Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-05-2024 06:00

General

  • Target

    7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    7822ab79c42b8084d8e1ea3b498d6828

  • SHA1

    4ba32b1fe142cc8fcffb4fd5d3947ad78920e016

  • SHA256

    0db52b09c8c7c64c51c8923c1c7580e2f27b70e91172b00b20ccdceab99dfb33

  • SHA512

    d4fa69712661dd9c5125d770a8944f9a06f09d325c6393d4177f1c94fc246f5bd00a451dc24702bbd7875ffa719eea5c0d2ecf6b2ff3fd22b3d743cc4f8e7a85

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\vhobimvnxn.exe
      vhobimvnxn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\ikdclcrg.exe
        C:\Windows\system32\ikdclcrg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2704
    • C:\Windows\SysWOW64\shysewyqrkkikky.exe
      shysewyqrkkikky.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c xvurabpvorzsi.exe
        3⤵
        PID:2700
      • C:\Windows\SysWOW64\ikdclcrg.exe
        ikdclcrg.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2556
      • C:\Windows\SysWOW64\xvurabpvorzsi.exe
        xvurabpvorzsi.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3068
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
          PID:536

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        512KB

        MD5

        54e999b12a7127cdf935aa0acbe0d2ad

        SHA1

        c6399a3911db946534cde5b384c0afdef1bb2f49

        SHA256

        74c1ddf37d8fda71b06904d0de44c75b3aa0e1ab3e5bccc8b5ba9f927f521180

        SHA512

        3f23e6b7bfb66449a9a1ddf9db5ed9280729c64a085ce80c1f413d73e03f1e8a3a9cc75a795d0561428524a106a777f14f372cbc2b5565f0a0a6fab4cf746318

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        e9963e76f6f0e4dea2c90a2fbf8ffb66

        SHA1

        4b50f4932d1da9b5ad863bac66374863130ba37d

        SHA256

        811d0c8c831c1698b8dbfdb4537735ba755f6220b5b4904c9412755a1df64604

        SHA512

        75d4b284d8d2c0716bf55a3f1e108295cd06fb1af4f23e5e5866facef93aaa6a775b2e787af350aeec65a52b2e28f803f42e25dd7d5491ce430fb783c6b335fa

      • C:\Windows\SysWOW64\shysewyqrkkikky.exe

        Filesize

        512KB

        MD5

        7b3c57b053d719b578687a086fe2e2d8

        SHA1

        83761f035fa8c421a2d4228fc9c4ef1297de2510

        SHA256

        fecc3eab87bc88e7ead329fad411ad43016477ec5b0de50b23c859789f81e921

        SHA512

        44e8d6b9e6aea6973b258c62d25f3cab2d6c7385d2b3a514898a5c65044b2bb6322c7bcd2a5caf62bb4c3a996e12b824685feb8d0e4731a514713f100dad19ad

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \Windows\SysWOW64\ikdclcrg.exe

        Filesize

        512KB

        MD5

        9085206d8ff105e9a8feee3a276e13eb

        SHA1

        94aab09e6666f6a52de3b196938154fbbdfeabd5

        SHA256

        a2a0ebb7da113acd5c3d9d1b096aa459754b4b7c630c9c877ad1dcf84d87326b

        SHA512

        67cbad1bb45421a19c4742d5fd64d0a18253a43446e9617e4fc3029f84770dd0cf0e1f581f67b0191b73d3e4bfe373190f41feacdf484c76e9c88828d0f944bc

      • \Windows\SysWOW64\vhobimvnxn.exe

        Filesize

        512KB

        MD5

        13d0edbf5aff74da5bb32f6e60f2fc14

        SHA1

        03f7126d6b083198c985b91065e690da6a54211b

        SHA256

        204e3d6d29055431abeae350381cd60fd6f13d3ed6900193b2d38d8904af91a7

        SHA512

        00dac63309fe8b59957aa2587bf8c4fa6c2518a54dd7af212578e147e1463564ca5c68f80343afc38980f2296b40337f4273733648ee037a7c29882e95ac8a5f

      • \Windows\SysWOW64\xvurabpvorzsi.exe

        Filesize

        512KB

        MD5

        cbdd34541a42ef0dc56ebdbaf6c18eec

        SHA1

        26aefe3bff376cfac57d582fe19bffc8b81a3a05

        SHA256

        dee8d497b7564f0ff7dd8aa855e4efec9af7de9af48b39dc30b8f8a4ef47d815

        SHA512

        69ff4bcb6aa8e193d703453f5e421b0d5ed7a46ab305d09ab15455015c64b32a342d3ff43aca5069367e9d76bae6526d2ee7456bd69407361624916d1ff3634b

      • memory/1196-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2416-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2416-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB