Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-05-2024 13:22

General

  • Target

    6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6ea7489aa08bee41cef6386d5a73435e

  • SHA1

    0644d2bbad493521b8122cb7c7942f00d3de7828

  • SHA256

    521a832c8004a78a7577237e9b82a558793e0f5ce759a2456b3345430213c0d8

  • SHA512

    4fa5049bc4a1eff9d221af11fb7e7a1ecef53c058548df930e9c890ebd66efaa931a0025f7d64a4396ebb77a2627bf37c9753e148a066e055a5dd8ca70f32142

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ea7489aa08bee41cef6386d5a73435e_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\SysWOW64\hfhqhumoig.exe
      hfhqhumoig.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\ttaardcn.exe
        C:\Windows\system32\ttaardcn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4184
    • C:\Windows\SysWOW64\khfiqdyeukvaukt.exe
      khfiqdyeukvaukt.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1368
    • C:\Windows\SysWOW64\ttaardcn.exe
      ttaardcn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5092
    • C:\Windows\SysWOW64\pwvyogfgwhviy.exe
      pwvyogfgwhviy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4192
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4516

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Hide Artifacts (T1564): 2
  • Hidden Files and Directories (T1564.001): 2
  • Modify Registry (T1112): 6
  • Impair Defenses (T1562): 2
  • Disable or Modify Tools (T1562.001): 2

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 5
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1

Downloads

  • C:\Program Files\InitializeRead.doc.exe
    Filesize

    512KB

    MD5

    e75d68511764c9b07f9ac92d2549058a

    SHA1

    60241a66dc82808e5a8fb8ceff41dd93273fc4c4

    SHA256

    77da9c85914cd3a0cd54b3f782c649500e6d906651eb1dd7afb8b01b93263c24

    SHA512

    2f607dbeb60e0f079fdb28b9daa81a28d39ea5d81c93f5bdbe91f6fadf7f12ac19428514def32bb98e5c8e84feb553cdc2af98b96f02cffcac9227c4239a95db

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    2b581185fb2d58b24a5018cd4a586772

    SHA1

    ff8cd4ef5adc55eb88f2a9c00655cdf94740947d

    SHA256

    6f4a3c7b5c1a56f29b33c00fd1c601a9bb041768961a65401310d89ae08a0d69

    SHA512

    f90021ff2613e211d62bf5533c7043c5a957b292d7532797337675e3dd5e64c19b1066788985622ce7f95da48ef4d56e672ccba2a967391d88257ec7cbb816d8

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    14caf79cdbe8bc95a3ef5cff5876f7ea

    SHA1

    27fba3e2a335c1b0cf975921785dd84b6417bc28

    SHA256

    174f78c1a83f1e3767ce215528362e7b12d9b7737219e840343a79d4141d569a

    SHA512

    bf65ee430da40b5ee700f4fc4157a6f3c131f90a0d8f33f47695d5c7cdc98a66ee0c3175637925f95e1252d66d5d65b7a147a53fa37ceeb4731fe19c00d11805

  • C:\Users\Admin\AppData\Local\Temp\TCDC531.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    a2f476fb970ff4f078a53f0164f2b959

    SHA1

    531f3f100f11ff07c32df8d88038f4d5da7a58c3

    SHA256

    f35b49bd36bf81dbce2df6540b03155ca43ef30609b3ae1d947a62eaf289d2c9

    SHA512

    f3187e9e0465b004e3eb6320dfd1b75b37b79ff0240d989bd15cacc547a97d0a38a3b73deba81a824e71a2ae3306aab32cb692bde594dca3c2328eda16defe79

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    af51ac86b8365a4729611b6a17784558

    SHA1

    5ef9b162ef9245db87f262fee2c61e2d6c5fc68c

    SHA256

    e16e4507b297f1fe192b4324c67bc8c3d7bcef038c773a67a5a2fd848293a795

    SHA512

    b82d0803571d2863901ea1a4be1ce4415275db3c21b5e3b017b3f8e260081be1f92aa035203bac63cd251ac9340889dab83fad0d4299c4faedc3dc473e18af78

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    7e5e436654b1b4c745eac326c22a484f

    SHA1

    eb7f3ba655883d475affea53bc074eb6c45637df

    SHA256

    02cbf8dfeeeefea228792d3624b84f500399890abd2e3ac0b9cfa8b159651929

    SHA512

    b3ec57e51f4407dae235f66e100742a506de838df4d0c1cc3b0117d5def076578dedef059f12790d4480b4e7a7806191f61bec401ee87d8aab38dc97e9e180b0

  • C:\Users\Admin\Documents\ShowFind.doc.exe
    Filesize

    512KB

    MD5

    bc9ee746c90809d55e7262db4bf7fb8e

    SHA1

    3bbebb66188bbfbf663a4d8b86a01f0f468f9a53

    SHA256

    3cde44bcdef84df6c63f0221d64d64c1989b6c36a4ff7b90673f2d7d02d2511d

    SHA512

    02e95b0a80749a5ac084b96ec3d1657ba8046cd9ae68aa6af05a7337fc4464cd605b3443f00beb9f3aa11e52024da1815610ffa984b5468c56ca155d079a3f14

  • C:\Windows\SysWOW64\hfhqhumoig.exe
    Filesize

    512KB

    MD5

    99fb0c515cfa58624dbd37ad9a4423a9

    SHA1

    621f492cf9838ecefe12abbf0dcf408e87e33c28

    SHA256

    b9088d8929caf37d66f315b10fad65d7030e7c441671d0f5f6fdb6f68955a2c0

    SHA512

    6c8aea09a152f7430ceb1b9713dc4ced31ba8387a9a6ddb62b4f84fb69a90d29dcc6288d627d155f3e2629c825e58ea80aa8dcb89f067cb15301b99d9ee49043

  • C:\Windows\SysWOW64\khfiqdyeukvaukt.exe
    Filesize

    512KB

    MD5

    a30445174110e4fa45e79b802db1db83

    SHA1

    f9e9474b0ad9a5a2344b0eba118272cd980903d6

    SHA256

    d4257563b092982b5fc221839b83ae3dd4be0ef8ba4cb2fea066ce45ce5f7a0c

    SHA512

    1e8856ee38f4ed5ba51299b6c30fc9c480744d690f877ad7eeee47db24ddf594aeff47da4afe9e9e6db64bd6972da124f6ab68b1bbd7b2cb86fe96fd401ebcc5

  • C:\Windows\SysWOW64\pwvyogfgwhviy.exe
    Filesize

    512KB

    MD5

    29f7148f4a8fe5d898f78d92724a32a9

    SHA1

    7c44a7eeb8095399160b79a9f02954b3abf00956

    SHA256

    781a58a90d4f9f0e24e7753dedce71478a0bd35b01bfdae8c02aee6fda9ec1e5

    SHA512

    809c232019236a115e3066c11d0788b5184ece03985e46ebbc264583ab685c01888ca0b049acbe7aa000f0761a9e2df1dc0073cababf91d69927fffc4d0ec4b2

  • C:\Windows\SysWOW64\ttaardcn.exe
    Filesize

    512KB

    MD5

    fb0e157d88b878eab1c9063d0de1b0d0

    SHA1

    402603a7db74350e67f1bedff636b3586c223738

    SHA256

    0b8c1bcff9c949ab3b0750c8e0ff1581867966b3362f06ca0bbbe77fbabfe6a7

    SHA512

    7e67fe68fcd9bf5efa3cb96d2900e1cbc72e05d10f7da5672453f49eb57fcdc0545545d6a67b3bdd9fb1949b7e7dc483a791803ffea4165d49b4bbb8b1229560

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    660ccb065ca8826a22da494b85e8738e

    SHA1

    f4d086f7c8fa3f57dc33dde843c70ea8695ef6dd

    SHA256

    bc6e6f2eb19f8162ad855e977ed961c3be266c7adf5f40a3a39e569d4ee9e489

    SHA512

    1a6eaa9c4f4d8cc00c59dae70343f65efb65bfb38f8c3b951eaa426c0209f0d566e1edc9f9b9f84962b032aae6d2d98bae1b6fb2465b325c764f83b65e8073db

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    e375d8da4ba792bf2d81bbd931fc3241

    SHA1

    ae6143d5bda36d033db9521e3933b824bf562df0

    SHA256

    6540e018c7f5c8fcdd078b468843697667062445a324980fabd7f29f8778a3a3

    SHA512

    f7c1f08088082216732ef86ac5ab6e520efa7a4ffe32942064c635483a925ee847311446802d8dcc05cd515db8cea4a1649a2ef7be7d5118ed2d0e8e78542cf2

  • memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4516-39-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-38-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-36-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-37-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-41-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp
    Filesize

    64KB

  • memory/4516-35-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-43-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp
    Filesize

    64KB

  • memory/4516-606-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-608-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-609-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB

  • memory/4516-607-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp
    Filesize

    64KB