Analysis

  • max time kernel: 149s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240220-en
  • resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-05-2024 02:46

General

  • Target: 6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe
  • Size: 512KB
  • MD5: 6d17cb1c6d930030874aa1e3e5b62963
  • SHA1: 841eca2e02ab32f999dfdde2cec00b0400a1ad3b
  • SHA256: bb5af4afda3a286a98cb5eb134ae1d04c46ac269006eff35088b03977cfedf4a
  • SHA512: 52a83d6557bd75abcbc8c271e973587e1e4a64f1dec4d80e648533e3d114832d6c99ea05111fc22ecd68132824e13d50934f91b8402741fe64e1347c3f4a2b8b
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6d17cb1c6d930030874aa1e3e5b62963_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\lulupkvlcb.exe
      lulupkvlcb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\jaqucurm.exe
        C:\Windows\system32\jaqucurm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2188
    • C:\Windows\SysWOW64\sdqpyrffedbobad.exe
      sdqpyrffedbobad.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2116
    • C:\Windows\SysWOW64\jaqucurm.exe
      jaqucurm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2636
    • C:\Windows\SysWOW64\rfrrckwwbxgzp.exe
      rfrrckwwbxgzp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2584
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 3
    • Registry Run Keys / Startup Folder (T1547.001): 2
    • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 3
    • Registry Run Keys / Startup Folder (T1547.001): 2
    • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Hide Artifacts (T1564): 2
    • Hidden Files and Directories (T1564.001): 2
  • Modify Registry (T1112): 8
  • Impair Defenses (T1562): 2
    • Disable or Modify Tools (T1562.001): 2

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 2
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 3b9cccd6ef117cde0b72a668540879ee
    SHA1: 11206a065b8ce71aeae7a77c8c1a040d55b653ee
    SHA256: 817d16d946320c85d418c0c3b3a8b165978b2fd3ca798dc47ad92ee8c4290072
    SHA512: 83e1f77a1f2aa8048da1ca80f576cee47312398414d2286cffe9c09e8fd7a0a3b68544fcb266ee09244f5e7d27d5995352354b011a7db19cbfe50ff3610dbb79

  • C:\Windows\SysWOW64\sdqpyrffedbobad.exe
    Filesize: 512KB
    MD5: a09b1cd2bf266d9f34a9396b49f830e6
    SHA1: 79915494720a7804783464680f51574b723ea8fb
    SHA256: 30522213d8aca0d824054dc32d358caf0bd8731afd674ab1d39326e4d72714ea
    SHA512: 703461838cb5cc97f829198ad62a4cbd35d7ff681417c19bb8944c97b0714523a061f48d5fab82627a949f55889199393d0cdd9acdf16c61112a0a15d3f74098

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\jaqucurm.exe
    Filesize: 512KB
    MD5: bb5eb5930f18ffa805ea65557762168b
    SHA1: 35f80ef532eb93442a34113224126d72faba6e0d
    SHA256: 98bb24737ae7d1f616916eb5693ebcd293f9ef341eaf5375c9c7594ddbe781cf
    SHA512: 64c99b209740459cf47d8453e80e0af5ae64239d7d2d08991128eb210db3c18ef88ac59eab33ba3a6a6126764aed4e174e8b449affc4dbfe7fc20fdb6515eb6c

  • \Windows\SysWOW64\lulupkvlcb.exe
    Filesize: 512KB
    MD5: a24374cea1739afb42868681030baefe
    SHA1: 671970291ddac0c758f7aaf289cac6563874fc73
    SHA256: 251e47d38d4f7658afc168ad6c7f0099e224fcb16f85607c37c13d247c0c3b87
    SHA512: b9308ef585eba58cdaad99e8ab1eaef3f347d9609875218829f74d409a1bd45c2d3d66d336c7652a6ca38f6497cdcd3fd9d944bbf20c57526e1aaa2e05c08009

  • \Windows\SysWOW64\rfrrckwwbxgzp.exe
    Filesize: 512KB
    MD5: 00f935469d6d217a1842e0ff5eaf4a50
    SHA1: 78b141d82801661bf189d79588b858f95903abf1
    SHA256: e589e02d0ef70aefbe1c8b09c4d580d1d44323c09ac35a207b25523b5aed561e
    SHA512: 8368119927e260a5bd358855d2b49d1e7e9f4ed9272f08ee35a4e90094f764e2eacb912c17a99b05f7e92f7a1d9e2a7515a084dba6e04ed14af6494a37a8a96a

  • memory/1924-79-0x0000000002AE0000-0x0000000002AF0000-memory.dmp
    Filesize: 64KB

  • memory/2544-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2784-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB