Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 04:49

General

  • Target

    69f5d47856a236e062f07142c98fe7feJaffaCakes118.exe

  • Size

    512KB

  • MD5

    69f5d47856a236e062f07142c98fe7fe

  • SHA1

    05f68d26f87700fe6d205be181d9419bacf1d5d1

  • SHA256

    914dd25472fe32554ed5147eeee0930b2ee42750257cffee9fdc72d0387c622f

  • SHA512

    51ca4db9b7be7ae841a58b4304aa06610521e3dd15428013852bdc36f6679a85f925fbd0cc11885691b72c84fbb6c3632e2680746aadb90becbf2990795187d7

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69f5d47856a236e062f07142c98fe7feJaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\69f5d47856a236e062f07142c98fe7feJaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SysWOW64\wyprkathzl.exe
      wyprkathzl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\SysWOW64\xuuajulf.exe
        C:\Windows\system32\xuuajulf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2532
    • C:\Windows\SysWOW64\xueopsbsrlaikqe.exe
      xueopsbsrlaikqe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5008
    • C:\Windows\SysWOW64\xuuajulf.exe
      xuuajulf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4896
    • C:\Windows\SysWOW64\cebdvgcsbhmun.exe
      cebdvgcsbhmun.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2072
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4400
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3532,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
    1⤵
      PID:2300

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      98602f99a8b01f4e15703b9f0a1cdaa7

      SHA1

      ce486df0ccab813d879378a9dd0d6a7bdb08a716

      SHA256

      e11b89a61f2c2627df0052e1f69d166e8d5b3f2a39ea731c1eb672dde99b6b07

      SHA512

      2b7ebf75587a31c319b0fa88634cd58fb14603ead0e17a04212ecbabe0c02d91dc3de07f6f8857ea7616a2e31de326a9160de8f8c5ebf5269ac1c68df4b74268

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      652d58bd31567935493477749a57043e

      SHA1

      e25424e3b250a1885961390741b4f62c7d7a93bb

      SHA256

      75a71fa639b311293447942f01362b4143fffd3ef6aec137c4d699be6cd4530f

      SHA512

      ced2a3f032f073d905457df73ada65814e5295f5bdabf152476539eab5ff68bd9aa7e3ac6df6f0ecff5af08552112c5ddbc22415d6c63a85f7046602c82da17b

    • C:\Users\Admin\AppData\Local\Temp\TCD4F42.tmp\gb.xsl

      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      1cadb61212508387aa14f9da0e6ba0ef

      SHA1

      81c915ad2918adc569d52a5749c9d4492ad1df47

      SHA256

      aba137161c0f8695ec2190d9f85c29f266d044e3873716c3efa945c8c7ee2420

      SHA512

      b25111ca53055cb6b2800ad094e1deaa3a022b8bb0d52a1c7c8179a0dd9f7ffdcdec2254e3ad6a446a65293557160908e9e6d2b925b22ef45aafa20da504b62e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      2bf29d247123c4d04a6ef74b1abb38cd

      SHA1

      fd055fe912e74141495501696a6ca1fadf7c9d37

      SHA256

      1f7e00f6e1ceb2d13548ca18d18221316c18a571185ca4b54fc70dc00729e0dd

      SHA512

      b407ca00b3a1e5b77fa8f285ea7f9392869531d158d67436cc29d36d0fa1cc302d57bf42c432a338070ec2cb26ec09877d8876cecbf637e8c6c698cf51d15b45

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      371da8808147715727d4225d86716cbf

      SHA1

      469dccb01860602002e29c3afb931a9220713449

      SHA256

      bf6d81ad6e3c074fe1ad20cb54c77db21e61e82d8f1e053f61323a3f7c802b06

      SHA512

      7c51a0c0de7d94a4737aaa14094712d6d54146db9531d5496ebe854574c8301d70b95cf3db4c6a55622038faa587394ce3ffaf177268f4141c9d81376abb73ba

    • C:\Users\Admin\Desktop\StepUndo.doc.exe

      Filesize

      512KB

      MD5

      1b7b007e75648a79db1cce290245ca6a

      SHA1

      dc8055fe8b2797239b7be31dcb7754e491f707af

      SHA256

      56cff7931ae1552e887eeed829ef7b8f1d71207b1de96ae023f7d7812bc310bf

      SHA512

      c8f2f79be3732d9529a372f3fdd2fb44856f4107c60735bb81d9685370794b6cbd0f2f1e35dfd5b98ab6d43501a90b8e6e3b0165f1016c561365fe7a4aee6a8c

    • C:\Windows\SysWOW64\cebdvgcsbhmun.exe

      Filesize

      512KB

      MD5

      e0c31fd174566c3f6dec24eadb8c025a

      SHA1

      4b3c50332f026c2797407ec41f44afede73bce61

      SHA256

      1329298d6d24c18032d84ade1eb7c7d86c406f353d837f4870458b6a55495219

      SHA512

      b5e9845fb6fe8d5950bc3a435117ac1d5e3ee555a848397694a380da408eb66b9877a81a0c3c4b6c9ddf334ae31ec225a40a8a7c97aafb140b1c3a6c053e1dbd

    • C:\Windows\SysWOW64\wyprkathzl.exe

      Filesize

      512KB

      MD5

      3931bf00fc75689098378fec2dce97f0

      SHA1

      7a050033b13d44cdd18ec03fefd0b3dae148b0cc

      SHA256

      765b99ada70571523bf7f688e7e519db5b1abc914d0a69526bb4e7a32e33ee46

      SHA512

      2c0906a5acfeab9a003472f6ff1a8604f595329d16e900f1e4f954021fca894de1e74ca87a1e6c62147a2373d8974d34bb4ef1b588b6f129cd13f3e9488a863d

    • C:\Windows\SysWOW64\xueopsbsrlaikqe.exe

      Filesize

      512KB

      MD5

      d6b8697700f2b281f8b52ec4c18e42a9

      SHA1

      aa77963ff6a95c165bef5b9ed52d011bb88db01d

      SHA256

      255ffa47d66e1da393197d05f83186d9c2919ad16c5a0fbecd9e08f3d9a6111a

      SHA512

      9259d2c4a94a63b9074a0358e15b9998f1a5d10c4ccc64b16ce6c8add8208a08271432df0b2811c3bd3e30f5c8497961cc6eeb4bc99b488abf077f795d29adfa

    • C:\Windows\SysWOW64\xuuajulf.exe

      Filesize

      512KB

      MD5

      22148fc11e95b985c1472b1e9205f1c2

      SHA1

      fe216e03dcbe0b5432dc9bce7295f457015ac4b4

      SHA256

      2b6234477b322d748094ebe726db0315e293c77f5d1b432b92edd854e07cf095

      SHA512

      1b6b651291df3e2a8e93232c7281a509eb3d0d617bb48675c97f1ee962d3193d86edffa1045c34abc4aff1c4542a81f4626f719340d022d8592a0d043af9de20

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      7384adb2c985f6fba0d711bce5b2f9ba

      SHA1

      e26d2cf4fb408773bea09f49cad0c9b48d80448b

      SHA256

      723bf354495dcecafdce408ec8836abfb175ac0522e1d41987424e367f758b9c

      SHA512

      6faa0d03a4393506ad97551ac2edd06648a5133b1f590806c57be4f7350dbf30380610fd11a6961dafd09dcb83e962aa469086f6f8d9e2f2ab386fb3ca08a1e5

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      434d3c248cf3f7d2880672887e7cdf80

      SHA1

      cd726efebb3c002754cffd18b01b3961661b98a3

      SHA256

      ae4801b3e9db258919412dcf8ad2674cf94002b2335df94326832d6bd032a34a

      SHA512

      d3e4f90d3961f87f1519626c49109c9233b6b491791def2a8023c93a0bd6722a3b372672948ef3825c1b8ad0eebb4b10ceb5395f5f99bcb9bf6368d142bf8008

    • memory/3708-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/4400-36-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-38-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-37-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-39-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-40-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp

      Filesize

      64KB

    • memory/4400-41-0x00007FFB1CE90000-0x00007FFB1CEA0000-memory.dmp

      Filesize

      64KB

    • memory/4400-35-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-598-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-599-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-601-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB

    • memory/4400-600-0x00007FFB1EEF0000-0x00007FFB1EF00000-memory.dmp

      Filesize

      64KB