba6f371ba4b610b1f23c7fad65d78cc9866be3ba847317200cd33654f83cb4f11bc8ce638a1ad20e295736c8b1179ca98e162b

    • memory/2352-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize: 600KB

    • memory/2456-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB

    • memory/2456-100-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize: 64KB