Overview

overview

10

Static

static

5

6ed598a9f1...18.exe

windows7-x64

10

6ed598a9f1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 14:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6ed598a9f1ddf1f7c13c941791dc1421

  • SHA1

    0d88b3f9bdca3e658bdbcb7f81c6b7734fa265ff

  • SHA256

    d0ae482ab119e30b2029dc3361e8b9388f1fe96d7944311309e8aa7c4264a926

  • SHA512

    677418ad1fd659ccebed44085a2ba1be90989373fb52d41deb0c0767009a46a977bb9aa9bae0ff1c16308452fcef34dd3cf9c4c301e19f5c13b7ee257277c51f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ed598a9f1ddf1f7c13c941791dc1421_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Windows\SysWOW64\ggkwuwglqf.exe
      ggkwuwglqf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\SysWOW64\lekteuia.exe
        C:\Windows\system32\lekteuia.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3280
    • C:\Windows\SysWOW64\hfbltevousvdvpe.exe
      hfbltevousvdvpe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4008
    • C:\Windows\SysWOW64\lekteuia.exe
      lekteuia.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4332
    • C:\Windows\SysWOW64\tcvggfbxjoefe.exe
      tcvggfbxjoefe.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4148
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a6c80548476a2895ae0b7445de23b0aa

    SHA1

    702824442a26822e769bb1bb93e8018dd847d409

    SHA256

    abf2ed598ebfae6c724179edc0b3c3aa1a91be7d93ef35488051ea3d60aae7c1

    SHA512

    1825b86345cfb9cc41c375b967c8c501053a86c05a0eebf26ec2ac175913128855a9a942830c29e387a214b29dba0d8c6873520c7468291deef853d7d6b00215

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    4b4184bb3860b1b1cf40923b6e9002df

    SHA1

    c808d9ff85ae24978ba7d849b27339cb3de59d6a

    SHA256

    a5940c642840a415e27240f4e15004428375e89fb6b9a735bc5848974c94e5cb

    SHA512

    43d263a0af7448020d11c74cd9f1dca0411dbd5db963b345974065c2a7dbd7bc6fda5f182c76b4d81d66cda14771dfd3b9ddebfa28f1be156d2dac1cc82af2d6

    Download Submit
  • C:\Windows\SysWOW64\ggkwuwglqf.exe
    Filesize

    512KB

    MD5

    8c7b157eb3b45097d75d92f27f1dd657

    SHA1

    8f943391987e1b59e46d29d375768d56db6625c3

    SHA256

    d88f92910baa9542307c1094dd25fbbdba642aa2b5543342849e1dbb72eb2487

    SHA512

    e1c26ac0a6babfad64b56bc3aa9417599211dc039f79fb6d5808ef7204cce08d5f1857c6edf97c21846e29a30dba98e313a56a92cc317de792f19c9dbc40d16a

    Download Submit
  • C:\Windows\SysWOW64\hfbltevousvdvpe.exe
    Filesize

    512KB

    MD5

    bcd9f3b73c0e1fd9fb6cb4dd08a45a09

    SHA1

    cc7d0ad1ab546c2ff6f925b1c96d0760595713f9

    SHA256

    732b0135039323bfdb9e0395cb2683badb5522130c7ca95d372102359c6925c3

    SHA512

    b95a9705eda31bdacb4ad834b5c05201ce579310ff116f6964a270c42c8358809296edb0d8c19ac434b382b50bf97b0603c773296ba7f8d0c433960434b682b8

    Download Submit
  • C:\Windows\SysWOW64\lekteuia.exe
    Filesize

    512KB

    MD5

    51752915806424b0edf171a8d5491bf4

    SHA1

    c1e476a9318c10770647ae7bd4c186fbf42394a3

    SHA256

    57b13791330c5dd9410458d5262350c3db5d82fdb66fbdb480f719bd7e50619a

    SHA512

    55ebddeda69d272cd245d2a2df2e826fc3139dd1168c2672fba579074cb21d803197522c0458a72319483c29afbc78016b70d1491c494f72bcba0c8fb897270e

    Download Submit
  • C:\Windows\SysWOW64\tcvggfbxjoefe.exe
    Filesize

    512KB

    MD5

    47b4fc9f80c89a2a3cbb5ea2d1688f3d

    SHA1

    f71682bb25a4967b6030e296d262ac11b5c00f8d

    SHA256

    1942bdfbe6645ea47ac2faf0ba63c953249bf45b99b03d777595f9772a62bc98

    SHA512

    e765ed4b2c0676e987a91c0a853ffefc6a821ef35dfa808baec099c33e6d047df7137825b503a3b6ec34baf62edf585effc75462f1a6591ea5e0d65c1106f115

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    9a49ee87ee128b5e9eff6e353be6b332

    SHA1

    53f961031d771a540f7a8dcc5db7e4ca4e63144f

    SHA256

    e90f8c774e31a46bf9bb8be3954e058e5e4c0f2a28eedc119d80d0362d83d9f5

    SHA512

    921182800b10b9891d451204e4ae78a28fcc1eaeed3385ec29d2e9077225b77b54df98681bec7c3f70636136a3c3e2e2770cdb795443864d47ab16a95bf4c6af

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    b3ba7b4f110d250bcfc2ba7a4cdeca3e

    SHA1

    98da73fc0820c7fc6984057a00c86d4b3a348ddc

    SHA256

    cb48f31c6c06bf4af3c55c58b23b417e2437e777c3c4d1a7c780aac5ad9a8494

    SHA512

    ee92babe5148c62fae419b31cf633c3774e4198e92b0c228bf9ebf619a914e5e0d6b961a2606ce4f208b22632eee800df9ceb8e2eabf2fe32cb7e3c7d1dedf65

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    0bd3539991ce763f4a6313e0b5dd12bb

    SHA1

    b1cbd56d933eaa0f11c480dff4dacb3aca5dee2f

    SHA256

    bd10ee3f9025185183f19ae8d8b03da94f45328c60b2fb862933cc4c7bddf9fc

    SHA512

    69f3564e9cb25be0fd5b7409b7265acb2f7451ff866c4ebbac531497e12c9997dee9523e7037f164020606f5050678017d98a90c7360e1064663b999b68095f2

    Download Submit
  • memory/3828-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4352-35-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-38-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-37-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-36-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-43-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-39-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-40-0x00007FFA45EB0000-0x00007FFA45EC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-600-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-602-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-603-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4352-601-0x00007FFA485B0000-0x00007FFA485C0000-memory.dmp
    Filesize

    64KB

    Download