Overview

overview

10

Static

static

5

6f5fcfacc1...18.exe

windows7-x64

10

6f5fcfacc1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6f5fcfacc18ee9db4f7aaafa9cb96e53

  • SHA1

    a9ab2e589987bcc7dd8ec0240aed44c557b20e52

  • SHA256

    e424405384a64305ce9c6b0347c446e34e72f01fa5213665ae15dd4795b04bf7

  • SHA512

    c0144b6f22db495af0fc0e7c7e8c04cd71799bb717d4eb745c2427c76f37a38d89e1fa71eec9ebba7332ca0a2a904edb982e06562e8924eb35463e56bf0f8722

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6h:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f5fcfacc18ee9db4f7aaafa9cb96e53_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\ukwatedlwj.exe
      ukwatedlwj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\SysWOW64\zpttgwih.exe
        C:\Windows\system32\zpttgwih.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4296
    • C:\Windows\SysWOW64\tvoamafpdhodmhk.exe
      tvoamafpdhodmhk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3516
    • C:\Windows\SysWOW64\zpttgwih.exe
      zpttgwih.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4056
    • C:\Windows\SysWOW64\ixwsneyyputon.exe
      ixwsneyyputon.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4564
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    bd3a7060ed5265211a00d7255081d973

    SHA1

    b7c71448343d1aec881aa422c9613c38157bcc30

    SHA256

    09d6d78605f86cf0d8b6ebadb2ad29ac95556213e05c9a706593ee9f16e770d4

    SHA512

    fba1ff61303d0a77b9d03a10e8a1b67c2e8b26c327bede54fba5ac5a245e6267b6958fbb5b61ea1e29150f7fab2855cccc736fe40fdc8a76ccf6f69f24afd79c

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    5cb6c2ed720edd2eb99c6564a1f9327f

    SHA1

    02a4f63670e3c0250ced865b30eb01029ad3a974

    SHA256

    1c56868fbee783bcb5fc12b2a2499368a9348b6c0ae6bf3f7326bbcdc83b1b69

    SHA512

    45d3fd2c6f7cdaa4473c89a1c09107cbaa922b137905043af74526cbc3e3f955eddd4c4dfd60628577d76fc9727deab5a3564e02919d4ec1c8e896f66169706d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TCD784D.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    1619c4e8eb723bfee441873bca8b63f8

    SHA1

    c51c2ea893f0e1a5494096da37e149a733e4b76a

    SHA256

    c01b356de4947e4afaac205255789763c48c86e3a310c25f4771503ce374a168

    SHA512

    34453f4d8e68ad9a3072f1b5358dc09e65ca0c1d392a4503f1eeb4e78211acc1dd4b823d9906291dafc8bd032f0a79bbf42c8ee69124217ca5343f24eb3887f2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    9765fe0a63545a6ea036d310be530b55

    SHA1

    a704c3218a45721e122ca1fabc09869c7fa5945d

    SHA256

    5edc56bc77673125518b7209ff3e14a8c0bc89f271f0189e25c21914359ea805

    SHA512

    e63cd73c5c440ca7cc15a1ce1ce721ccc475c6379b193d5b6f357d57c7d44b2d19023b57b137f524ac6392d4153bd46c8873c6ad877dfa741a8eca52e32a87d9

    Download Submit
  • C:\Windows\SysWOW64\ixwsneyyputon.exe
    Filesize

    512KB

    MD5

    4caa251f9c85b671ee43ccc3076119b9

    SHA1

    21ef9e6c5159e4271009f1d59ce5952e5068828f

    SHA256

    6245dbe690d800206381d3fae8956930fb12a91fddb421fe070a5c664dc7565e

    SHA512

    0a63e8996583de76812c6b82252ff34aaf8425f0b313d42baa8df6571204d6817e3151748c4010193cf4363ef302835f3475c7b2a44974bc410208b4b86b1000

    Download Submit
  • C:\Windows\SysWOW64\tvoamafpdhodmhk.exe
    Filesize

    512KB

    MD5

    76383dbd8c54712c05236b9944f7fe21

    SHA1

    36f07a4e4a14e4b639ebd02f696b19dffb34ddc9

    SHA256

    759f74193acf793cde4df63b6ca83b192f67a63afa230b8c99a0eb1fc36af4fa

    SHA512

    adfacba292ea48044aced7878f3ae7c74ba83ba34aac8421df5a4ce3b373a658c84f7820d8e5d6bcad3bac2ab4d71d01b661049faab0e5a483b736425b9774fc

    Download Submit
  • C:\Windows\SysWOW64\ukwatedlwj.exe
    Filesize

    512KB

    MD5

    ec2a462ea238e24143b5d79f2457bd60

    SHA1

    61974a4bc7ad81d35103e9670bb48d8b702801a5

    SHA256

    ca9f7d1cce38645c773f5445f621dcef1c8a06df4c9917c21122f2a9bb95b373

    SHA512

    6fe9f6b0e5d571297195b6fde3d9be77a1d32477dc6038789ec82e2c5c738c252a1acdfb7ed8872316a8923298a4980f8a7fc6a78bdf973fabc45d8ef850fafd

    Download Submit
  • C:\Windows\SysWOW64\zpttgwih.exe
    Filesize

    512KB

    MD5

    bd81c555a89878a47c601330a2d16b61

    SHA1

    93644f8b50eaa597fdc519475b7ff0b5323f0a6d

    SHA256

    23c4831f3bc7fba051dece86b97902b12d38aa699a791a053b0d05a223217d83

    SHA512

    061da086c9a272a9790469414fd1276a9145b46d7231899a23d51dbc3a4d8ef4d9c996bf0baa583ee2d800bf11d17757801d757b9a9409d4db08c9eae10f063c

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    e168a8c78ff514ec7bdfed1a5d514b6a

    SHA1

    9bbe542f91e82e57e05ae4c88cf7873cc3028ccc

    SHA256

    015f929fa567f2aed0d25a9c3df9b8c7dcf3fff9e74bd35b516702a62235b35e

    SHA512

    8795d8b82d50149165a33e175b52f31bd0402cba56b3b5ab5013c035897c13122630cc77f48a517feec9bce09be3214e27106ee060d2b91ff2420b96108d954b

    Download Submit
  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    e790cb5785b931d88b40acf615d4224e

    SHA1

    5e210ee2864bf31a4cecd3d94fbcbd77440df5d3

    SHA256

    ccf9af881e94af28c86d6e260684d678fba370694f76eac4330f6cd2aad98896

    SHA512

    04c7381700e23dc134d8dc3550aa5876a4031ecdffee03924caf7332bd63fc842aa272d001f5fed2629e7a6fa5abf310fe8709019fa4d1b5cae697baf6745cbb

    Download Submit
  • memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2952-41-0x00007FF820100000-0x00007FF820110000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-40-0x00007FF820100000-0x00007FF820110000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-38-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-39-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-36-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-37-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-35-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-595-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-596-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-598-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2952-597-0x00007FF822770000-0x00007FF822780000-memory.dmp
    Filesize

    64KB

    Download