Overview

overview

10

Static

static

5

6a042aa526...18.exe

windows7-x64

10

6a042aa526...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6a042aa5266e3263592ebf6fcdfc51b0

  • SHA1

    c62dcaa0d589027701bb26c675923496c34aef40

  • SHA256

    146c72ff0fff7af77b6ae5f865500138bc513095b9279bc79607403772f6aafd

  • SHA512

    60471e27abe0713e9c2727345b30138b2a4bdc02743f2a675323a3d5ce35491768bfa07cf2e355aa29f160d07ae259597d1f1933396a7d55ba301fbc9f554770

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6a042aa5266e3263592ebf6fcdfc51b0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\SysWOW64\ncildwcmpp.exe
      ncildwcmpp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\dtykovlz.exe
        C:\Windows\system32\dtykovlz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2864
    • C:\Windows\SysWOW64\iqethasbmrtapqp.exe
      iqethasbmrtapqp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1964
    • C:\Windows\SysWOW64\dtykovlz.exe
      dtykovlz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3468
    • C:\Windows\SysWOW64\ulugvwdfgqsff.exe
      ulugvwdfgqsff.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5008
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    ff90827a26a0e69c13697f5d1a0ad041

    SHA1

    02ff8d74a04c40094d0e56e9fedd3b8a26203a7d

    SHA256

    b990c0fa07e8622cf58045be559e5c3874853d7f135259afc295b1733198a28a

    SHA512

    bb09251b2664f2cc29ea558e203bc7695ae9e186afbfc99cbb8122be253649c5bf26c49318ea156c324bc9968b2756c04c935b492b9f4d2d5ef43dc7797d9a0b

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    63ac0e44151931b1aed2601a9c747b4a

    SHA1

    ce703b901d7f46ff4d4b22e49e92aa7e16acef58

    SHA256

    f57a5f29ee74f6aa05283bce42b3208cca6c41fafa03f995e38fc275b8698940

    SHA512

    96a356ab6918bfbf96ab79b478ecabbdf4eaf5c565ae9994e34e518ce8288a4a4f84d397dd69badb3262f355da7b2312c5738bb46934207f43f675c68bfbb220

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD88EC.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    506d7890424e69489a5be1afef5580c5

    SHA1

    cba816211e3120c37d2714d61354265337eae683

    SHA256

    d66db9598aaad84b8312523932d2c802eab42979172e4e1c84262688fed362e1

    SHA512

    68f6ca745d8e50478c4ff4d2072e021187b40e94c3be42f17142f22b79d5150cdd6992cfe12a6119b3ad4ce7d43ea193a303fcffeed35ec7b765bb8f9348515c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    799165fda008e74f295789842d959918

    SHA1

    cd8cd9d2d10ccdc92726511dd30c61dda116d24e

    SHA256

    520998c74c9488a41d6168c1bef93b8d8ff25613c143a6310d40e50a7ae452e1

    SHA512

    5622ddf77c82f1b72bcfa9b498ec8701e0ef96d1cbdf2a7baec0bf53a84ecb68e816ea93f3d5942f03b44cb15d1d50ea096cef29053dad7582f8b809aaee1a23

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    95f1b499231b577dad605c6b119fe85c

    SHA1

    7f7e3e20025b5328f12a85b1b4eb804361675c82

    SHA256

    c6f3845755d546ea9c17030ecc2b3fc650707494f5a55badc37142e56da3b98d

    SHA512

    aee674d7e86229a9b5b06710c6d48141695ecb2ca687744aaf3e8ffb2784ee8712396aad72f4f218a1292ba3b0b7598e3cb87da8b83637174d5811c5f9715300

    Download Submit
  • C:\Users\Admin\Documents\CopyRead.doc.exe
    Filesize

    512KB

    MD5

    8191b500553ed9b40940cc02a9f8c60f

    SHA1

    1f678ce8526cf94accf31615d8ef857b44e9cc82

    SHA256

    f25526ce87046a57e8a499864429ed3ebad3f6fe8ab25d995d93166d6df6fd45

    SHA512

    fb2e33370ff18637ed6155780a9583d6aad8e8dab2ecefbb530c34be60103b27a35f65629b9d6acf4e23abf2d264b9c610e6de8723a8207fb84e405c6fc42b8b

    Download Submit
  • C:\Windows\SysWOW64\dtykovlz.exe
    Filesize

    512KB

    MD5

    ad81effec2b0659837d83d9074cd5c60

    SHA1

    fc703c4b16640ba3f847224230b7ba4f01211d96

    SHA256

    0f8b7626f7bf640224920417b4a102116de3505361217287767a85edcb0f88a7

    SHA512

    a7f3065137bf991b35264df92196593f89a7058fc0d0ef9a1d3f21b5e522eb017179cb204244e9ee5ae8bf41aa6924153901daaba095cb3290448bfebed92a48

    Download Submit
  • C:\Windows\SysWOW64\iqethasbmrtapqp.exe
    Filesize

    512KB

    MD5

    3e0d18cd6b15b6b03483529111dbcb18

    SHA1

    bec6a6c0cde0711101a84f4023757984b86ab140

    SHA256

    652dd43dd1ca09eaa3ae149f81fdc8b9d50da28a82f96ed182bc8ece0821c759

    SHA512

    2e177c5a192e700ef490f2933f428698435b8f71c224811204a3c7051e7b961372a1ae52c3d27527080a0e53de76eb90886d16fc8df73c652c4212e74539d184

    Download Submit
  • C:\Windows\SysWOW64\ncildwcmpp.exe
    Filesize

    512KB

    MD5

    73313ec682ef2057d297b5ade1bce5eb

    SHA1

    1612be935eedf97bcdad0a14a0ab94f674dabb64

    SHA256

    616c2cea467cdad8a4b89e6e7b0ccef78c87abf3887a9b323dbe2c2ff639e54d

    SHA512

    1e14d8fa2a12d5462ce08fa4240aeb4f79ef933d5f034c35324e058ff362fc27344c5afad981302cda2fb7ac683bffd4f045e95a461bad460d0f105699fc6ad5

    Download Submit
  • C:\Windows\SysWOW64\ulugvwdfgqsff.exe
    Filesize

    512KB

    MD5

    ba706a8b03e554bef8f8a6d6431f1093

    SHA1

    6e0445a396a8f78b15e2c6ea547d7fbff59edc1c

    SHA256

    c59c62389a33f6d8ec003aeda2e8fcf858138c0798a93b8f0929302a4046c7a5

    SHA512

    5794f44473b208ea16b51961717a060b070a0203b52a150b6282fec9a10c5f9d06248684d996be5b87ba71b3d0b052e2a202c392024d564a76ab3178f881b3c8

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    f85b9c4f1c62658d5e794df3f53ad2fd

    SHA1

    11618be8b212ae7c12d701d61bb9d63d278280ef

    SHA256

    b2956937ecd295945cb3a0c40ea392aa8fddb5b101ddb2b9c7e69d58b26e9187

    SHA512

    69f21f31adcfeb495d3117ee4ff99dc906fd6c50540e894cd51a939a2b174a15a7ef08dcf23bd620d0d8273c6c7f75ba474f3a8a8a777a086c47af710a570a8e

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9fd0fe521b6e6495c26e86e9101a6450

    SHA1

    676a553fcf99e7153594e3f40e158f5e197cbfbd

    SHA256

    4ecd7f03e7c652a522126bc9176c6c68dd6160803294219bdda6bf83770c3d91

    SHA512

    4dd919420ccdbcc8a9ebe82db2a93b42a9280fd227d0ab66da369660b080fc79f1a02c67b498ab7c9b113e144851edb089d00695923492bff33ecc66c4723886

    Download Submit
  • memory/3668-36-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-39-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-38-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-37-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-42-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-35-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-43-0x00007FF8708E0000-0x00007FF8708F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-606-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-605-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-604-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-603-0x00007FF872DB0000-0x00007FF872DC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4564-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download