Overview

overview

10

Static

static

5

6f73e34338...18.exe

windows7-x64

10

6f73e34338...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6f73e343387eeedc27f087584c17d4af

  • SHA1

    46d842363f7000691c5764fcc538f843d373262e

  • SHA256

    4bd934558dd6db79cbfa70506f1ed70184dddc9ff7d7fe6a176ec7d466285307

  • SHA512

    bc5f4d2c2c7980202eecdc0eab3e7ac39191bacc117968c9461395f308298193dca224ec40a41bc7b9452231ece65d69c9fa9cb62ec30d10a822cf9fc5988542

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f73e343387eeedc27f087584c17d4af_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Windows\SysWOW64\qqjfutpakl.exe
      qqjfutpakl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\SysWOW64\hdfyidys.exe
        C:\Windows\system32\hdfyidys.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3256
    • C:\Windows\SysWOW64\ypsoujuwvhnoter.exe
      ypsoujuwvhnoter.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1804
    • C:\Windows\SysWOW64\hdfyidys.exe
      hdfyidys.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4624
    • C:\Windows\SysWOW64\vveaodvvaxcyi.exe
      vveaodvvaxcyi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:688
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    67572fe13ffba5a75b03ebec784392be

    SHA1

    3d9f09670ad5246647ef2939533ab0e0da1804eb

    SHA256

    8640f92ff3e03b96414693af7d127f9fb38470544e6b6f4f2a40f46a2f787efe

    SHA512

    99109154d83941fb770f8b20fafe23e10148d6fe63d12cd92ca0b75408903f07f56e34dcb09c2851af5162ddbc92eab751bde7c262c5c851c85be8aca9cbc5ec

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    6bc3a7ed0a0d8a98d655427159b31fdc

    SHA1

    222146db9d8958684aef081e94a82acc20549844

    SHA256

    b9eb8a55ff99ba9178adbb0f3c28f17bcbe0f20d40b8fc9ebfb8a20d25f64c23

    SHA512

    f7250630622df693cf2ba857ece8235e81a36cfc3c04b53aebed047c63cf6b1b26d3f649f18ec8223eb97111abd9b1d2056c05c4cff3d51dfa22de6ae04b9699

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCDACD1.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d7cc71bfa8a5eee9a3c4515fd5d05588

    SHA1

    479e92d473b9a973c5b5e9853425601b3fb002e5

    SHA256

    ca3bed5cf0718cc40ec6e24c82e276472a3d27293291bbbe4c2626893c04fe21

    SHA512

    f901bc2721b9937b7eda1dacd634f0479e192319b67b47c7704d693d6ed8d35b7132748babc300ae8410565e7456108cb2ad1dc5602d57e12f3ac5414c6e80cb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    e3ec651920798bdecf51af8821aaeaac

    SHA1

    498a50d4916e7a385e3523a4bbb9d8e2e60a4639

    SHA256

    e1ce68e41dd8d9a32e0b0dede914f4081536d44eda73bf9ef520a00c175c5c21

    SHA512

    49f6fe7a9878bb249d0970a3e5572c5288df9babc458939367e7e5fb2f611652ad21d7bceef72031832d3588446d1da88a9795ace8119524aa69783b8f30057f

    Download Submit
  • C:\Users\Admin\Documents\ReceiveDisable.doc.exe
    Filesize

    512KB

    MD5

    c7ec070aa27131f0d7c125ef486abeaa

    SHA1

    be5ae5f13c28f42a269a55330848426b9a98efb5

    SHA256

    eeadc1e42b010d8e75254c4aa6cfd4bf57b438284d66aa547e0f7d7c9ef561fc

    SHA512

    6db355f4348acaa202544cb13f39f7b8ac7608113d249b0446c9307748ad3f19d8aab46e6796a94268a114f5feb7b2b0417fb15a9f84f48ee6d8a69971188a79

    Download Submit
  • C:\Users\Admin\Documents\SkipGroup.doc.exe
    Filesize

    512KB

    MD5

    5cb47686ec97545bbf43ad0a205c16d5

    SHA1

    1538b042dfb2590bc6e6877b054221f8299ff85e

    SHA256

    3985facafcc00ff7f49cb245ed38972c732f92a9d53e004f5376c00f1dc1bb60

    SHA512

    388b04867a1342b45b5c3d4607fc50654838da0f92fbfaf32bf8a02041c17e710bd809c5fc8a09490c1335a4911910a2cd2237b0d3092ece28052faa1a3700e7

    Download Submit
  • C:\Windows\SysWOW64\hdfyidys.exe
    Filesize

    512KB

    MD5

    133c9c3df9a5d2e9ad715bf2534715e3

    SHA1

    9f579d338286c50ba33c968586cdf08dc29b6883

    SHA256

    9d18544b63c02325532bdd0f9be3a513f9bec22f8372ef14e1e95becad601e32

    SHA512

    d8ebcb34718cbcfacf9ca1c5ec381d93f5402254ee1f45061025017bef0a864e6d9cec64ce8b63973943a78b01841a32bc4b8685a237a305aba4892e189e4392

    Download Submit
  • C:\Windows\SysWOW64\qqjfutpakl.exe
    Filesize

    512KB

    MD5

    b9dc276330d7ca9a567c4cfacf1d8281

    SHA1

    955dc57b38e0fe082a34af043e0fd7a7842139ce

    SHA256

    e21b6a6ac2d0416d80f6157962148b8e95f6c325f4bd09d76da4a5be47838d48

    SHA512

    f5c0998d843296fbe7ec6e0b66b1c4b12bbcf1811ad83a1bd02f1ebc9b7fb912aa1fdf8b37c94132589871c349ecc6fb5fe69e45e3fd83ea86b8be6537c7108b

    Download Submit
  • C:\Windows\SysWOW64\vveaodvvaxcyi.exe
    Filesize

    512KB

    MD5

    b11885f10f7b091785141c8db79a97be

    SHA1

    cf2bef329b8be3b6d2c27dbb00ecbaaca511d68e

    SHA256

    4c025ecc6ae54b2860cb3c82a44e2b83d0668586d1be5ab54c386574c20a7ba1

    SHA512

    acb4e871d3d87de25bfa44186dc67ef02e3065a7fb574ec65294d5c5e361eb60385b3cb1ae0ffab1d5195b584e195d66c13090ddc901073cf04c663ea820b502

    Download Submit
  • C:\Windows\SysWOW64\ypsoujuwvhnoter.exe
    Filesize

    512KB

    MD5

    a8a65b59e1142a07f090f9772fcc8847

    SHA1

    a57150eb310d31dad2336e756ad4771eb15dd34f

    SHA256

    00215d733bb6f619def3d2293bf6fe05090d7388ef6f1625f9142009e5503073

    SHA512

    9cbbed127cf9888a13fe2d2ffb039cc23ded22257c3f13ed0d74f39041df1c956996cf722010d451a78bd21f6cde1d1fa1f4aef97640ac9efcd83ff2bd093b02

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Users\Admin\Downloads\EnterExport.doc.exe
    Filesize

    512KB

    MD5

    10b546f605fdb4d4b18f01e974abff0d

    SHA1

    8f79c84b1c0286e3510ea161dd43ead749ec7f5e

    SHA256

    b7e6aa448ce23b4411a4a3212c9eb2ca5605c5361e5d7426df62b6fd7e302857

    SHA512

    e7c3104b137646cfb2d0af1e8770457ca543a1de38d420b9e8f38fdb22eef56117718fa669d90e172b7e20cded3f2c1761e8191a2a57ed114e528192d3acb42a

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    e9dd257dedeed7459b5c2b158a52b05a

    SHA1

    6fbb296916fe22a1b275edbf638f9dbf390a5c06

    SHA256

    3e7ff985542e89c36ee2ec7e5065decfddecc35dfd44a3ca0da5e10592752d26

    SHA512

    9ba3067900a49ca9f346f45d58392346d8b851d340ff8959f252a16c13bef0a441ae245ec1083601ddea0039f224081dce324bd05d08231f39d26c433f0ba2ad

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    3f652960fa28c367464cf17f8d7eb2e9

    SHA1

    94c1e8442af38bc53737d62e450d024a95426c46

    SHA256

    1468571e6d1b1d521040f6dafe8635a7c79325b074912cd5f066d39130e5aac3

    SHA512

    bbef824910904f16dd5bac7a7046a408431245725d32dbf58f56229e5938e5073392b30a07c24e42a51622181fa746e0bc3ded1456b8be40e1c2212547a7ef5f

    Download Submit
  • memory/3448-610-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-41-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-40-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-38-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-39-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-42-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-37-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-43-0x00007FF7CF6E0000-0x00007FF7CF6F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-611-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-609-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3448-612-0x00007FF7D1B90000-0x00007FF7D1BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3668-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download