Overview

overview

10

Static

static

5

6d716201c7...18.exe

windows7-x64

10

6d716201c7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6d716201c7e6ef7e37b8c2ad787b545e

  • SHA1

    eac84117fe480aafd5ea040868ec51dbeb4cb457

  • SHA256

    3eea2b9e75ec223dc8037a6809e487f77a15fd97a8c0213bfa6545a5a47c26bb

  • SHA512

    12c4de2fdf357e7ff184bb2c29907b16e680fb7471f88579c446797551e555c78a743260eedf58ef1a1ff93c0371e79f1c5570ab4b196387a6839bc8bf16ff11

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6d716201c7e6ef7e37b8c2ad787b545e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\lfbwuqvkbs.exe
      lfbwuqvkbs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\bbxfpbte.exe
        C:\Windows\system32\bbxfpbte.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4008
    • C:\Windows\SysWOW64\ulvoqlrtrzqlvjz.exe
      ulvoqlrtrzqlvjz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3980
    • C:\Windows\SysWOW64\bbxfpbte.exe
      bbxfpbte.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2996
    • C:\Windows\SysWOW64\uhsosyrthyykx.exe
      uhsosyrthyykx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2540
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    e7958e518e803add3b8d2f9b01a0482a

    SHA1

    f85fb1231abe2a7ec50c758a932afb407de81362

    SHA256

    f5e3e2c4dabbfa5afbc0084fa0e6c5258a5e6267fe72c2ee3fcee2f3f9706fd6

    SHA512

    a5447cdf300ab3ee06a7b540a60fdb09b48d7095e97655a2d960511f45e0f732ad138460369550553c6c89f4f782054865ee0823e5fa8a748ecf410ff8f08f7b

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    468b3ba87692a403cd3ebd62fd6d096f

    SHA1

    6651db417f8302e788f34fae1c5d9941c45e4170

    SHA256

    82f3a2063020780882905045c94e5bc5d3093f8e553218f12992856844eef2db

    SHA512

    2d2be5c2727541d07d40e6bd501dc3039d3161c196b20ca48ad34f265eac3175655476cf5072fd3a4212c411fbc40cc37bc6f60bf72414645743f7c2a6358ad8

    Download Submit

  • C:\Program Files\MountUnpublish.doc.exe
    Filesize

    512KB

    MD5

    42a18c551f403e9aea25ef07565057b0

    SHA1

    57974dc8417a533c854353bc428c79443ac26e17

    SHA256

    1664f0835d2c5bacce361c6c886f9c4b53421226b7057d13c2ae1645107f56fc

    SHA512

    f42609a2a9cc6a0445c76ca447218cb010efa0397863fac6947d81fc6ebce611ead6c79a337f968c42eed2ae8c53481528cd3320137150e1e111ca50a927e579

    Download Submit

  • C:\Program Files\TestDebug.doc.exe
    Filesize

    512KB

    MD5

    556bde865075255476c955463a6d7163

    SHA1

    925a7e03c6522a2884469f89ff60ba200fa1bfad

    SHA256

    0a262506369d58163d75f8a10eccabdae0cd01f193ca54cd5d28269905cba8b2

    SHA512

    d7f958f9a82a3d7ef80c396f79dc353ccf946e4f35b878b03d4c6f0687f526fb86a021772a25f59771603900869680de65608f2605dbac24158bf252765150af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD8AE8.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    955cfba83c355f3f6ad29e889ef145f4

    SHA1

    e0af6190ffa9db812ff91cd876ebe4e124cd0d7e

    SHA256

    e7c59d033ba6a5ea308e7d7251d7a73b4446637dfe25e212a74b02f0f97879f0

    SHA512

    52e3b919ff075b11fab36855bf9bcb5f3756c4602267ad61c8d46de20c8cf458b54bf638afe1c1b4b7503d6cc18ab32acd200d455144a2bef45fddd4b7d5a5fa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    cd78a8a19a8e82396c9ad49e4aba1ee0

    SHA1

    97333d17b735a0a38c2e488a1eed1415444e6f59

    SHA256

    7b082ab187ac201a7fe94ea68773a899b34f46e51f07d4a8528440ac23f21abc

    SHA512

    e6633c7f64c279c4bf4b3eecfd653a195b23775502ad02e4c0ce2853b033655c7ff957440bd86c73ec1008daf22e8f814622b62b301bcaffa3a34a046d85eaac

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    dfbb6fa9b6d139e251dfefa35db87dbd

    SHA1

    06e731071e9c852fa0075f5a528744fbdc779388

    SHA256

    2b2ce1cc25696dbf21ad8764b3d3eb93f9b21a21a4ca62ad58c44ab73b042f2f

    SHA512

    a1122bed86c01d8a21b27c80f0f8ec7895cae76ae1310874d05514b87b693946349ca465e12fbd95ca46c2c626946f0ccfabddcbd75be5709e204a50f543c839

    Download Submit

  • C:\Windows\SysWOW64\bbxfpbte.exe
    Filesize

    512KB

    MD5

    dd8a7f5fc93e16a919e2c24e2f2afce9

    SHA1

    610616fe33669816c05557cf0f5193f0dfb32495

    SHA256

    75a1d4d24ec8c9e0e0d428545d910b0b93b5c5222a8941f4012bc659fdf4bff8

    SHA512

    bb03a2a7133f667c81c905886a51ddf89a86a2d8c0daeb37541552d404725113b1b9d48e153a162a6e96c4b3102aabf7890f25ae17ec86a0b35b14471b320981

    Download Submit

  • C:\Windows\SysWOW64\lfbwuqvkbs.exe
    Filesize

    512KB

    MD5

    db087a746b271775842253fcf4c224ac

    SHA1

    b3737019ab0db16a432222a6e5949570e7a1a0bd

    SHA256

    7a6073ff3603b9deee9dd3be629d7af1dcd121214a0e2b58181cbe87b88938a6

    SHA512

    fa6d62edc0ac3f776a8781c8b3a99475fcabfea84fb81656c245c021153df7e959653edddf0de827e3018b2dbae45cc377568cd93dc68deabafd7384c52d6341

    Download Submit

  • C:\Windows\SysWOW64\uhsosyrthyykx.exe
    Filesize

    512KB

    MD5

    7ad645a32567f2f2d30f4563c6ce324a

    SHA1

    99da0d0b0b5944c523ba33c1c372facc34b9cffc

    SHA256

    94909d6939fa73f701f8342630a028e4e5d1ed0afcd3a4ddbb3c32ca46dbf7c8

    SHA512

    bd1d00fe0a52b99bea2844572a9da753e636f94edbd58d8a3311d4ad620c5c3384e8ce172afb8884ae610137d51ab92d0183fe90ca5af592ff54dd2b760d6b35

    Download Submit

  • C:\Windows\SysWOW64\ulvoqlrtrzqlvjz.exe
    Filesize

    512KB

    MD5

    42d80c6f3570fe1f3265fa29cd335995

    SHA1

    6c4e1d5c97bb91585f2252887e46b1faec466495

    SHA256

    5825855a976833c3229bf379cbfa2b90d136e9c144923d7e7646b3bab39108e2

    SHA512

    920d61739c6860d1ec0469976412141e01b9dee1507b860a606fe4cbc58ad4d9ecca20e35976426112207ee94fe6d930c47b04157f7fabd9aab16912c44320b2

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    7823d7a6a7a6b14f8b8cfa482d34f54d

    SHA1

    b1129d9e074d4471579ba6053cbf8290613f1116

    SHA256

    ece99f5f2efaeba2ba84d203adec062adc2126f4e5c4501d5f50f8219f11cb0b

    SHA512

    2717b1407cb5e5a5d96b3d7452f09c24f0a67925cb7855bb6595953463752d81fb18a5ac874992171e3f97723ed46d98576b45e0213b2cd6585b237b1fcaa0e0

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    84c8777f6fa33d6e60a9f1853b5f58de

    SHA1

    a76dcb45af72d1bdffbc20cb06107a0df5d07866

    SHA256

    e52b95953314c7ba4c9a2d0c30441459f1788f82dc85d4e63d9f3170d8ebc238

    SHA512

    f067b54704c873a350ca9953a31135600c813de476f16e8feca588c59dca6445b01cfc2a2598847567c778d996ddea13415de6255d2b92d730b5aa8b6d65f689

    Download Submit

  • memory/1160-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2720-37-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-38-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-36-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-39-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-40-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-41-0x00007FF95C9A0000-0x00007FF95C9B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-35-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-606-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-608-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-607-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2720-605-0x00007FF95EF90000-0x00007FF95EFA0000-memory.dmp

    Filesize

    64KB

    Download