Overview

overview

10

Static

static

5

6efbd040de...18.exe

windows7-x64

10

6efbd040de...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6efbd040de315fa09810caf92722ba6c

  • SHA1

    007eab42ac0aee941486b8bf78b57c3385e1174b

  • SHA256

    40e8d566afd8269708d7dcd017cacb6150ad77bdcc98c9d41f112c5adeed1bb8

  • SHA512

    b462a4e51941aa7826046c9927c2276a88360d1e58c2bb51e4dd0cda4b79567201272a2f4c21b531ff519dbd9c996caf863e5b6c1bc984cfa789982f808640ec

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6efbd040de315fa09810caf92722ba6c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Windows\SysWOW64\ftreqhpfep.exe
      ftreqhpfep.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\qlizuhzz.exe
        C:\Windows\system32\qlizuhzz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5072
    • C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
      oqdxadvjiapbnqr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:832
    • C:\Windows\SysWOW64\qlizuhzz.exe
      qlizuhzz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3512
    • C:\Windows\SysWOW64\dexrapzpbvoij.exe
      dexrapzpbvoij.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1224
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    1dd24e622b5fba1ceecd31f7c8457e47

    SHA1

    f5f170f5d6655545d87aff33891391440f994f6d

    SHA256

    8656300a1c4b83f9d7cd43c664ddec3ff773947420f5448d78ec214807ab8f98

    SHA512

    bb57381d37912fe58b94299e04637e89e7aae152f3bf4c7d45480fa98132e823b6b56e4f63bfa8bef4fef4479d547f14c15d90201ffb5c6ce245dc40ea053dd6

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    a26ee202afe6a85d90cb936028f6a984

    SHA1

    c69b1a121a7f9d614849f2ae549c5201afb3ff16

    SHA256

    8d73a7404e511a90004cc81fbef509ca8f365c32a15fbea45831b022fef729b3

    SHA512

    912df29a6f773821e49bf384811e28ed2ebf2a522a32951435705094541882c0822150cf03a95cfa5365b40368eaac5cf688a9f49a91d9b583d261724d952fbb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCDBB28.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    c0458d84c21e6a33d9dd19954db113e2

    SHA1

    ed281badb74c7dc0d4cc42e7bdfb1442c2b7fca2

    SHA256

    9f644dd6e8fd46e1607d736deaae1ef28b2b043d7c1fcf97fda64f4044b047cb

    SHA512

    de0ad401e167d9220d2fd8d08f5f14ca22e68b0e6260ab7b5fdf17e8db8aa442ed9f5326f84f65e4ae93650c182f6e09639d83e8a3798fdb2389ac0422a82f34

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UE5BDNCEHVXYOTRV5FOL.temp
    Filesize

    3KB

    MD5

    212636dab92a043d014d461e888e0331

    SHA1

    a6255212081a85fc036ccd784930d905bae7bfea

    SHA256

    775e58bbb0edcea56c24382d6f75fafea8465f37ffa15ac6a8a8f306a10d0436

    SHA512

    1a7c5ff83bd13c8782c1b06658bdf80442c4fabdb4c28a852409283c1f680c76550094d7c5d62fd69788ae7cb36ccd2a0bf8f89ec560855672ab718994b0f7e7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    1f15f0806056a89fe6ac1f4b5886252d

    SHA1

    a49ee55e1b38a8ea8a7c0331bd78b502848a98fa

    SHA256

    239d2ceab6ef4f5601fd64bf0fe4d611d0d166297c0c9171ff82926c16bd32c7

    SHA512

    b9744db77245f80ce8bd30dd52d6cd0ad5eaa2a25af763d3728b1dc69609c97b4f9c434718998fcf51ecd6742c8327f1f4319cb32d8054aed6ee215bdcc418ef

    Download Submit
  • C:\Windows\SysWOW64\dexrapzpbvoij.exe
    Filesize

    512KB

    MD5

    6ebdb4e4d023a2b1d204bb2274401ca4

    SHA1

    e43648bb90092a83b43ad686edf9c545e43f46b4

    SHA256

    b4a70fcca68a2dc6abdec40ace1a8df9aed9af9adcb2bf84c4cbf125ff15dd43

    SHA512

    7c8452e663dd084a695ca87bfd5203dda2c8b76947dd9be902f988f2929f385e098ad961f0b9361de8d822b5250bf8bd121e7b40db4ed73f8c63373e83a8c683

    Download Submit
  • C:\Windows\SysWOW64\ftreqhpfep.exe
    Filesize

    512KB

    MD5

    a4b68c7559deb73def035201486c9fe5

    SHA1

    f3a251c44c2f4e57f812d015f0ac95a5440f6391

    SHA256

    292003ded43114dc3d4b39461303648ae29ad228f06fb487230a70b3d25868bc

    SHA512

    e4238691512565e2ac06faf4e794a62e548e0009c5a2468fb92810a45a0469e10b4b7b1833c976f6114033696af3f553403c701473fa86d83816acd3e2a09888

    Download Submit
  • C:\Windows\SysWOW64\oqdxadvjiapbnqr.exe
    Filesize

    512KB

    MD5

    7f77951fbf7f39331dc831dc5527f0e0

    SHA1

    c623570f27207388c30e829e88581d33359f55f0

    SHA256

    2ab2dc9ad4e74758d176c111f2ec7db5847db53c2f7b880a5db8f1ba0bad28db

    SHA512

    9da64043d3ce99bc43dc0897287c8c952c4c22071aace40f3aed2c671c198784d37857aac9dd78d9902f89c052c24fa95ee7910c09d017c0a9941e1529373af4

    Download Submit
  • C:\Windows\SysWOW64\qlizuhzz.exe
    Filesize

    512KB

    MD5

    68afa2f21e8c2869be88e283009d9eb8

    SHA1

    2944a1b813ccf486f12ddade197d715df9766002

    SHA256

    fb251f242b4f55b809833cc1c95eb2f80437c8d4abc83ff76ad5745b60e26e93

    SHA512

    98bb1212a68cae4b3e83cf0f2241568481c4a0703bdc8820536236a477d96a6143144a6e702d07b058764200d626def3f7a3294accae2c91912e1978378f42f8

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    bc733a2c81ab0a023af06decb52b7c3f

    SHA1

    3f28dca199c22d9116a60e0981405f59bf43eda4

    SHA256

    0fbacd1ecddc394316795476d0f1ac9a7b2d9445fc6fd75d9a8ef8be42dd2267

    SHA512

    d349b35897ec1507f570fab8a6d5bc2c486134daa98afdf6aeb3a15d8ef1a28d0e010242c32ac367f6539742ca2aaf19e7ae7fd85684d8933e4e9894d92cd2fa

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    4b826314382251034274f1be484dcb6b

    SHA1

    f4f5f3139a1912c7e4d60eb54a5fcecb20ab4d07

    SHA256

    b422f219bf4bf71e11ebee951d28e2ceb0930a991b6a5b61331240bd18abc379

    SHA512

    d705e707d8c8bfdd3cfbc89e80e372c23ad9a456915e112150317f7868dfe93c5a9c642f5cbdd944af4d0441239e669c210daf87b2856479c78dcd647194c22f

    Download Submit
  • memory/3756-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3784-41-0x00007FFA4CE60000-0x00007FFA4CE70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-40-0x00007FFA4CE60000-0x00007FFA4CE70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-39-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-38-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-36-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-37-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-35-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-594-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-595-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-596-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3784-593-0x00007FFA4F670000-0x00007FFA4F680000-memory.dmp
    Filesize

    64KB

    Download