Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 20:54

General

  • Target

    6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6fd1083bf5feeb646bd239a8a746071b

  • SHA1

    b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1

  • SHA256

    a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2

  • SHA512

    7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1844
    • C:\Windows\SysWOW64\lroqynanyn.exe
      lroqynanyn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\ahcgwmlk.exe
        C:\Windows\system32\ahcgwmlk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2568
    • C:\Windows\SysWOW64\cnxmtfplnviilbe.exe
      cnxmtfplnviilbe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c eoodvxvdctpkp.exe
        3⤵
          PID:2600
      • C:\Windows\SysWOW64\ahcgwmlk.exe
        ahcgwmlk.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2548
      • C:\Windows\SysWOW64\eoodvxvdctpkp.exe
        eoodvxvdctpkp.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2360
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2428
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1584

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence
      • T1547 Boot or Logon Autostart Execution (3)
        • T1547.001 Registry Run Keys / Startup Folder (2)
        • T1547.004 Winlogon Helper DLL (1)

    Privilege Escalation
      • T1547 Boot or Logon Autostart Execution (3)
        • T1547.001 Registry Run Keys / Startup Folder (2)
        • T1547.004 Winlogon Helper DLL (1)

    Defense Evasion
      • T1564 Hide Artifacts (2)
        • T1564.001 Hidden Files and Directories (2)
      • T1112 Modify Registry (8)
      • T1562 Impair Defenses (2)
        • T1562.001 Disable or Modify Tools (2)

    Credential Access
      • T1552 Unsecured Credentials (1)
        • T1552.001 Credentials In Files (1)

    Discovery
      • T1012 Query Registry (2)
      • T1120 Peripheral Device Discovery (1)
      • T1082 System Information Discovery (2)

    Collection
      • T1005 Data from Local System (1)

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      2675f5be187957917f7b1e869bd34cf3

      SHA1

      16fd4b3dc157e5d9e2aa7b7795d77b275652490b

      SHA256

      bb7d76599ef966174da614d5f6fb67701c1556ed0f07e66b767c57b704280eb5

      SHA512

      831703be8a4ca5d979b090d969d4717e61806f0adadabd1db4420e1251b4689cd1646f337fceff083f9b4341dc7da6ad61fa9f7bbc281f8e3fe912453cd5843b

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      b6f71f597c183035012eea5c1ed0202f

      SHA1

      b84cd5a02cd385110c97f08f8bb41474fb75f7fe

      SHA256

      3e8a312d99bdbeb11edf93a762c7998562d9de827ab3f58faf4a13614815bbc4

      SHA512

      67b5635e4cb56d378c8b2d5ef4c96c4726886089024a0c80118b7e4c06f40b0c03c21200546a7ba94576968849f4433368d88e9d03b1ade570bb07fc0159aaa3

    • C:\Windows\SysWOW64\ahcgwmlk.exe
      Filesize

      512KB

      MD5

      88ef9ae72549aa61d8f862925cb776ba

      SHA1

      87fc6c634fbaaa1cd8e0a2b3460c9950212c6b1e

      SHA256

      bab5c2122a73bef43617e6325d743727e1ddcb99c03e63d0bce793a261b4188b

      SHA512

      c07af3986d2b0e0f8d7f09688af6941c74a8ba4ea58443f30d48232560943f30f33453bd60bde7012325bb2e548f348d2dc15246ebe41c040c3c54cb8f122b87

    • C:\Windows\SysWOW64\cnxmtfplnviilbe.exe
      Filesize

      512KB

      MD5

      7a23d168463b4ad9eeb803a20a1f6ef8

      SHA1

      d6e0b61297b037f4612f38a5d63111a1865f14ba

      SHA256

      a086f0aacbd851d09adbfee677f861885c4e0870ce44a3882ce89f9f6a4f8c3d

      SHA512

      43a349236fe8114e253be5d4eb0fb488d74d4170a9fed3f411090f5bf460e87e0be3f375c2e1e7e8a6187a93fd91bc4814be9aaec72505570889de29644d71f1

    • C:\Windows\SysWOW64\eoodvxvdctpkp.exe
      Filesize

      512KB

      MD5

      0225b99129d8acf80e900731e26cc617

      SHA1

      23682f305df2f18cf618d6cb49758260ec874fb1

      SHA256

      b49b879db45fd29b514105c1df904f4ad3332b7879b8b4ecc24bc7593665e237

      SHA512

      c07bfea7bb76160dc4779c4a4aea43f724f854dc006d9b6e5f2d8d0d030b55e4cc8c591a7f492c80ee8498bf839c780fde1340406e5921d5c145519eefbb7097

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\lroqynanyn.exe
      Filesize

      512KB

      MD5

      6b16e7cb6d175c3268c88227ed781cbb

      SHA1

      43079649a1ec4f51243408954d00f635cb68fbc1

      SHA256

      6b47912cf3486bd1164222aa9ecba68b8ebd54d4bd5749216fe5f1a5d5f596c0

      SHA512

      f1a331b4b79f85977a9334733dd89184778639019c7089d35b11c971bb7ebacc0a334008854e19abf8f6c0eb635d8baa16d231a390231dd780dafc5159d3d187

    • memory/1584-83-0x0000000002B50000-0x0000000002B60000-memory.dmp
      Filesize

      64KB

    • memory/1844-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2428-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB