Overview

overview

10

Static

static

5

6ab05762e6...18.exe

windows7-x64

10

6ab05762e6...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6ab05762e64bab75773f3d89cc4e7f45

  • SHA1

    bdb715a7e8071d9232e38b14c681a74d522ddf37

  • SHA256

    7b57c8b33de679d4024622f7cae20fe9e1c37a83383ad73d657dd0b0ce060bbd

  • SHA512

    1588cef85014f3ca3d01bc3fdf3db4af891b0bfd054862a1afb7e474b8411224c79dff5647f04fb9beb510b28bd398e1f9f03c6b4ee15a5a04ea5c27f554b4dc

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ab05762e64bab75773f3d89cc4e7f45_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\otgxqlvzun.exe
      otgxqlvzun.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\follskzn.exe
        C:\Windows\system32\follskzn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:464
    • C:\Windows\SysWOW64\snlzbaeckrxyolf.exe
      snlzbaeckrxyolf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2080
    • C:\Windows\SysWOW64\follskzn.exe
      follskzn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3016
    • C:\Windows\SysWOW64\cdwiveyqsnunj.exe
      cdwiveyqsnunj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3568
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1140

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    236de3dbf3e6e3ec6a2a9624f9609898

    SHA1

    468e4cc9f5f2ed05d655332193c49440930dc0a9

    SHA256

    393f6c88c6d879ce2dc07d69f6d6dad60e4534ea4faec9679b0e8ad242f4562f

    SHA512

    330648c60aacbfeb39d4a28f7488028a4d8839d446c66d4e5edb2d0db5bdb287f8828abb2328da91805e3463ffd7133b67afb525709e2659d8055e0e1a1feba7

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    c87917a81c42c5385e234bb8cda983f8

    SHA1

    a826ebb5f27809143ce6a5f1ba1b67a9a7008fcb

    SHA256

    e8ae88b19e3a9754c16385cffa790636640a82aed3e6f33c00a2a0e3876092bc

    SHA512

    676a762ba50d82a85bb404cbb009adaf4898785bce1bcb181e60be2b2608226dd8b2b0f3b9e4e6dd03da3be6c3ee2af76b03a8bfa1a9fd97b2969ad77c03a37d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD945C.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    948ed6dd91b0fc60f7884761f429f19e

    SHA1

    c6f29c76da8ef4059ffe7d3102f85308ac0e62e3

    SHA256

    25ec240e04053d9240929be0d0878541448bf4c8894971a5afcd3a305160cce2

    SHA512

    44d0c571ed5419137443c71333919d03d881aec8c2c8a1cf79fb7235b2b1a86fe816f00ebcdad48b87b6e2ebcb4b66361f73d4dce3945b661204e285fd1a4a0d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f6bdb4115d1a9c8d9f1fcfde333d95af

    SHA1

    6b25686f4833cf06ef36370b72497c2996172e64

    SHA256

    550c018bf988da64875ed177179c64f3cfd2d75b5fd99fbc0c10650ce3654878

    SHA512

    0dbdb0fe875e6f1d6af5ae9f4b3c88abba6c66c4e15241fd5cc83a252b5c13d2fc047b72db0fa699a0bd2e028619b54e23c94299383b833c17820392fda8d400

    Download Submit
  • C:\Users\Admin\Documents\ResizeSubmit.doc.exe
    Filesize

    512KB

    MD5

    a7a9a10fbafa87d0425da78d4c569c00

    SHA1

    9abb3851d7fb817d8d880e9a0920cf1e6632d755

    SHA256

    3430803f5ec29eac50b2b78b95d5d926952881cbaa8d52378a0e5930c0cb81c2

    SHA512

    c58431b374502ac6feec499cb4f64fdf919ebaf435d4d4e98eabc940e9bc8a26499a478a9df3256f7fd968b8f970593e92fdf186596a11058ada04e0732cc294

    Download Submit
  • C:\Users\Admin\Documents\StepLock.doc.exe
    Filesize

    512KB

    MD5

    c91abb9fcb56b94f7fc34005d01b9e20

    SHA1

    aea0c3576c10e4899c8bd0c55880062e2334d520

    SHA256

    b945853726460719507cc37f54fc91275a014694863fef3fddc103cfb4998954

    SHA512

    311b5751b1524af0b33c3cf35f342ebdf8f451934a2246c9338fc534ac125c83cd24060a43ecf9e00002c526550a8e9ce6bfb78e98a635a2d40b25ca44774ba6

    Download Submit
  • C:\Windows\SysWOW64\cdwiveyqsnunj.exe
    Filesize

    512KB

    MD5

    fb89df37c00299dd9bd944d43a16793b

    SHA1

    16f80e2403f05b155ff664b768c5f6281ee29e1a

    SHA256

    add3a9144be0a90e9125d94f753ff35147555660786e143e39654a803df1a8d4

    SHA512

    9e3e6aae78fdcc4022eec29aa0cd630d31c4fe9456ea1e8a60143f88d6bfe15977797c3f6f9a21f7cdd93a902a5eac1f4fb2aab57a1185e2ab86ebe54eeee2a6

    Download Submit
  • C:\Windows\SysWOW64\follskzn.exe
    Filesize

    512KB

    MD5

    4c6f61b9bbd82c4c4ac2246738570f5c

    SHA1

    d394f7986ee3d08f6b7d1e2a55f436007ce2d246

    SHA256

    291909801f285ee8a7170f52f04b53281327e63da502c4435e0cd1d7cc17cd22

    SHA512

    376ab4c592d1dd3f2a02dd6dc864706117eadd1d6eb08ef25506b566369bde39f12077ff1f6adfb45c3f8f8df2f84627c7e234627f1ac6f612093a09a232bbea

    Download Submit
  • C:\Windows\SysWOW64\otgxqlvzun.exe
    Filesize

    512KB

    MD5

    333f72aa690e9db9d6dac9b0177c6e25

    SHA1

    5d3a5ce54ab908c902e779aca551e15fd5ba11eb

    SHA256

    bed12936882664696409c4485a8a1bda7441025dcd2baa780d4740807a5bcb05

    SHA512

    8e2614fdb331d2387026492b47b81215bfd5b9209cc784ef37f84f68608292925b56aca3b09ea4a618d4d2d1046589c2fc2f9cda1980305d3e19e1665b5d51de

    Download Submit
  • C:\Windows\SysWOW64\snlzbaeckrxyolf.exe
    Filesize

    512KB

    MD5

    3da95825e837c114fc7242342af0258e

    SHA1

    d4ee42fb60bdd57eca832a605eea608cce392a2f

    SHA256

    b23c934d7922e8049abb145424e0b7adf03a86841d4492066bc5202b90cc8736

    SHA512

    e956ff55f7a887e9765e8b5eae6db0d7990eec9f7ae57a09d3f9cce786a7bca7559cc749d25229b74d4b298a6abf6e143a0dc9519f67df33c7ceca191d65aaf3

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    4c8b73e10da71c4cc1690de574b8d78c

    SHA1

    aa2b9ec9611c706ba336492182e9a3169bd8e0e6

    SHA256

    736b4842aa46bf9edf3d6b8dd5cbcc2d5e9367bc827ad433a1d1a52e87c71fa1

    SHA512

    f3452c8d0833d336338e46d1f165c24b83f4850aa3f3540e07f3343fa279cd8733efd9d79d63915f5b522912eb408eeda97ef877d6c8e8c7b16f46c50606ee95

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    22afc1c5507357f8997ce5ae3ef65aee

    SHA1

    073c3e129b74fda19d5d747dfd5f2a1f696b905d

    SHA256

    5be0516ed5ae1bcc430f8a2db0c9602ba727f4be76c214084100986f8d3df89b

    SHA512

    278c746938afc75fa749069f33e0ba433a1c883ceacaa31c62bcb512f83b864a481fc22ecc30ccd09d92faacaf9c46f40606181dc51fa92aa1f21490e66681b4

    Download Submit
  • memory/1140-39-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-36-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-38-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-37-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-40-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-35-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-41-0x00007FFD8EA90000-0x00007FFD8EAA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-609-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-610-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-608-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1140-611-0x00007FFD912F0000-0x00007FFD91300000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2492-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download