Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 20:54

General

  • Target

    6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    6fd1083bf5feeb646bd239a8a746071b

  • SHA1

    b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1

  • SHA256

    a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2

  • SHA512

    7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\rhrsnekijx.exe
      rhrsnekijx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\SysWOW64\cvyqefxi.exe
        C:\Windows\system32\cvyqefxi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4844
    • C:\Windows\SysWOW64\ruclageedxfygob.exe
      ruclageedxfygob.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:216
    • C:\Windows\SysWOW64\cvyqefxi.exe
      cvyqefxi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4248
    • C:\Windows\SysWOW64\fmdcrixvqhzxi.exe
      fmdcrixvqhzxi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1768
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4712

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Winlogon Helper DLL (T1547.004): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Winlogon Helper DLL (T1547.004): 1

Defense Evasion

  • Hide Artifacts (T1564): 2
  • Hidden Files and Directories (T1564.001): 2
  • Modify Registry (T1112): 6
  • Impair Defenses (T1562): 2
  • Disable or Modify Tools (T1562.001): 2

Credential Access

  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 4
  • System Information Discovery (T1082): 5
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1


Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    e03483300b65aec4503d1e089d307c97

    SHA1

    6690310d52052e811422d9380c14e49caf900192

    SHA256

    5d61dff703037806a92fee92726ae37481bbd5a11eaa5e8eca4487d4e34d2b93

    SHA512

    c5c3b4e07eb11bcff212d500a0e2cbb3a0b24b759e63edaeb7bf874186d328a07878ff318523c266a1501a4e9abe4d56a353920273d763e52b881fd42747bfa3

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    b0b19751160acb2cf46aa177fc5157cc

    SHA1

    6ea569694dd8e44ca3da208b09aa3d38d56c91ab

    SHA256

    abd6c57362d1bf02fbc819a5cc044981af98873039a7945350226f2dfc5b0fc5

    SHA512

    96fceac31a8edb12dc07cee5ebd7c71f745929878ca1db203024ab4f0a03e4db59002c47ae4bd9443cd331ddf54709910d27a7bdc356d1eee60865be11f413d6

  • C:\Users\Admin\AppData\Local\Temp\TCD96BA.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    035bad025b93c65ce759902c714f9c55

    SHA1

    dd824103772be2b3665e2e8b6811341a4f1f2cd1

    SHA256

    c10c7cc87068ed0f4f50304ddacfeb514eb658b0c555db9cb48afc3cb4513f8c

    SHA512

    32b4d2dfbe7e60f8dc26cdb0419c19d3c464cb4f133807cc6212cc72ecc7f783600ebf41c4674678d22607555ff72af7b2cba9b3865acbfc05b7f797dbacbbc4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    09e3c2298876e8a56cd2ebdf42fc8ba6

    SHA1

    39fc119446d4f432a57bdae871c764236f8e89f1

    SHA256

    bb096b6c25548eecfa127368f67de87a625e9921fed0048d19bd191154d8c424

    SHA512

    a915d879556a0546ea41d143b520270457c1edb87845c65185737d80b6cfc6e0e2ebd13989d585d96f5c9cc66277a6efae8857ad8ebf093bd0046a1dc831d7cf

  • C:\Users\Admin\Desktop\LockSync.doc.exe
    Filesize

    512KB

    MD5

    df625fbbca75dffc0d16b52b8776c0df

    SHA1

    b387d90d7f4e0f49a581cfaa78fc9dcfb5fe6245

    SHA256

    4e446282f6d5ba41ad48922f0fdec12ebf35fd3ee3892dd33cd34c1cd9ac2d7a

    SHA512

    50a978aa5283430c6959e8f07eb3e932a44710b927ca0d32506922d14596d59c28fdddfffb674920f7cee739477452bb38101c941164a970fb17eb8fcf6fbe9e

  • C:\Users\Admin\Documents\CheckpointSplit.doc.exe
    Filesize

    512KB

    MD5

    deb505d1054cf54e2b27ecf1aa9819e6

    SHA1

    279570a87daa0a99f33b4669e44bfe4b24062a39

    SHA256

    ef63602a4c31f0de8b8b569ed1f64b342470e460e0794f4bbe872f03bd5e9a5c

    SHA512

    934274e7bf672846a25c29dc88d884288ff5f08189400cc29f8aebb0f6e9dfddcd786fec501ffdad3112bc28b6250a743ef6fddf1770e840a4987ec49c46b106

  • C:\Windows\SysWOW64\cvyqefxi.exe
    Filesize

    512KB

    MD5

    7283470a8b608d3a0bc3ac7fe840d995

    SHA1

    030a38ceaf083d8f4eb991f2fcf971010cd278c1

    SHA256

    c5834eb7d3245e8a79e1ebf6b0e3a2802019f9d3cf761d6dfa2940b1a2ebffbc

    SHA512

    b15672793458df41a0b67775173e45780ba2cce92c557c8ef55925f2640e24b20e2ea59926e0af3e6f18cbb6323a285eaf104da26e4ee4e3c4a9844c001cb822

  • C:\Windows\SysWOW64\fmdcrixvqhzxi.exe
    Filesize

    512KB

    MD5

    2c59434127152d0fcf42293330532d71

    SHA1

    fa5aaeb63ccb80f1674e87042f3707e56c5727bb

    SHA256

    a32f70483e63f0eadae5e52d8620a5fdb67dd9fa1b3e0fcf7b195fdadb2f705c

    SHA512

    b1945899d8ebb982e3fa7582ca5efa16080b341fcf1279d5a1e76f702d6083ce7bb473f3e175307c3172f62011aa89e5cb3a073d8c6b904d548900bf87acf2af

  • C:\Windows\SysWOW64\rhrsnekijx.exe
    Filesize

    512KB

    MD5

    4e60d7093889284650daae8d391c9575

    SHA1

    9b0764ca10c7123293fd5ffa42e18ce6df9e4384

    SHA256

    2168b3a07b2b9b316d209fc2d3dcef126842e96c30e59da9f0f6af2557b9b94a

    SHA512

    857210950358e7ace1823177baae686a22b3c08a84636a3c5337f890f149e9ae8dc6990647d3e1003fd9265e6ca4786c1af0a47eac1705db3036b97fb86be8c4

  • C:\Windows\SysWOW64\ruclageedxfygob.exe
    Filesize

    512KB

    MD5

    2ca8f25f4f8666ecd3b3cd6200ece1b8

    SHA1

    2901e22c6365e993299c99c774bddf2d4edd2236

    SHA256

    c9344cc839ae8fb1835444b26a64d36412b6eae8c8418f0b5a40292913b7bd5b

    SHA512

    bdb25a0c4b9566dd01181635ac94b0d14a310c5b5e48bd9f07e3cddf2c746647188c5376153b2495fc04040f48b4f0d2fc5d4a4723a76814d54402e5aea84560

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    fb750920b4de415e35a41af550a93fe5

    SHA1

    4f88255f40770479e82a763881c270bcf18fee32

    SHA256

    0268d282f270588022fff3d5bdcf0a7d073a1a2b5ef82d578dcc836b2a3a0502

    SHA512

    d946d52a1d964e9ca515c3dd4c54ed90fd5481bbb2a4290e9fd6956abe28263672cb36ff9004d858509d1a88024cd36db9eeb147ca332df39e750f544431e503

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    de1ff80999d5f7eb0f872c42c99e4e67

    SHA1

    50545e1268fc2e4073d83e5ddd07e0cb446f108b

    SHA256

    22fc75c4135e1242be0624afe02b54907fe8f36404efa3f6ba909e3189b55fc2

    SHA512

    aad6467417afc2e223b9173782ebb79ca954ed771be509c136213fcba803d64919de71559c5ee1ce17c4ba93c8a9572abe8f5bd2ba32c3806944a7829b3d784b

  • memory/2844-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB

  • memory/4712-39-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-38-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-36-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-37-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-35-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-40-0x00007FFEAE7E0000-0x00007FFEAE7F0000-memory.dmp
    Filesize

    64KB

  • memory/4712-43-0x00007FFEAE7E0000-0x00007FFEAE7F0000-memory.dmp
    Filesize

    64KB

  • memory/4712-611-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-610-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-609-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB

  • memory/4712-612-0x00007FFEB0970000-0x00007FFEB0980000-memory.dmp
    Filesize

    64KB