Overview

overview

10

Static

static

5

6fd9a7f9ea...18.exe

windows7-x64

10

6fd9a7f9ea...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6fd9a7f9ea4230b01d37da830d9fc2d0

  • SHA1

    7cb56b8b19c98b78857b9ff7a3ec91cf4d358970

  • SHA256

    f18826b5d3d6f6f9fdde8c8a9639a47228ec8a276a1601bccf8aafe300b50948

  • SHA512

    47d16ac61e43e42790dbb3f26d8b2cb669233f76e8fab1f3c0647163d9adfdbdffce9b06148f37530ec5fac40bd160e2c21933488f23f2372a3dc1708304a675

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd9a7f9ea4230b01d37da830d9fc2d0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\rejymzcpew.exe
      rejymzcpew.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\SysWOW64\zntesjtg.exe
        C:\Windows\system32\zntesjtg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3928
    • C:\Windows\SysWOW64\mtbsqdazxszlplg.exe
      mtbsqdazxszlplg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:924
    • C:\Windows\SysWOW64\zntesjtg.exe
      zntesjtg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3932
    • C:\Windows\SysWOW64\jqhksfrdmxvnh.exe
      jqhksfrdmxvnh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:856
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    a144c19fcdf605b7ad40ad75abcdbc9c

    SHA1

    25babb42311e6ef8a6854d98ceca94d51d7687b0

    SHA256

    364e34d56c96015794a106d1b4e2653529ca056c36977f553e47ca91b0f86959

    SHA512

    f0306d41d0e412770a38132a46b889366523e549c8d897816d285981db88e508751961286d2ca8fcaa0eb71e4160afd6f406e6bbac74a70c0aa7a936f4da1b0e

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    447c0f86468b1b399d786e7cd0f9f9cb

    SHA1

    b0d71d9a1df612180b16e9cc06a346dd6b29ae0b

    SHA256

    707960465de7b6ec9834e374da2612178b8d0cfdfb699645d18bffeee7c1c0ea

    SHA512

    2c34bff5dbd3c38c902de36d3a78aa6b2e57666cc44fba8e33e35b88fb0d80c824bb08ad8e3fea297503ffd82167e95ffcf834dab859a858f9f468090b2e7f6d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD824A.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    41c9a73104fc9ebb3f1bedb44d037ffd

    SHA1

    fbda03cc7edb1d06e058afb31a82bbfcd970cd30

    SHA256

    fe219a3fd70cddf0e7d3d49ebef5f5220c9fa4eec7cdf60af2cf88e87e310116

    SHA512

    19f322299fd7566c2ffd39f99de8b691b9c3292dbd1afa725d73820ddb247ef7b75c263b579f70b9f28c53096668a4cbc86f7383827632be4b9ef3d057737c9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    06750688ed1af046ab7f577d4c8ffae8

    SHA1

    f681063c1da80ca296a155d14504087b7b708ab4

    SHA256

    6a17d51ff178373299ed933b2b5adf546662077fbfead56d233c44393e49eab3

    SHA512

    396c59cc0656eb2128b85a57806a4174a41c8ca50e320562256576157cb61e7c1a7e257e467b47566f01a8756c1725d739e43fb3bc45ae9847d87518bb539d18

    Download Submit
  • C:\Windows\SysWOW64\jqhksfrdmxvnh.exe
    Filesize

    512KB

    MD5

    fb8d006ff546f32cfd02cc9683294110

    SHA1

    4a2a180951d4b500785ab3fe11bded4bd0bbdba9

    SHA256

    67096ddb3e64839a1c5d0a0297d4b15fac54d667fc1a6241499baf00f9c18a39

    SHA512

    d188efa46ab636a3f8798d6e3027229d6d2ac07255039bebc2bf816880bf649a412faadf0f3ac9f3daf9e310d681dfff123830b30f60659112a18023872f4fa8

    Download Submit
  • C:\Windows\SysWOW64\mtbsqdazxszlplg.exe
    Filesize

    512KB

    MD5

    2cc00701cca979076e5901bed8ec7341

    SHA1

    69b4a65af4ab9f20b906d53c4528efc08e15e1e5

    SHA256

    c1df8fec4c424a1babcae22e6aa98b514e8563f801977f9bcc7b849e5d8b17ed

    SHA512

    defab434ea3c4fd77d95fe56431e68b5651f9a6aa3251d24e5f42c22933a1d1fea089ae591c8ff7db517fca80d43038f3d45693584dc5cd8ec09de65e169581b

    Download Submit
  • C:\Windows\SysWOW64\rejymzcpew.exe
    Filesize

    512KB

    MD5

    83ca10dd139615a4846a043c16b47a09

    SHA1

    05e1b1005a54d34776881655a2de38ae839ae7e2

    SHA256

    30e6425917efb312287d2f146850e1e964a0d04c2bbb9524ca9a831ba57c1b7a

    SHA512

    020c5d455ca2f7d90b110693c7e163a35104fa0336a1cd90057a6e0f7ce9a0ca3fda59175b6ef19b31fade29ba5114f9c0d18b977fdecc9147785606dac65a01

    Download Submit
  • C:\Windows\SysWOW64\zntesjtg.exe
    Filesize

    512KB

    MD5

    4c8614dbb126ac17ba44f479c9bc90e6

    SHA1

    4c9fe416e4e27950014fe68cca5515568eb6469f

    SHA256

    00719e79a25e7995eb99e473992ad00a9da84ac245f179486c5162543061c1e3

    SHA512

    85be64c17f64029966d50374a1aaa50d3c8f31422877c8b0685799db99a355a938fd27896eabf3ff329c7e0a18f0e2c623d7a6ab39c295cb06a598c87266a48f

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    599e8fa74da19659a268dbc6cf0f4f5a

    SHA1

    44751ceb9d3be8c59ff66e542267f2d20104fdfd

    SHA256

    8f1bb3a690c55851b5744530d11619efba2f9fca2dac51900ed480ab20f675fe

    SHA512

    05f529ca3c277c0fbdaa5057c34940539079e9ce2e5e5c14ea9eb6e439674000d2c7eb218ee35506bd5665842f9974ae005a4d605d2e2ad773d8eb97bf0e17d5

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9ed610d388bbfc5cee6c7afd1433bb9d

    SHA1

    29f155b4554f6df4fcf6eb96e84a16807c814e42

    SHA256

    168a7efe93800b591b3af45eef495edac3d6c2107d43932258b8a2db88c94cab

    SHA512

    c50be0b3a4db441394ea407d786ca3eeaf3f838e74fd5c46188ded7cd9084c9477dc6a9d82365fb6e3e0251ab663e57853fd7dda247decd174e3f3038a85e0ff

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    a5c0ebbed7f16ec5b17c33a777a9bbfc

    SHA1

    931a43a22bc00d340f9ff10449df404620cba257

    SHA256

    266ba77eb1025ea670b736e1fb6d9a59da875bac9ccb51eced872ff292817448

    SHA512

    4c0c0751f23978865be87ad9b851b12ded2373fffe65372ef095422f885c1fb09eb9119139f4271c584e93353d8a21dfef169c12f7e95d3aa7e116c4c3c3964f

    Download Submit
  • memory/3012-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/5060-39-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-37-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-36-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-35-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-38-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-41-0x00007FFEC5640000-0x00007FFEC5650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-40-0x00007FFEC5640000-0x00007FFEC5650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-604-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-603-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-602-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5060-601-0x00007FFEC7B90000-0x00007FFEC7BA0000-memory.dmp
    Filesize

    64KB

    Download