Overview

overview

10

Static

static

5

6e680ddbbc...18.exe

windows7-x64

10

6e680ddbbc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e680ddbbcf07f65e472b75485ce2514_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6e680ddbbcf07f65e472b75485ce2514

  • SHA1

    b8d87c2bad765ee6644af76ce608e7451940681d

  • SHA256

    911ece796811f0d61fc4bb7215de3139ed351813e7777d5dd469a85778589a3b

  • SHA512

    a76a6e2c40f89dfd0e32ffc9367295f22e515c716889a7c8dd2faf3717fcf83d249d7d53d5ed5c19a323d799fdce17a4bde1a704419ae2fbf604b79d0ee777a4

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e680ddbbcf07f65e472b75485ce2514_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6e680ddbbcf07f65e472b75485ce2514_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\rtsuklntlg.exe
      rtsuklntlg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\rkrrqpra.exe
        C:\Windows\system32\rkrrqpra.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2404
    • C:\Windows\SysWOW64\ldghalwxamjgrpw.exe
      ldghalwxamjgrpw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c jzyirvncsswdy.exe
        3⤵
          PID:2548
      • C:\Windows\SysWOW64\rkrrqpra.exe
        rkrrqpra.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2640
      • C:\Windows\SysWOW64\jzyirvncsswdy.exe
        jzyirvncsswdy.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2420
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:540

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Defense Evasion

      Hide Artifacts

      2
      T1564

      Hidden Files and Directories

      2
      T1564.001

      Modify Registry

      7
      T1112

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        512KB

        MD5

        f1cdb57817a57a7757e26688d9ca0124

        SHA1

        2ecdd8282ebb862f575f88c171bc0f594f021f04

        SHA256

        5eebd3bdf84cc2137b999800cfd00cd93635c45a1c98a6219c5f578feba5d753

        SHA512

        154f13af13ea5d8de6f91a1bac1c64ff06948b8ef36d293a80cace7189712ab518475bc24949e1f8be24f849fc1a883791ed5dcffda8c093c194e50b51e8f5f8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        70c708d0eba8857ab229dde9b8ec8120

        SHA1

        e264cbc2e7fa8092451a062eda0a929d4526d7b5

        SHA256

        1adc4f6928a254e0805c3efb419336d397038175acc6baeecb5945d2010c2b1e

        SHA512

        39c2e9b81c301a6371b6690b47fd4fd2ff5bdaa4bc9b22362042a9b8b22e1055a9cac42d5084b8b97002793a8e603133711b6629362e082c1c1140d0901aeb09

        Download Submit
      • C:\Windows\SysWOW64\jzyirvncsswdy.exe
        Filesize

        512KB

        MD5

        34a8ea8d43d92f4c7717bf0af8ba4006

        SHA1

        d43ad8f533c8631998ce279e94bc8fc5c8d0f78d

        SHA256

        f09e065710f5454d1307f90035c72a9d271a7020df96d0e6e9ed4d9bffc1c168

        SHA512

        946c232f23db46ebe486912b0e591c5c5289ac5d8f760c866962732c59374136dffe1b020bb1bd9c63db7893da95a00aa3411a4e2d62bc8fa4fe0a10359c836b

        Download Submit
      • C:\Windows\SysWOW64\ldghalwxamjgrpw.exe
        Filesize

        512KB

        MD5

        c57f74e194bc9715ae9d2b944438ed16

        SHA1

        f6a896372c5213e985521d1c92b85f59c40a0292

        SHA256

        23a46245958fcf005b1c3b3eff8727b3b888e0cf0593fcb4a7a247c211765785

        SHA512

        b6852b3242e59d47a3fd75b8d354643eca1de114dcc147690dcea40b45b80695ce203abd476c99690d19fc62db33a5bbba25981edc6ab81019d2fe24de9dbc8c

        Download Submit
      • C:\Windows\SysWOW64\rkrrqpra.exe
        Filesize

        512KB

        MD5

        51180e1dbd94dca8f07a38f5ef46613c

        SHA1

        b3b444e278fd9d264692e96bd6a5a3aec83a6606

        SHA256

        3adb68fb53b9045b70f913e26f5ad23b42bacf0da8b6f2320f71e34c12a1334c

        SHA512

        6d8cad594c42067d6a5ad7fe9ecb1fb6eef597c92f7678645425f7bca6098d82a61a036e14d1df876855cd70c685e6f2dc4fddd1420f968214129dc5c3789422

        Download Submit
      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit
      • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        512KB

        MD5

        041701232b4c6073d5ab036a6bf2f94a

        SHA1

        6e4748d4aa5d915315399140cf735264489db9d3

        SHA256

        3c0a24ef3e57e220c33023defdd4fa3d8de5c99bf225d963540fea6fceb8bae0

        SHA512

        0633031793a1bc364a37e86c2b7fb544b1c2883fcec39b5356a7195c31b65111a3960aeb2127b644984c8154a8d36629ced91addeb0241cdeb87aa1d64671b3d

        Download Submit
      • \Windows\SysWOW64\rtsuklntlg.exe
        Filesize

        512KB

        MD5

        d01b9c809c53b20a1aff05c00e2fb153

        SHA1

        b7144c2dea8ef7c6fc9a70f2d493aa25a926e623

        SHA256

        0f666d99fa8dbcd416c3f4b2f0a17ef0ac257aab75c14170bfda8ef2070ea5b7

        SHA512

        3107e7a98bcf88b375ac1a66cb934f6e0da766b880d9502c3bfa7c3e92822363ab417f4d1c7c579fdaa8671735c23e15d780d4b9be8442ec69b349c36bbb13d2

        Download Submit
      • memory/2156-0-0x0000000000400000-0x0000000000496000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2936-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2936-100-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download