Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 18:33

General

  • Target

    6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6f73e343387eeedc27f087584c17d4af

  • SHA1

    46d842363f7000691c5764fcc538f843d373262e

  • SHA256

    4bd934558dd6db79cbfa70506f1ed70184dddc9ff7d7fe6a176ec7d466285307

  • SHA512

    bc5f4d2c2c7980202eecdc0eab3e7ac39191bacc117968c9461395f308298193dca224ec40a41bc7b9452231ece65d69c9fa9cb62ec30d10a822cf9fc5988542

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs

    With extensions hidden, the double-extension executables listed under Downloads (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, SendShow.doc.exe) display as plain documents in Explorer.

  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\jabcyybezz.exe
      jabcyybezz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\jdbzsmgg.exe
        C:\Windows\system32\jdbzsmgg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2208
    • C:\Windows\SysWOW64\zghslicptnznvag.exe
      zghslicptnznvag.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2796
    • C:\Windows\SysWOW64\jdbzsmgg.exe
      jdbzsmgg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Windows\SysWOW64\byszhrxlqvwmz.exe
      byszhrxlqvwmz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1252
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      066d64b79348c509a651935154cade5b

      SHA1

      6ff0086a2df50e648e7dda4030eba678eb2e9045

      SHA256

      7525072b43ab3ca545551cb517bfa1db0df72f03d9a1236778fe31a391de1c7c

      SHA512

      76908ec171e93dbe4fb3a277f7fc3974e8263eedf8d5d0652005c9d1057f3698f5ffea166eb766eb1c43d8a4f2ce485161790ff44ed81708a17b17f6289bdc2c

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      dc167958ed5281f6c06f4138a4eb9fbe

      SHA1

      3c5a3d7021225539292054404b1a9a770010be73

      SHA256

      5d388530df0beaf69a464b72818f232918d4a10697101666e788e851d4007e5e

      SHA512

      678d2eaa4193ed54ff22a676c0f1176edf745e46d6a0321609ccbe73dd69a209d47da30afb020d97b52898844b721f525542649eb807425441cf6d0667f33cc0

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      3bfbf2cb2fbbf0b01a1a58b2dc8e2cc1

      SHA1

      0610e03a472353036b4a5999c6e186ef3225cabd

      SHA256

      b9664dd15be4faba48bf2f544773bd64fa5d6f8685690de7bc26724ecd2589b0

      SHA512

      30b32b90ffd9a4c6436c90158a049cc41bd8f346bcfb322082c23407e30a8b0ce9ea9cbb91c565f2479c793b6a744974163afc6c9d740a0612ca8e57768da7e3

    • C:\Users\Admin\Downloads\SendShow.doc.exe
      Filesize

      512KB

      MD5

      84bac35f0b62ac7c50c7563c4a5154b8

      SHA1

      1d7acee9bf344f8b1d5fdf1fce9dd4890d79d55f

      SHA256

      4c127629dc3edf15d23db316fcd898a9479fe3cace33e0c5ac96e6e582236444

      SHA512

      5c5c186bb7a15f518872066a05c287e2195147f7ed4ebb510e380a36ca835848026ca1ad9c8f05f4d070577641e86e5066387b3900da0bcc42c3af69c7c572e9

    • C:\Windows\SysWOW64\byszhrxlqvwmz.exe
      Filesize

      512KB

      MD5

      69c2c51f8cfeac1b55ebf6e896a72ea7

      SHA1

      899ff8ce08a4a3389f19ab70fe1ee28bb87e3b8f

      SHA256

      bcde0f70eee835f68a94079c14d80c15cbd004d72c05aa0a975fb56412576abc

      SHA512

      0df5c24c8f44e9c27789e43f30499c591cfca106ce8b9cb7e60175af5b97a2f168d7d1c782c56a1dedad35b248a9b983d9ffb4ab27605e9b8d7bd4734ec59144

    • C:\Windows\SysWOW64\jdbzsmgg.exe
      Filesize

      512KB

      MD5

      a82425ddf5aebe757d17f5be9bc8c673

      SHA1

      489e8eddf72f974bc09be2a1e05ccda6f8471144

      SHA256

      2057e222190ce4f1a9ef7963dfa9ebab8c2e019b9a15e63097e5b6f52c729baa

      SHA512

      c8af8bd19c7744aafd3c674a5e22b693e806b5cb54cfe0facc45015b8d913792476894e58c7f70869cae143880ae19e69692b3e5fc6be0073351b81282f4c9b4

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\jabcyybezz.exe
      Filesize

      512KB

      MD5

      37d774fc9d6627616e462c8064b70117

      SHA1

      5ef3a9c34fa19c12d35aa1b6c5877bc463585bbf

      SHA256

      3838c90fc06f6cbaaa52ea6e77f6720393cb5d6a53fd536960d65c9d2d218709

      SHA512

      8ae825181c38f6a9096b99519958127e01617c6800e4e31cf06ad28dcbe6dbd9b7ed59202b82e7fe6209f2653751d43ab9b5f83f293bceccdb35c6f3ff155db0

    • \Windows\SysWOW64\zghslicptnznvag.exe
      Filesize

      512KB

      MD5

      c31e673c2988cedc91c588ef5b7f239b

      SHA1

      9dbec2188949441e1e5db55c18bee70fd5aa263b

      SHA256

      e56678303c5aca3742f2a74bb93e2c3eebf3fa71d3527deaa2d554a4a9390ac8

      SHA512

      1a4b7975c8df8740b6550b8856792cb1ee919e479ba02ec0fb14232429eed39fcb62ab8e31cc2c90a661e74163aa28a3eb80e66c67bb2e2e5d59740f8bea96da

    • memory/1924-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2540-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2540-110-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB
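The Processes and Downloads sections above are plain text, but their conventions are regular: each process path is followed by an `N⤵` depth marker and a `PID:` line, and each dropped path is followed by label/value pairs (Filesize, MD5, SHA1, SHA256, SHA512). The following Python is an added example by the editor, not part of the sandbox report or its tooling. It rebuilds the parent/child PID links from the depth markers, extracts and length-checks the hashes, flags the double-extension lures (`.DOC.exe`) that the hidden-extensions signature disguises, and matches a set of observed hashes against the list. The sample strings are trimmed copies of lines from this report; the lure and drop-location heuristics, the `Proc`/`Artifact` names and the `DOC_EXTS` list are the editor's assumptions.

```python
"""Parse the plain-text sandbox report above into hunt-ready IOCs. Added example by the
editor, not sandbox output; samples are trimmed from this report, heuristics are the editor's."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed from the Processes section (paths and PIDs are the report's).
SAMPLE_PROCESSES = r"""
  • C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
    1⤵
    • Loads dropped DLL
    PID:1924
    • C:\Windows\SysWOW64\jabcyybezz.exe
      2⤵
      PID:2736
      • C:\Windows\SysWOW64\jdbzsmgg.exe
        3⤵
        PID:2208
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      PID:2540
"""
# Constructed sample: trimmed from the Downloads section (hashes are the report's).
SAMPLE_DOWNLOADS = r"""
    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize
      512KB
      MD5
      066d64b79348c509a651935154cade5b
      SHA256
      7525072b43ab3ca545551cb517bfa1db0df72f03d9a1236778fe31a391de1c7c
    • \Windows\SysWOW64\jabcyybezz.exe
      Filesize
      512KB
      SHA256
      3838c90fc06f6cbaaa52ea6e77f6720393cb5d6a53fd536960d65c9d2d218709
"""
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Editor's assumption: an .exe whose stem ends in a document extension is a lure
# that reads as a document once the sample hides extensions in Explorer.
DOC_EXTS = (".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt")

@dataclass
class Proc:
    pid: int
    parent_pid: int | None
    image: str

@dataclass
class Artifact:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex

def parse_process_tree(text: str) -> list[Proc]:
    """Rebuild parent/child links from the 'N⤵' depth markers and PID: lines."""
    procs, stack, cur = [], [], {}  # stack[i] = PID of the ancestor at depth i+1
    for s in map(str.strip, text.splitlines()):
        if s.startswith("•") and ":\\" in s:  # a path, not a signature bullet
            cur = {"image": s[1:].strip()}
        elif m := re.fullmatch(r"(\d+)⤵", s):
            cur["depth"] = int(m.group(1))
        elif (m := re.fullmatch(r"PID:(\d+)", s)) and cur:
            del stack[cur.get("depth", 1) - 1:]  # unwind to this node's parent
            procs.append(Proc(int(m.group(1)), stack[-1] if stack else None, cur["image"]))
            stack.append(procs[-1].pid)
            cur = {}
    return procs

def parse_downloads(text: str) -> list[Artifact]:
    """Each '•' path is followed by label/value pairs; hash values are length-checked."""
    arts, key = [], None
    for s in map(str.strip, text.splitlines()):
        if s.startswith("•"):
            arts.append(Artifact(s[1:].strip()))
        elif s.lower() in ("filesize", *HASH_LEN):
            key = s.lower()
        elif s and key:
            if key == "filesize":
                arts[-1].size = s
            elif re.fullmatch("[0-9a-fA-F]{%d}" % HASH_LEN[key], s):
                arts[-1].hashes[key] = s.lower()
            else:
                raise ValueError(f"{arts[-1].path}: {key} is not {HASH_LEN[key]} hex chars")
            key = None
    return arts

def is_masquerade(path: str) -> bool:
    stem, _, ext = path.rsplit("\\", 1)[-1].lower().rpartition(".")
    return ext == "exe" and stem.endswith(DOC_EXTS)

def dropped_in_system_dir(path: str) -> bool:
    return "\\windows\\" in path.lower() or "\\program files" in path.lower()

def match_hashes(arts: list[Artifact], observed: set[str]) -> list[Artifact]:
    """Hunt: artifacts whose hash (any algorithm) appears in the observed set."""
    seen = {h.lower() for h in observed}
    return [a for a in arts if seen & set(a.hashes.values())]
```

To use it on the full report, paste the whole Processes block into `SAMPLE_PROCESSES` and the whole Downloads block into `SAMPLE_DOWNLOADS` (blank lines and all four hash labels are accepted), then feed the `sha256` values from `parse_downloads` to `match_hashes` against hashes collected from hosts. Signature bullets inside the process tree are skipped because they contain no `:\` drive path, and a hash value of the wrong length raises rather than silently producing a bad indicator.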