Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 10:40

General

  • Target

    6aab9e1be79ece4cced89081b90fbb71_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6aab9e1be79ece4cced89081b90fbb71

  • SHA1

    dbee0bc35342d71b1d14757df9eb923836ace11f

  • SHA256

    a184e897d7dc3f64bd27307f2fb1a46ab5aa5267857aa301df5e0a48f0b645b0

  • SHA512

    a3d9a7431b099721831897b5b6c9d3cccf6d435220df518f2496821791c57beaf1f83c3668eb327d4a0f1ff21f21a65410f927b5185b450f33a131aebf386237

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aab9e1be79ece4cced89081b90fbb71_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6aab9e1be79ece4cced89081b90fbb71_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\SysWOW64\jjtmbkmfeo.exe
      jjtmbkmfeo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\imqwfoxy.exe
        C:\Windows\system32\imqwfoxy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1996
    • C:\Windows\SysWOW64\umyxnzmpcbdsmwr.exe
      umyxnzmpcbdsmwr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:244
    • C:\Windows\SysWOW64\imqwfoxy.exe
      imqwfoxy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3092
    • C:\Windows\SysWOW64\vcxohijhtkiac.exe
      vcxohijhtkiac.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3392
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    e9cc68025f96e80c7626cd85060f99ab

    SHA1

    450bf0c59bffaefe6be591394e2727f85e64188b

    SHA256

    7d8b3af834ce0e1abad0d6ebb03ff7ea3b71dd3ba5a0dca426fae98af7fb2d90

    SHA512

    f04ac9c35acda1d1e3e1219c68bf4d7fc25652f871b35a4f73776e0e5cd8955c1d73147c277ea702e57bf44be2950016976c039802be954dcc5f2880227b096b

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    34aa887a03602f7b23f4dfe0d688f640

    SHA1

    a0b3242dd877adbf6407d1227475033845dcfdf8

    SHA256

    17041ea66c7b1ec3c4d5a7a86ecde06584519a58234fb9760a7694284d2e10ba

    SHA512

    145a80b396b60ed3b47017d65b14b9e34592abb2c11d6582b7afd1b2b8c0a3ee8df41c204c88445bc8c94279ae023a52ccf03bd8ef21320755f9587c5cc2a437

  • C:\Users\Admin\AppData\Local\Temp\TCD8C6D.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    247B

    MD5

    1b529425a37b1334b8b33ebd890269a4

    SHA1

    84768e6475b45e3431d5dd62968dde9b92bcb799

    SHA256

    774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440

    SHA512

    8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    0b077185c32031410e2b53573c6e91d1

    SHA1

    f284f1c451965554ce2d901dc4f91125af2c81a7

    SHA256

    7a01d825d18b45f3eb1591b5b9adc5b9f24bae12cc90ef8c5a9126dfe8e31043

    SHA512

    55632a60818bb92d2ce5e6094cc2106218fb077e76c4d4d7ecade5c7987916b399b30d5f208c708356f91158fed147b98b992b8b858f896635a3752f2bbf5f9f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    6de48c21de6d129e28dc512301b7d5a9

    SHA1

    a1503b15dec1ec0086e6293f5eb18fa5d218b7a0

    SHA256

    3cd8e349f46042f3a15f23e0e455dc17bacfae34e4b88d944f06a89b2e787be9

    SHA512

    6b440393c062a8cd3733e9b076c9c6fa6b929cf2bbc7eff6f0aa69c8f68198f1836dfebfaeda8e413fbd95229017379a0a496e472dbd3c433e850cd67436863d

  • C:\Windows\SysWOW64\imqwfoxy.exe

    Filesize

    512KB

    MD5

    6c609e8b6fd5363f10c29515a6db0bd9

    SHA1

    9f65fbc2e6cceaf2267d6704eee799a81957b9b2

    SHA256

    2fca06c4fcd163a1bc5799c4ee8c2caeee570e55e3f33e700639973a1f8bd057

    SHA512

    9dcaabc08e7c624ee3b427141ced909d44a71af8ecdb511e2926148199c98e932ebdfcbffafbd6c834eaab6b0f3b3029aada1662fa60e611803b692f4e645b41

  • C:\Windows\SysWOW64\jjtmbkmfeo.exe

    Filesize

    512KB

    MD5

    93c66165aab6a25fb5c16272dbf31430

    SHA1

    fe4bff52db6744d104596a7e6cfde93000e3607c

    SHA256

    6522f111ec2448541cf86961b7196d79274d58dc57bf73c3bedbc1da77c963c0

    SHA512

    9c85090d9501fe42a8bd68b3474f36b7a315f2b05a305a819bfa156c08764c6958c776ecfa4263a0067664b1b32388ca7111368f4627f57a99ebb122da208a75

  • C:\Windows\SysWOW64\umyxnzmpcbdsmwr.exe

    Filesize

    512KB

    MD5

    2fbac6ebdf1172a59124821eceeb8252

    SHA1

    5ebcf889ac50ec23e1492c19d4a9d51c4a0e4f85

    SHA256

    04161cd595588dc81e34cff64d2f683856ffeec5e256efebd4314b82357b5b21

    SHA512

    c8ef377cb757d49b7b706223db283893d51a20b9cf68fa81b94410365c85692ae804b06f872eba8302a33b4da02d174b827e3091d9bdc74adc6049b2461a3f9c

  • C:\Windows\SysWOW64\vcxohijhtkiac.exe

    Filesize

    512KB

    MD5

    ba0e6c34f6e8a6b970513f28cacd695b

    SHA1

    75d14542205c57664dcb0e1cbecd3978297dd324

    SHA256

    999a77c2cce915d9c6841384f05246314e718d0ea2054b3549483ade1a58f6db

    SHA512

    e2606f21597b29e560b0a9d8467f0cca3c7f2462748e82099c35fd9148173e8595ba10c9a1e76f139eb9a28eef4af2110c32cca4fc32539fb975e649b7f6ebae

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e797afb8f6156f5a3ba29bf85d8ff82d

    SHA1

    902df9f69ba50f514edbbda9f72e9e686f003175

    SHA256

    e56534207d7ef22560cd100efa4e6d3f35f0ec26cabcc069e91d7b4c60aef20d

    SHA512

    9a5abd27c2852c8524a331b04f0cb20cb613c432f224b4202f07e5405e2ac2ea51977f8775505a901e3a3e3178ff79b63efb4baad2162f0bdd25459d4d60c3ee

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    b4b5937a7117e6baaa867f0e3e00e32a

    SHA1

    b8654350c771f0f922a7a7a3d76999dbc88deeb3

    SHA256

    191bdf6cf97a911c082b980277d361fe69d78c53c6938ceda7b6f7bdb4e0b02e

    SHA512

    c9b95f5be19ec58d488d68cae18ffe703320a77d984a4982dd76b38341797ed385610cd557bb4505fe50d7d29a0aa14060a0463c8f4d9ea1d7d44b463a48eee0

  • memory/216-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3732-41-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

    Filesize

    64KB

  • memory/3732-40-0x00007FF983F80000-0x00007FF983F90000-memory.dmp

    Filesize

    64KB

  • memory/3732-37-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-39-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-38-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-36-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-35-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-601-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-602-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-600-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB

  • memory/3732-603-0x00007FF986090000-0x00007FF9860A0000-memory.dmp

    Filesize

    64KB