Overview

overview

10

Static

static

5

6efbd040de...18.exe

windows7-x64

10

6efbd040de...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6efbd040de315fa09810caf92722ba6c

  • SHA1

    007eab42ac0aee941486b8bf78b57c3385e1174b

  • SHA256

    40e8d566afd8269708d7dcd017cacb6150ad77bdcc98c9d41f112c5adeed1bb8

  • SHA512

    b462a4e51941aa7826046c9927c2276a88360d1e58c2bb51e4dd0cda4b79567201272a2f4c21b531ff519dbd9c996caf863e5b6c1bc984cfa789982f808640ec

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\ftreqhpfep.exe
      ftreqhpfep.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\qlizuhzz.exe
        C:\Windows\system32\qlizuhzz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2548
    • C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
      oqdxadvjiapbnqr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3044
    • C:\Windows\SysWOW64\qlizuhzz.exe
      qlizuhzz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Windows\SysWOW64\dexrapzpbvoij.exe
      dexrapzpbvoij.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2776
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:584

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      7829759a6b33e8e5f340bc1c33e9185b

      SHA1

      e2ca4bd79147afb93728a22bf9942106fb32d5df

      SHA256

      d9126b4bd28a83105833eda9ecd8b0074dcabce290cdccfdb3227b1b7f62eed5

      SHA512

      310692661637a07f63ebe5c435d90a357974efbbeac76a49dc4f3255444ee4a783d1c95bab60bc57321f7a4369485dc9abfaf80a4a4dd15b60d94a38f170ff7a

      Download Submit
    • C:\Users\Admin\Documents\CompleteFind.doc.exe
      Filesize

      512KB

      MD5

      4523f03bb852f13b0b1a4e05b8534b8c

      SHA1

      cb7cabb6c14fc5c7ab5fa2257f14aced106f0d6d

      SHA256

      90e8afae202265c73f094be06e19f5c0fe2aeab35e212782d4c7dfdb74ab3a73

      SHA512

      5bc170592f68373a2ae7d642df892d39e8279a64c49394836cdf349ae2b68bccd4e1140c21ec4287f7336d41bc509e3ac28d7a17dd404ac900250dbdbf929baf

      Download Submit
    • C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
      Filesize

      512KB

      MD5

      01d37b213c4d933a70d1da8bb0d4ff23

      SHA1

      8ef3366a7ee35844830af7529c0ed3c6488f98dd

      SHA256

      254499db5f7ec0b70562088b9bc9631e2b9552151faffa51ddd447dbec15172e

      SHA512

      22810fa0b2e879b92a40f51cef0dc936d5ad3afb4725fd2af2ebe901d3df9d1c7c79ae2c2cba0e5d46c043e87b85e2ab5ad94ce612b55ef89d3faccece968ef0

      Download Submit
    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit
    • \Windows\SysWOW64\dexrapzpbvoij.exe
      Filesize

      512KB

      MD5

      d290dc3bc45356ec34ccca46546c42dc

      SHA1

      1b79c71078ee4104d0bd33f2d5aa13e5b52abdf9

      SHA256

      dfd3487df1a80619dd930fcdc4b8053956d690714b223794f71b006803c644ba

      SHA512

      b07179325887d51420aa28dbf466f79029eba81d633a100e3fdc4079ae9c0b90421c55f6757afd882f25707237d81dcc95a2fa8a662f21bff995fb137b0d5e0d

      Download Submit
    • \Windows\SysWOW64\ftreqhpfep.exe
      Filesize

      512KB

      MD5

      95a50fb50319ba0cb4040a8d447d2970

      SHA1

      f622015dcdfe78d678070d005da54cfa90f8c867

      SHA256

      d3905f673c5a1f5a04b89533d9951159fb69e2e3188cf3722ab23f7d8ad0dc00

      SHA512

      03b0015927b8b736dc98d88b037fb096e1760655c9c9e0fb2377f68a118d88cbbd8ff5c31312d718cf6f7671991efcdae35e1c11b1d3451fd388d7d7ba514d65

      Download Submit
    • \Windows\SysWOW64\qlizuhzz.exe
      Filesize

      512KB

      MD5

      69ef16e4c7af522a03d6cdbcbb3e07a9

      SHA1

      1c0d1f6b60cbe371cc3c95f3ea23ecb53b462793

      SHA256

      73d2dc81f8f8f148707890dd6ab443a705e4ead66d50bf82b49ea931dfde20d5

      SHA512

      bdcf2a6f024a9c569e48992608977c400b371a85e243dae15f0cbb73feeb67dc632fef4b65d2b552dc09e540ffd05a65fa1cc701caf35855cb7c7615e37b3d2f

      Download Submit
    • memory/2756-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2756-107-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2988-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

      Download