Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 20:15

General

  • Target

    6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6fb724b42557af172c355c56e95dbdbf

  • SHA1

    4acef96b3fc9d3acaa76c707898c9c65c539ab9a

  • SHA256

    5ddd7e482af881f861cc4e67d8f3fb5855af28d074656d5d293869a6b90bb540

  • SHA512

    71b8540f5cfb6081e37daf7e7759cf51835eb7c2b04c64dcdcfe0f4508a845d5a484e1038aad1e429ea7129065b0932c5cb9b3935473a678d3af139a4ae2b081

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fb724b42557af172c355c56e95dbdbf_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\zxwmgdaiwm.exe
      zxwmgdaiwm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4784
      • C:\Windows\SysWOW64\qmtgzium.exe
        C:\Windows\system32\qmtgzium.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4976
    • C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe
      xhiqvvzgqyjfsvr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1944
    • C:\Windows\SysWOW64\qmtgzium.exe
      qmtgzium.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2080
    • C:\Windows\SysWOW64\gplrsooiavzic.exe
      gplrsooiavzic.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2720
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Tactic, then technique (ATT&CK ID) with the number of matched signatures:

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    c27c912afde8b27b1e4af6b17bd6a811

    SHA1

    5d03ac857137b6d963910726a8e78f34bfc60e5e

    SHA256

    ec782349612ec74a74cf52940947343c76a2a2c3693c309da242132face4557e

    SHA512

    fbffa6a2e29a3202ba71ef294ce8b317ac3e148ba5178f6c5554b696aad7cb6ed7479cb52e416b68188719ac724f51c7afca27ad3038e63ea7f60b872a97c763

  • C:\Users\Admin\AppData\Local\Temp\TCD7DF7.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    3703ce54039e84c89b0fcddaa21e8e3e

    SHA1

    cf36be735d2149d9f82055f705004c46a5f62a6f

    SHA256

    0e2ff1d173218a0bc688beecf7b1aca489511d7c29b4fe37877c5d5394c48645

    SHA512

    f6a0a17f8e2223c626e541f03a0b7a1898202b83fffe6e2eade4e47ec8cf4c158801aeb972f3840c293ad6ccc6a5240bb65762bd849e9dbe7066e1f76e481c14

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a82bd59fac73fd928b148c44ff28641f

    SHA1

    e842ad6d961fc9dd88224acf7b6d1ad34f7220da

    SHA256

    6b836a206a9dd0558c15c42738aad38d37502beaae288c8f5f5d91e9a9fc521c

    SHA512

    8ade4889e3f07fa5bba071b4af208b00103c6e86a2224442055051b0885203e1c76e5ffe9b50b6a46dda4df0a8deb1402a87a41c37a35d869a0e9414b9cae9f9

  • C:\Users\Admin\Desktop\GetConfirm.doc.exe
    Filesize

    512KB

    MD5

    f2104da5d7393a847b7f15a4fd26a913

    SHA1

    d4d4117d16305f669565e237aabfe02e1194e68b

    SHA256

    f44c922bdb665c6e78c56a3709a2dc7f2003bef033973120d31b87127a0e01b8

    SHA512

    defe96de5f8ad1c9f2c3f6e0ee8654b75876005d2208fc2da8cc3079148468973f1ab478e8a46aab421f2ba9c2bbcc1bb9361dc78fd346027e14a260b06d6fd2

  • C:\Users\Admin\Documents\ResizeReset.doc.exe
    Filesize

    512KB

    MD5

    8038441d14f482194203ade9665da0b7

    SHA1

    41fb585ed99b7886e13f98739cf24aeefd6cc5d0

    SHA256

    f564820e18b536436664b016a80b4ee91bb5b800e4157d191b0b1ec1c07f4f12

    SHA512

    81024f6bb7f90a64185a9df2a14a929712db23701625144080bfbbfc41add805ca1a6c2fdfdbb7561292a131c9d43ffe3be75724eaea4f7e3707b7534eb3f627

  • C:\Windows\SysWOW64\gplrsooiavzic.exe
    Filesize

    512KB

    MD5

    d1a25faf9380903dc73478ef1f9c08d4

    SHA1

    89316d838efc08882d5fc1a52ed176ef0ec557c4

    SHA256

    9aff7c3327db2cfdc3803a07f5a501affb8d87e15a9f6fc6aee7af5d51850312

    SHA512

    c70b22ccb1720fd65919cc11d6c1e7864e13c0f2af031d2a315718e838c70ea036376171cd8cf9b917c66d445a2aebcf67875bf19d04d2e78bb7a5f919235277

  • C:\Windows\SysWOW64\qmtgzium.exe
    Filesize

    512KB

    MD5

    526b5377a7ac87d200f7506c950bda94

    SHA1

    5249868f23c7f1a8d6927bcb043a6fe011f1dc89

    SHA256

    eaf521ca4d2913afe27baef21937aab952b21d7cc644f57233ef81e1b9f3a214

    SHA512

    d305b2fca662861321b3aa612a54fe78850fe4cd23f8d59dd3af18b5eaa30ff13d84cd7fd329f2ecf1bc980867734e3b412391debbb4531332e56043657f7f62

  • C:\Windows\SysWOW64\xhiqvvzgqyjfsvr.exe
    Filesize

    512KB

    MD5

    a5e965c9697e60b4c0d6b9808d986558

    SHA1

    871ad3c7a4237960130a7dd44472e26dcd956cc1

    SHA256

    fa2914c2fe6c2f9dedb77dfbaaf175ab9de1af71c6d6c23bbc8f54560914ba2d

    SHA512

    001b35fc8600c44b17ee84d470cd6d60ff999900d916eef57510c31cbb589851950a5b993d38b7aa698b03ac87f671f90ca09ac02cb694bcab475aa5e6628d03

  • C:\Windows\SysWOW64\zxwmgdaiwm.exe
    Filesize

    512KB

    MD5

    6f0a7c10989ae2cca94f202591ea7903

    SHA1

    877c8772d4932e31d42dda76f8f712c06687e3ab

    SHA256

    86b565377caacd0a50aa6a9d347250d9bbfb785dd548a91043117028ab3811b4

    SHA512

    39f69a70d820d717c526e703c37c3713c8ff416ac7d1e3c8af58eadff114ade2189a8b3e0e1eea2703285950490cc3ba275050c1611361938d52a17d4d14922d

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    5e6d242fe722a486450a35100c4b7423

    SHA1

    d434bf824e8a36e41c12fe22f230dc724faa4ae1

    SHA256

    d11fae1df9dcd79d6a4cf26dadb30af71a0daa00911bcea3e63ddc35c928a936

    SHA512

    026d567e9788d665458a0f7f76199c2822240c7e06d13b1e83dad57f0c16d5c05bed899ad7337bfb320397915e49d17e735e3bc9cbe67833e8683d728a4c8371

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    68c9431e2c7ab56cc4a7ad37b8b76bff

    SHA1

    c981e4dc28f56e829f461ef21cf8a35365f6db97

    SHA256

    cd1d4fe97f5c4f1aae8434191dd9152c7a9e50b4bb178ed369f684c741f49212

    SHA512

    25e580fe58ea9c1fbfd45b7f22ea9167f1e592e1fd4a885802ea17e77018e9095a520e8a82914cd6abe6f6240b6aa70077b62a736cc3816876606ca6301041a8

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9fb7d06c9c5074da6faaab291d3178b4

    SHA1

    4b18073812435378a66f8544d6bd1cdf46b0f7af

    SHA256

    3e229e804c1357036f4fc12f7203612b67e0378caa86706035a2f6e0c9fa22c6

    SHA512

    08164259e66f34d253b2c4f5e9f95b9dad5b6001ce8098e433d0c1f8a1204b1a49fe7f8f8d6b1fc9d23ef6dbf4a53a1e85acd27b73ad19f6cd15008315f8c7e5

  • memory/4504-42-0x00007FFA30290000-0x00007FFA302A0000-memory.dmp
    Filesize

    64KB

  • memory/4504-37-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-38-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-39-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-40-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-43-0x00007FFA30290000-0x00007FFA302A0000-memory.dmp
    Filesize

    64KB

  • memory/4504-41-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-615-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-616-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-614-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4504-617-0x00007FFA32BF0000-0x00007FFA32C00000-memory.dmp
    Filesize

    64KB

  • memory/4572-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB