Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 20:03

General

  • Target

    6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6faf8ed502a1238bf9952e8ef9cce25f

  • SHA1

    200b03e5e2daf5f6be4e25036ef682091dd6d853

  • SHA256

    7e12bae0d5ede6bc024333bd1a7eb7edfceffa0876043d274df30780864d09cc

  • SHA512

    89fb2cc3a3f991d4156f425257a0624f84ca2d0d6d6955aff8628fae9ac61b7d8d6906bb6d4bda458028b2468b97ac610f9f503bc417a8203942302c40e8f33e

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6faf8ed502a1238bf9952e8ef9cce25f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\bakgxglapy.exe
      bakgxglapy.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\bkfvhiro.exe
        C:\Windows\system32\bkfvhiro.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2892
    • C:\Windows\SysWOW64\jfvzmdmdtvhincl.exe
      jfvzmdmdtvhincl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3852
    • C:\Windows\SysWOW64\bkfvhiro.exe
      bkfvhiro.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4912
    • C:\Windows\SysWOW64\txtndwqjyvvlc.exe
      txtndwqjyvvlc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3620
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    91822f4b334809d6a99cf11e912260c6

    SHA1

    64729db256316c45501925652d548fbfcc517198

    SHA256

    915cc62f4a253176545f1134dfa38705b57ef640195e9062adbddcc667358d16

    SHA512

    b2c275046ebf6bd2b8abc7be965956c2385f2fa5f0e3f62d1306136cb451d728e0293567851a37a3ab048a1fe3489acab7a0335950bfbb561646060cf3a974a4

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    d7f988b07698be002783bd9cab2cf25f

    SHA1

    ade441d96642b1530f5f53c34bbdcaffc4b99385

    SHA256

    e53d4bccc2789733984d3586614cdd76016302daf381dcb1f07d64e6b6d1a551

    SHA512

    5a48333542c1f763b1de1ed110658cb6957705bbd61deab83b381a83e80a4e4df30e78ef5ca954af14d0e0015bda959061dd490650ecb3ac48c33538d66cc3c2

  • C:\Users\Admin\AppData\Local\Temp\TCDB971.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    f691663f4c6b236ae77bea0a6654f904

    SHA1

    b23e95c00583eed4213175e9393112f630d7c8da

    SHA256

    05bed1afdfb16aa1bc51e61b0ea1dd6da1d2d682d9cf69133536fb1b94235119

    SHA512

    3ddb9dd451f8246f879b31e136f896a52429b7931fc54eac4343aa48054d426c9bb74941ff018934ce20f4eeebcf4a9332bc9c7e5d20960cb78c02baf0ff192c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    516ef38a3edbe998ecf62076628de403

    SHA1

    2b41ba7d9b78c904a741c1351e522f5712179e29

    SHA256

    39b765f024cbdb2c7ce7d0b7a8df29fb5504d444536edb7d1f6047eeeca7d6c8

    SHA512

    61de6b8e098f42482ff0e6efe25c57b703b33fbdd7c0dc97c287870a8af3fe993cd7c48731d9cf18570a1df12911d88c04d5d6b1e54b31205ba34bcea2a56b90

  • C:\Users\Admin\Documents\RedoUnprotect.doc.exe
    Filesize

    512KB

    MD5

    0cbf7ebb8b1ca344a09257c60600da31

    SHA1

    a58b77ac6721f916d47f576cfb5f9788d84202c6

    SHA256

    978a2b185dbfd1d7e72b9409931e8fd6e339bf959a1d4ec623003ef16a74262b

    SHA512

    65e34d65e4afd08fedac0f66d3f971dfccf0691acb3a37ec81e4ee46e5e62f0b263c946aade9d3c2480571369ea70621dc7980c2fc6042736bc77bac17a708ef

  • C:\Windows\SysWOW64\bakgxglapy.exe
    Filesize

    512KB

    MD5

    dadebc729f3634976801977fab27960c

    SHA1

    badc0a58258c5067969b47ca02fede9db3421246

    SHA256

    4854ef6a0c033d2c722d6e8b1352810153462dd06e9f6e2c2c8531b1e245b8ba

    SHA512

    befb7c55f0117d4219c7f4ba20023de71758cd80a0bca5504acd42f470340c39153dd8d68f500250e098f447eedf8af7416df1da6a2dde7d690d5ff1e0e7cc09

  • C:\Windows\SysWOW64\bkfvhiro.exe
    Filesize

    512KB

    MD5

    fce29fb5399ddf5a0a0506c9413faac4

    SHA1

    8b7884a03451685e281816edd7a33e1f82b8585d

    SHA256

    d99bd473e110e53652111132fff3588fb94ed8b0d665433f746c60e177b39b55

    SHA512

    90c67e25a4393dd1394bc7ced9619d092f33b1dfe073bf29da85597209f9c02829a921e8b4f377f40c93bd5f5307ff79944d5b5a8b5bee176e10c2c8442647d9

  • C:\Windows\SysWOW64\jfvzmdmdtvhincl.exe
    Filesize

    512KB

    MD5

    99cfe0ab7f29f603860df8136266cb5e

    SHA1

    b19349473df0b57c98aab33d731883404c5fed8f

    SHA256

    454f91c5b8a6228fac127ac40af05dc7b33439e662b356fd127d4e6f3a7068ec

    SHA512

    2a5f6c1ac33739cc3c4ca5d2f0bcffca999addb52aabdd5dff5910a8471d435d9ecc4f3f58a411b81fa623d589d001397cc52f8e9c9d110c451b89ebdb611681

  • C:\Windows\SysWOW64\txtndwqjyvvlc.exe
    Filesize

    512KB

    MD5

    d6a74bb632f772a4a232070c860aea68

    SHA1

    a38351fd792c706a2bb99a1367099a7d359eb159

    SHA256

    fc8843df01f390ce362c0a87ed1bd2bd5f4bb41e3fe586ed806277af507192fa

    SHA512

    efaae9cb0a3c281c959f30f90459f3ee57b02cb58b7a759d3c61767a7f5238c3461095acc77682f309c8052006da394583a8d072f5ccf82b80ae6291a5803406

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9d759d1c3146f3804ce10bd42f0bfb43

    SHA1

    1a101de3fb5b49d17af7b68ebfebd709dda0b092

    SHA256

    3964ccaf134d5cd4e853938602c694f7e3d81c9a00ed2dad09f052ffc0ea4fc0

    SHA512

    eda77764a36960bda47959c60b3708adbff28cbfebc3a5669afe82e4a6bbcfc1cd2702d4e49e61a3e4d79963a1c97d00ad1e0ea95873b6dfb2b9ce9be5751818

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    8fb3803e8f7dc943f1ddd55595a4e4ff

    SHA1

    822147a783296fcc53bd198618f632919216c10d

    SHA256

    538c31f3c152f3861f3a5722c1aaa9aac3ca5dd0fd9362163364cbebc0be6f59

    SHA512

    cf029deee4d3804dedbe1da464e7cad23c6e73b55de56dd5f688521bd29a59fcb8fd219ab0ac5cbeec9d783cb6fd4b1fd45a0d4aafbef4044a609b5202186e47

  • memory/1632-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4080-36-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-38-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-35-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-39-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-40-0x00007FFA259F0000-0x00007FFA25A00000-memory.dmp
    Filesize

    64KB

  • memory/4080-41-0x00007FFA259F0000-0x00007FFA25A00000-memory.dmp
    Filesize

    64KB

  • memory/4080-37-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-607-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-608-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-609-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB

  • memory/4080-606-0x00007FFA27E70000-0x00007FFA27E80000-memory.dmp
    Filesize

    64KB