Overview

overview

10

Static

static

5

6f91d10495...18.exe

windows7-x64

10

6f91d10495...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6f91d104958a5ca488ef235eec0c5cb4

  • SHA1

    da2b08f41effa470dc52346de414c245ecd7a464

  • SHA256

    b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee

  • SHA512

    d267842ff5fd158fe1700cfa7be1c6b086e9cb12a86f836e068adddc1574793a5a08f1b8d299c188ca597a036bd191612df3f32c0a9f360a99eb3f183be6527d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6f91d104958a5ca488ef235eec0c5cb4_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\kbtsvkuycz.exe
      kbtsvkuycz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\llpehlwm.exe
        C:\Windows\system32\llpehlwm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3476
    • C:\Windows\SysWOW64\yawyydhogbztgse.exe
      yawyydhogbztgse.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3628
    • C:\Windows\SysWOW64\llpehlwm.exe
      llpehlwm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:216
    • C:\Windows\SysWOW64\xfkqvalnokcbj.exe
      xfkqvalnokcbj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:464
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1796
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      b74c65235a5ad496a5d24e255dd0aa63

      SHA1

      b3d3c577b773a6aac7f399aec5e2d8eb14600876

      SHA256

      96de1ff8612e3dbca68b863241cbcf96a0f718bc2e8f4b5406f0f7de5dd0a490

      SHA512

      a09f9a2db9dd18dc606c63c2aafdf44c2ed8df88b07374f5ac885facdad5e1404992c417957e70a64c376f97008be9e109f23cb0a75e4c0f7ef70c76906eed6f

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      887ee727ac138e4743c3fe8bd95c2bc0

      SHA1

      9d5c1ed37c11c4f27d383572fd80c17f0eae9c13

      SHA256

      bc238389d983758efc7589c2ef13c94fe4fd15f5edc08d72dcbdd0eb26efbef5

      SHA512

      3740ad39993919f0003667fbbe56277d7038bd76f36a05a127298181367452223fa41e88243a021cf88d0f4d1200f828284a7b9083a1229ad9eb2826449a5766

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      df3dba635252e4218d12604b3925d81b

      SHA1

      c6789288ab5ede2cc344354a5ac6b832a3dcd977

      SHA256

      c5d325dda34aafdda9dcb289609fdc11fd75761c2d354e01eeaaccb57303d9ef

      SHA512

      5d03531f03dbc5e9fee5186095b9a30542a80724c94291db01eee386699cc0b5bbaeff56ab436ffbc5baecd4aaed3ea6501f798ea241006b1f3e9188a44e4c68

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      3KB

      MD5

      8ee444ae95c3b8c4d4f6dd43e9874810

      SHA1

      88c91f7eb3d427fa24cb57be19ea4878cd1bdc85

      SHA256

      a847c68fd32b9887eec8a9f0b4e32299059c3d6363e50e811379fc88ecdb6312

      SHA512

      0fa8e9b52396cac7a76e705f4f01cc4cd2d18681cf7f0217c93de54d6f70574aee804cdffcec1e90795e57fc8d7cfa60d062a832bbe540d606c720d64c4a5596

      Download Submit

    • C:\Windows\SysWOW64\kbtsvkuycz.exe
      Filesize

      512KB

      MD5

      62561148aa140f8a9f6d44c6c7d8e66c

      SHA1

      f466e9e359c2f11dd0f1c7d64a025a2ae89e6252

      SHA256

      39a0dd5592070671034440b2a86d0a64328f4858e6e82a3ce9681293453db63d

      SHA512

      ac227755690271b9edf5a5a4bafe37cdcc490ff59823b5af5ed7736af0f07e121e287558706f87a339378d5802018ab439bdba140496fa4eaddfafe4f2e1a86b

      Download Submit

    • C:\Windows\SysWOW64\llpehlwm.exe
      Filesize

      512KB

      MD5

      61533a1efcdbb7339413c91053202708

      SHA1

      877efc8b624afcfd5550800359997c4f3e7d9969

      SHA256

      f94464fbc611fbc24f2d5de0836e34ee1f19bdc3887d928f485c96f75fa3ca56

      SHA512

      65eb46086a411a507b18cdbab2df2bce287176aa8b6db5fb190e5e50b8ee712dc546a22c66928d622fd9ee985f680ba40f12aef044c180fc1b20543a475495a8

      Download Submit

    • C:\Windows\SysWOW64\xfkqvalnokcbj.exe
      Filesize

      512KB

      MD5

      21c431cb7d981e0eb23116a39cfa84f8

      SHA1

      b1392ce814a17a2c229c2bc255e8a04cca7f655d

      SHA256

      b198e95352112e735c2f68190a4e4f9020c5c37e5881fcf77a5f81709f709aa8

      SHA512

      1389940db529fad6d4604f9e4b4661f92762feb6b2e3935da858e66e76dff920171147f5600dd11a8f8b8ab19741cfcc73437e693ff87e591ed4d5440fa346d3

      Download Submit

    • C:\Windows\SysWOW64\yawyydhogbztgse.exe
      Filesize

      512KB

      MD5

      a57949e43c37a19fa03b7c914d23c653

      SHA1

      ed8d6a69ed3030ebb4fbd7084eb44e613a742033

      SHA256

      dbf353bcbd7ae9768a7e83f317d098190ad56ae9f1a8b0ff9adfb22f9b5e9572

      SHA512

      7e15e5eef4f2df81972b8d30f024969474e317e1495429f916b5200a889e7ebdd54ca1ea5d5737f638bb226a11eb948b456ce758f17e7270b22f54ff5b007fb7

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      512KB

      MD5

      2788ccc3823995f95a318b64fab33f6f

      SHA1

      2ee4fd3a135ce5ca6e78f3b7a81960fb99f8ad92

      SHA256

      faa17f29300936a73fdfb58209264f85d25dba9ceb79ca5cef9bd894ec8da421

      SHA512

      fe497efcb38d7357ddd670dbeda91b236d52d8730a36b8d57ac10a0288001114ce23bae759d3b41e62e85e54f023bfc9b39ff6d8cd698eb1c30844443625f9f0

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      512KB

      MD5

      8992bb7e17bb5b6c2057b7af7319762c

      SHA1

      4eebaa3a01a4d7102594a50daefa81e081352f1b

      SHA256

      d7cd960b84806c492d1b8efefdb704134beec1e8dc97d39be00a7c83e7804223

      SHA512

      fef8edfb6ded56c9f6ef4d50d20a3c4573042458c8de6bbe346593b793f310455e696d0faa5d6a382ee0036661c5cc14203e1b5c789c9a1d97ade189c8f3a9bd

      Download Submit

    • memory/1796-39-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-43-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-42-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-41-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-40-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-38-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-104-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-105-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-107-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-106-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1796-37-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2332-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download