Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 15:12

General

  • Target

    6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6ef08a64caec6f6e5b75c06f27c51799

  • SHA1

    8cbbe6f6f9e07ebc1b4dbd2bad90076ff3c954a9

  • SHA256

    62e9ee7a83ab0bf5110ea657a9474417d69bfa53849bceb72dde0254e215e324

  • SHA512

    8273c351e0095b802f6021a0191209b21471c22150b3a2dc99e0db2518244afdb9dfeaf711cefdf99d72b82955233bef1c012c7c5e7d5b6534ca7c276de0cbcc

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef08a64caec6f6e5b75c06f27c51799_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\iefswqlkre.exe
      iefswqlkre.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\ohthroeq.exe
        C:\Windows\system32\ohthroeq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2616
    • C:\Windows\SysWOW64\kpdrsirivlcinkd.exe
      kpdrsirivlcinkd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c nzwcbjohgvckc.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\nzwcbjohgvckc.exe
          nzwcbjohgvckc.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2480
    • C:\Windows\SysWOW64\ohthroeq.exe
      ohthroeq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\SysWOW64\nzwcbjohgvckc.exe
      nzwcbjohgvckc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2156
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1748
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1940

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution: 3
    • T1547.001 Registry Run Keys / Startup Folder: 2
    • T1547.004 Winlogon Helper DLL: 1

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution: 3
    • T1547.001 Registry Run Keys / Startup Folder: 2
    • T1547.004 Winlogon Helper DLL: 1

Defense Evasion

  • T1564 Hide Artifacts: 2
    • T1564.001 Hidden Files and Directories: 2
  • T1112 Modify Registry: 8
  • T1562 Impair Defenses: 2
    • T1562.001 Disable or Modify Tools: 2

Credential Access

  • T1552 Unsecured Credentials: 1
    • T1552.001 Credentials In Files: 1

Discovery

  • T1012 Query Registry: 2
  • T1120 Peripheral Device Discovery: 1
  • T1082 System Information Discovery: 2

Collection

  • T1005 Data from Local System: 1

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    4a714c96c74467226e5d95ed61deee1b

    SHA1

    54e68ee31bec2eaf8bc0eea43a83f867a2e2b1d3

    SHA256

    16217bfd0a588e7fd0ec44f8aef763815881256ae38dea1a1a370e2f9531455e

    SHA512

    a643113a555f59d4316528dc3f2206e2cca794460c1cb46a040f04d7b0fb9a5c36748fd97b822824dd5b4550325e1692353b812098e401384e9fb072fc0994d9

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    9a72b8559117693526cd85e76dc54fa3

    SHA1

    a571695480514ac5d17a260ad45965d9ad85687c

    SHA256

    3aeebd9b92acb042f943fd0799b03c44fb4b11adc167209ae8d843f8317e0c28

    SHA512

    c6b441b1039710a9725fd73b4697d33c461055dd1c7ba9bc648d22ee038006576580717dff9b4a1d34bb348ee1834f860864cb267bd6f2f59e9297eee72f8d37

  • C:\Users\Admin\Documents\TraceRequest.doc.exe
    Filesize

    512KB

    MD5

    654ede579a556a4dbc6b90c75c22bc35

    SHA1

    b51aa4910d6b04ec8b828785ba3acabd04cc32ac

    SHA256

    8225dbe57b52da9b5e283d0235d351371c7aea002c3eeadf50a3dd17d22fad91

    SHA512

    e0cd7487af0043d067937ccc5d802b7af214ea821a9678f3f13594fd23157f90e69e4fdf9ca17c8cbcb074d8c10601131ad83dac88cf740fb278666b9331f815

  • C:\Windows\SysWOW64\kpdrsirivlcinkd.exe
    Filesize

    512KB

    MD5

    2448aff13f70da0e9a742c81ae7a857a

    SHA1

    5b41014f54b2bff6dae8bdff6a9c1d4e7b9522b7

    SHA256

    9ebcb1e1e0ec475bc84ecf743b5341d9e4370c59b1ba37344fbdfac676338314

    SHA512

    2cc47fcb732650468e9b07cb6811c3227bfa319ba024881d56d7895fd76e99ae61d48d736bae287d1e22647cc1b352ac33402e1415c4ff6ad99f85e244afb913

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\iefswqlkre.exe
    Filesize

    512KB

    MD5

    5b074f735ee2a4b392f8826f9f788f6e

    SHA1

    65ff0fc46f34b7a5d7fcafe8396ac8e2817a2ecb

    SHA256

    23a8ad54204ab5453d3b9bcf1ba4acd14ae49da9dc02511b62150e4342078309

    SHA512

    de12fbaa80ddb6cc930e0e2d25fbedb6baac15f6f593c2574990d74f3be73df2611502406d61e73a33e3b691e1be52da718f4fb7f2a64e0ed35b1e23b02c84a8

  • \Windows\SysWOW64\nzwcbjohgvckc.exe
    Filesize

    512KB

    MD5

    aa90a1e38ee8b9df8190207e4a749b65

    SHA1

    552e83a135f8eefbe719892ead020a41f68fd726

    SHA256

    0f930b7e05f27569914986bf3c43a2df93581bd44398d6d5bdd7d4330e8cac7e

    SHA512

    0b57efb4e8550db58e0c3752c749e95c232daa03ea2b89ed043307faedeaf6ccccad646f38c327c7a5aa36c7fc1cb92d738a5203f55806b17ed91e56721ad9e6

  • \Windows\SysWOW64\ohthroeq.exe
    Filesize

    512KB

    MD5

    dba74b0b32071756f3cdd8931f038b81

    SHA1

    80275c354dfb4c4a6c3f509fe228b5ad16656acd

    SHA256

    391e5266171ac66cf671b8c330e5bcf2ebe3f03cdc9f8952a5108221cfee7677

    SHA512

    dbd3391ffa61c03647ee0cb93900cb6cd8389915de28433fdc8ce624e315587c36707aea28168853280e1c0068e72418bf64bf04be91f0ad9da6baa6d1e0dfba

  • memory/1748-48-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1940-90-0x0000000002980000-0x0000000002990000-memory.dmp
    Filesize

    64KB

  • memory/2228-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB