Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 05:16

General

  • Target: 6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
  • Size: 512KB
  • MD5: 6d716201c7e6ef7e37b8c2ad787b545e
  • SHA1: eac84117fe480aafd5ea040868ec51dbeb4cb457
  • SHA256: 3eea2b9e75ec223dc8037a6809e487f77a15fd97a8c0213bfa6545a5a47c26bb
  • SHA512: 12c4de2fdf357e7ff184bb2c29907b16e680fb7471f88579c446797551e555c78a743260eedf58ef1a1ff93c0371e79f1c5570ab4b196387a6839bc8bf16ff11
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\aeqoildjqe.exe
      aeqoildjqe.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\SysWOW64\etfkluzf.exe
        C:\Windows\system32\etfkluzf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2660
    • C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe
      ydimoegvwtlpcoo.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c keglcxcirwqhs.exe
        3⤵
        PID:2500
    • C:\Windows\SysWOW64\etfkluzf.exe
      etfkluzf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2720
    • C:\Windows\SysWOW64\keglcxcirwqhs.exe
      keglcxcirwqhs.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2780
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2404

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize: 512KB
    MD5: a3fa4b21f91fbcf3b9c744cd40a3c26e
    SHA1: 5697de1fa152f339b7e0bfbf12705461d5b617f1
    SHA256: f7d15cbf9ad8af24236c9fb24d213f13ef07ca87c1839911352cd3232e727e62
    SHA512: 2079d0bb1e33b3d99defcf52e781622c1e51b2bed61c249933d2e6130ee9dcddcb40e0720abcd8b1eaf6e19f1ac617517f8cfe7b9213f439fbbaa4d9aa14360f

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: fe2adb1ecd7aa5eee7a05e6b8c772d7c
    SHA1: 4b7f61b292b2acc53489b488e470bdede2ee4d98
    SHA256: ddd28b1c407466d356fea2afdc40d12a370752e1468ed2120e3656233af34b79
    SHA512: b716157fb630fa5301121c89bde56801aee4c597564fe9b0d94fa8354cd7e24e0dc37d3f8e358d877c98e0ffee4a9abfc5a310e93cb7eed4d9827336a0eaa33c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 8b70af9fcb098772e3706626b1fe9093
    SHA1: cdd6d712c4b7cc25faa4b54d1be45681f0faa188
    SHA256: 0a7d5afc19b0109d156d135a425a45317016e2a2c8ee1864cc79c8bfb5e4d274
    SHA512: 0d1750e37de0e445cf31105687d69d131a493b212f812328f7ca41d1ed3acf99beb83627e6ca2e3125ac8793f5d24c449efbfcf9b8404339e572861b69a5da2c

  • C:\Users\Admin\AppData\Roaming\ResolveUnregister.doc.exe
    Filesize: 512KB
    MD5: 9f18e09fa6c00d63bbf441710bfcb3f9
    SHA1: c2e0bd2af2083dc580c78cf64564f8383d32b7c6
    SHA256: 9fb0cc172069a0132c0804c7225db013b3bc70067229b55bdd82a401cdf82d81
    SHA512: bec6b894093580a420e8923eeb5d01dd4d37405e0e5cf139330e89f5565fae99509555aa6cdd2d113a175d739551f7a138fac4e3bb92eeab04fceac5f66872f7

  • C:\Windows\SysWOW64\etfkluzf.exe
    Filesize: 512KB
    MD5: 0a868a34e4f813ff2864302bbcbe311c
    SHA1: a0b092d4a1642df716a6b14e64aa384cb572dab5
    SHA256: 0b0719b4172967c2ba683d111aa6b8741295cac8d6d9b0f26e0fd17898566f73
    SHA512: 7089157ad380926e0b1cef76b13265f637cb73f45bf251c36a3ec52496defada89548f27492f37fe696dc9167ce094cfe971a352e3c67e23a40a106154f5b93c

  • C:\Windows\SysWOW64\keglcxcirwqhs.exe
    Filesize: 512KB
    MD5: 86867986c31be383a5859dc2f6663ba2
    SHA1: b87615cb06c7835d79082a5bb87947e464e1f6a5
    SHA256: 79b4fa97f4d40a13d7b1f97d3a2017d015d63afb806c40ce93003c0a107fe19a
    SHA512: 56eac4f2892bf6ff1aff84efc725241b8543758e65c887769f5352c2df8e98b5143c9c495842f6ac0838ed396c4fc20b5b6e8b7da3e0349f0bc68012761af606

  • C:\Windows\SysWOW64\ydimoegvwtlpcoo.exe
    Filesize: 512KB
    MD5: c1bb3f5c6e03ab59efa314e96330c591
    SHA1: d3f10eec602a0798d49b9e92663ab54d467efb0c
    SHA256: 94ec7f3cb8ec3050088748075b481fb63b6018f2d3cdc14075fa898958721c3d
    SHA512: 7fa100a332fd54e213637488d0f1356abae8383c99bd3e116ff1dd3f66f858746854befe4f3a4c0cb9fa105292487f6b6def4da608f19d71515307b4f70db683

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\aeqoildjqe.exe
    Filesize: 512KB
    MD5: 97260e421b628482336d4cbbefbb4251
    SHA1: d346795ba2186a0d27b85c9b9899f8e6e80ad5da
    SHA256: 7abcc00c20ceff556fefe64779782892f53228d7949405f38508b42c9e36dca9
    SHA512: 5723b24ae35569fb84f2d3f0b271fd2f347e726c16def106338dfc7b147253061f66e63625b0bbeb55e3eba21a4b3c57f18d06a8b50a706b111cbc9edf98f6ca

  • memory/2396-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2396-101-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2576-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB