Overview

overview

10

Static

static

5

6fe3cb2dc4...18.exe

windows7-x64

10

6fe3cb2dc4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 21:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6fe3cb2dc4388e19c65af3d0db5525ec

  • SHA1

    ff5812a826a147795cc8c8ce9420e6bac9c49ee1

  • SHA256

    5cef037a03b7fcfed6eb99589fa864213689e61e8582476d135aff73d6761eda

  • SHA512

    da8aab36d9d1870683f3837af83f5f34fe3afd52583e5b71cfbd254e1772717d6d8c7acf697c93b3b1ed391f5c6fa7d948fa5aaeb15815d59e8805cb1c01fde1

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fe3cb2dc4388e19c65af3d0db5525ec_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\wjyexttmyv.exe
      wjyexttmyv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\efpdhgnk.exe
        C:\Windows\system32\efpdhgnk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2700
    • C:\Windows\SysWOW64\tdoloqroighrmve.exe
      tdoloqroighrmve.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2332
    • C:\Windows\SysWOW64\efpdhgnk.exe
      efpdhgnk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3404
    • C:\Windows\SysWOW64\jtjpfzsinfhos.exe
      jtjpfzsinfhos.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:932
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    ae5f378319beba75d64d92bbd7b4502e

    SHA1

    7b69250d4fc43eed3f20b55d9c4a716043311bf7

    SHA256

    50c65ab20c83c4a4a20a5f5adf6e62e6b44d4db6ae7a141e185b92b461fc929b

    SHA512

    5676e2c9ef97d7fee3850912520d3a7c8b3fb67ee2606d88c61b2b18883b7b986eee6b1457d43c6ed87a43f8c0adb3ff325c33290eb2e3d825c43c9ed3dd2d58

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    f1447f2cbb687067d2bdef8e89aaa64c

    SHA1

    4304ac8afd3903d1d3925b25355d7465b76676ce

    SHA256

    de8fe12c52b4b7377bb133a853d37b5052ebb927ba033453385d827cf81c7945

    SHA512

    e928ae4c5ac9c4890164a9f7adf1f228f3d7f34fabb0bebef0307be29fb44bc65806054a786244c876ebdceeec3bc1764ee22d130878b1f8892f25216bad2d5b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD90B7.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    cb7a94d02c814d42e0d36752d23604ff

    SHA1

    a3dc9b99402aad1776c01d4ac787c4fa6336ed20

    SHA256

    fc3e2de613545cf33019b5dce9be49db46e0f38b61012c7b81fefc396501e537

    SHA512

    4b808c4adbfb0a918850a0c1fe548ae9dec14b3b6fdb60f0215f5863d79e1d420b338cb171b74195bedc714dd3a0bd301f36b7cca8583491dea8fc57c26346a5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    c3aa6f643b139c1170f1d2bab37b3ca0

    SHA1

    9369b0090ccfb0397d1871be30161ca76f79dcdb

    SHA256

    0f72a36ffeba076125ceaa73407542f6dcd8fdbe70ca73a559174981e90c1cc2

    SHA512

    5a6ad60ff59e602c1960dd634614bed0033c0cc7afcb19770a05c7ee35b3af5cc9726eaa2aaceddcff8054847d4ee64645dcafbcd517ee337aca524e051e49fc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    5ccfd42faa74afdc6c215790ff846990

    SHA1

    32e6cfc406ff1a63764bd9346ac14c9daa6f316b

    SHA256

    bd8df1780c9d2e038edf19ffa38bf9609271fde9ccf8dbf06e689080f07e34fb

    SHA512

    742847a1e23ddaeafaeea14070b8c89d99887043023d20d6d9f28a6e193628f7d004f1cd3c2567c53d9a9ded0683d77460e34d2e341f074029cdd190db9e84a6

    Download Submit
  • C:\Users\Admin\Documents\WaitPop.doc.exe
    Filesize

    512KB

    MD5

    67fd269cb8bbc027ff7a565fe281f7d6

    SHA1

    519d7166c9b0687c95c443f03193f9e05e4820eb

    SHA256

    03f1408222a147d8c3a9db27606afde744acd4f0bf255afb4b1ea3c9c14f8e5d

    SHA512

    6795908c960d1e06a600412db94d5b522e085f3e3cd9b3fb4d21e390b4063601786a7d5fcaab0b994dbd45c59cd87d8a4eff2ab406b70dc73af84c2531889d12

    Download Submit
  • C:\Windows\SysWOW64\efpdhgnk.exe
    Filesize

    512KB

    MD5

    d58415c7cbbaa4d9339eaf53caa78a8c

    SHA1

    c8794cfe204f9bd83f631a4cb4909f8bdca43a6f

    SHA256

    99b6982b9c0020af0a9838be3f60f8bdd772a1fd25cc0f828b832846190b61e1

    SHA512

    6d5676741b385be30358c2d6f26ab49e96319074b50e6c0202f62f64b06db356db98627a1854ebc32ac64db06ae475c57db1dc7290257f784cb76a528e0cff4f

    Download Submit
  • C:\Windows\SysWOW64\jtjpfzsinfhos.exe
    Filesize

    512KB

    MD5

    b1aa1822a6bf918b97ccd1f7dd3baedf

    SHA1

    8d040417e453d4c67e6fe823969a8d737d26869a

    SHA256

    3976dab4a0745e22bba124eaa044dfa2ead0786794f5087ff09419c3033c8f5c

    SHA512

    52fe1d9b983190abac4dc8020d4ecb42f3ee86389160a552b75d709dcacab0826847fec09316e5a7ae100c72562c5eacdd4dc8bebbc8bc0cf415341a516d6700

    Download Submit
  • C:\Windows\SysWOW64\tdoloqroighrmve.exe
    Filesize

    512KB

    MD5

    1fed91ae7a11137e048a36a120d43f80

    SHA1

    09f4d9d5dd9c257dfa5455627e7ba100f0f8bcb4

    SHA256

    584defe9547e6c2f468527122be81289bf136345fea370e6f5b5210eaaf0791b

    SHA512

    9e909acab7a8758ca43bf80523b9bdaa4d25a49329d2ac1ec583ae9d7b73c82a2d0b7b09fd281f192c7e34912d30da7e6cd6ef284a09d574cfd1d0cde18a6d44

    Download Submit
  • C:\Windows\SysWOW64\wjyexttmyv.exe
    Filesize

    512KB

    MD5

    bb3b2b0e4ff59466248ab4aa40592351

    SHA1

    b81d5f4a933853130ea11495e62f5030cb505a51

    SHA256

    63808040390f3c4c7aceeff97cedabd717a7277967b12a0b0d3c5c97a36d4484

    SHA512

    6028514431012c9814fe79974c547583d16af9bd046e4a8aac9651e2b174a5bd82d8af704eccac03ce185c08c84916f427c8d905dc45a705f7bc23ef8f275caa

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    b3471840c3952d34a283d628aebdab97

    SHA1

    589b0666830219e2a77cbf03ee3d65f12deb6a6f

    SHA256

    04f37c45ee8da3a806514e799cde3aa108b8f58ad20443261527ba0a2e3ebf89

    SHA512

    af39feaf0b2f2078da491d6b6d36942476dbc3b7946a279f0d54980e153b08924cbcce7e381e06d0dc0e4b4e105f89eaa8795223099429fd5730546601200b45

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    b7822a3a024cd910204f609faab64dfa

    SHA1

    05b43db2db765adca55addb8e6ee5c585e2bb7ff

    SHA256

    7c60d51862825d785a3970eb3f6b25327cbedf242698c0b3b6dd6bea42c99d04

    SHA512

    8a902c01e43c4e8f9be5abb118ceb8a28821a0f07c007a0760dc1003875cbe1dfe5bf04cda8075ee8ce07e8dd21ff1268ee67646fdb7d3648b418023efaa9855

    Download Submit
  • memory/752-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4784-39-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-38-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-36-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-37-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-40-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-35-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-43-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-614-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-613-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-615-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4784-616-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
    Filesize

    64KB

    Download