Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 06:00

General

  • Target

    7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    7822ab79c42b8084d8e1ea3b498d6828

  • SHA1

    4ba32b1fe142cc8fcffb4fd5d3947ad78920e016

  • SHA256

    0db52b09c8c7c64c51c8923c1c7580e2f27b70e91172b00b20ccdceab99dfb33

  • SHA512

    d4fa69712661dd9c5125d770a8944f9a06f09d325c6393d4177f1c94fc246f5bd00a451dc24702bbd7875ffa719eea5c0d2ecf6b2ff3fd22b3d743cc4f8e7a85

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\SysWOW64\npqjwnxtdv.exe
      npqjwnxtdv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\lviiczll.exe
        C:\Windows\system32\lviiczll.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5060
    • C:\Windows\SysWOW64\cpnlpbxemqondlv.exe
      cpnlpbxemqondlv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3676
    • C:\Windows\SysWOW64\lviiczll.exe
      lviiczll.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2904
    • C:\Windows\SysWOW64\dhqgrayvsglwx.exe
      dhqgrayvsglwx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2040
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 2
      • Registry Run Keys / Startup Folder (T1547.001): 1
      • Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    • Hide Artifacts (T1564): 2
      • Hidden Files and Directories (T1564.001): 2
    • Modify Registry (T1112): 6
    • Impair Defenses (T1562): 2
      • Disable or Modify Tools (T1562.001): 2
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 4
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
  • Collection
    • Data from Local System (T1005): 1

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    e4a1a85a6f11f5cab66908a3660cb01c

    SHA1

    52bfc7ed20a79b07b92a6ac033511e7b4c8c498b

    SHA256

    ce68741cba528d1721d470b7607ac01954d22478df4c0d5ace55e2250e8526cd

    SHA512

    ad53dccd68878df61064ab72feb1063f22207c5fd611bd4239965f64187c78e01abf42af8b8601af8a7aa7c2217834baf93bc7fd9b63bd36484b4d4a1b50cc76

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    661e7826bd4e1557fd8670058e15f238

    SHA1

    f3820963e61df58153aebf67f91d83cb6a054770

    SHA256

    db82f924a4e99af4f8f5fed83363a286f67a03df5b468760ac9b77ca894d8a9e

    SHA512

    ec4e763355c6777543cc363eed9b28bfd31ff81497ff2f62fbf222398d864ee7e648c56c1bf47ce35271e93abfc723bd2fd4fef8d519fed391d7cc6e944b3782

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851218[[fn=gb]].xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    14fad22b9a49a2c3303105f604b6b6fb

    SHA1

    ed78870b1e5213bae3d7c30e18621a02ce4571c5

    SHA256

    b9e3108303718ba094ae6078378be22027bba881044877d07cd34cc1eba299ee

    SHA512

    a8b5120435b4eb0ab2c3aa1ccedeb9b3edcfa787323a9a6e77071a0f93e589719c6aae7b70c820f0efab2cd3c696e74f259e509f28b4d88a386342da8c7022d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a696800875c954ffb47a2089c2c22970

    SHA1

    83e3a55da1328f050513d6e62db11746ab0c1d64

    SHA256

    21ef9729a6c28497b8b8f1651c3058766f43071726a9f6ad7b88bbf9db6e5dd4

    SHA512

    9f97e5e72d9d2be701578a024f98159ef75162bbe3b6f0ca15359738b5987e6cee30a91889db41fd38d20ac37d18c05622897a940ec9cb3d36cd9d10e6e11cc2

  • C:\Users\Admin\Documents\WaitOut.doc.exe
    Filesize

    512KB

    MD5

    29d13c6cfa66676cbe80f11e8592c5a7

    SHA1

    a5e1108ecea60260bf0297dec1d18f0224c8d5eb

    SHA256

    6fec382d2fcc341531c5235613c2c5e8971c6d5f0a11c4bb958aa5a9dd19d7ff

    SHA512

    5e9b0e5259dd14b2cb4d984bbef5afcfbc8ccdb859cba0cf471163c6090004469d335c57628cada31d9cef47360dad26208b4ac77ec68f42ebdc061bcc85ae09

  • C:\Windows\SysWOW64\cpnlpbxemqondlv.exe
    Filesize

    512KB

    MD5

    9bc0bf70c5864ea2dd3a3a0b89179ce3

    SHA1

    50c0033a286254b315f09ab7ed7d1ce33f865861

    SHA256

    85b6cc2c247ac527270284aa0ad26ba076d018990e9f8fbcb3c32d3dbb2f31b8

    SHA512

    cfaecef32069218ece9828470c65dc9183f8a467627c582c2fd25adc56776a07aae9c56529b8718e0d893d32b809a791ff2e20bd81c5a0f264df65f4fc1da65b

  • C:\Windows\SysWOW64\dhqgrayvsglwx.exe
    Filesize

    512KB

    MD5

    85d9da4754a40ebdd509bbd46b84efde

    SHA1

    6bce51775c5c5add719bcba8a282ea5c4c5bb555

    SHA256

    90b0df85cc25c868bb900e96240c4a68278bc421e79495aa282a33a9598fbd2f

    SHA512

    3e72997f635b8a4e0bd34ec4196f017652c0009aa0aaff89e3e38409d03f9cc3e8248c3decfe38e720637c38924a8da0da7883102f0f62b5afff96256244be47

  • C:\Windows\SysWOW64\lviiczll.exe
    Filesize

    512KB

    MD5

    27d02a469cae3be0f57a8c393960f066

    SHA1

    ce1f1a9aeae3740b5ed2296accf0a8c2017a9eaa

    SHA256

    812728312a198c35b83cdead660771c5e08b8b7e8d3e7e94943c521a6f49d024

    SHA512

    955128081c67536721171c2231f7f2426774cb242591d76a2978d19cf58047fb7491f364c6713c05bef8b09acdef7425933112e3cec85541216227c32515bd29

  • C:\Windows\SysWOW64\npqjwnxtdv.exe
    Filesize

    512KB

    MD5

    997eafbd257b15f47759b2fac2235aaa

    SHA1

    f2e56c59943f9e3ab52f87199154394e263f816f

    SHA256

    ee8f73233a1f7441f8997b6bda2fb336b270157d55556880c8cceca60fcfc838

    SHA512

    d5d1801781daa3eae48fbb8678f24a460a8c44ad83df8150f16aa05c4fa2f646a027bdc13694bf709bd7b90bbca205dd6f3a067fd03729961dfa5bc924aa3f0e

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    7a4b0e8c530328a98dea9aa0de7ecc30

    SHA1

    70652002fb8822918cdc4569e924ff6eac8c55af

    SHA256

    289c9f71dcdd7eb55a4fce05157c21f149bcfc53a870f6551be42882c8e586d0

    SHA512

    210523d1c30cb2caf9b2edda822d6ea6e30631a18e1ee9cff6e9f186cc437458ca6c0274cc679fc97467a4699b5cf12192ed15cebc910dfe3036629187bd93d9

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    585100d695730f262759ff951c87e5bb

    SHA1

    3b23536f2cec1e9ab2409885b4dac51f46965bf0

    SHA256

    68987c22a800fd5e001f72d3a16b8c901b2b375822f63bbf2e3c096804bdfe87

    SHA512

    766e95ea5d18e18d8d0f9e027ae703c9d944d3e2a8f376196d15a3d97b02bfbc84158fb4209128245f108fbeb3c245df3d1e3936562942c9ce0b5164b4a63924

  • memory/4436-36-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-38-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-39-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-37-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-35-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-40-0x00007FF922C60000-0x00007FF922C70000-memory.dmp
    Filesize

    64KB

  • memory/4436-42-0x00007FF922C60000-0x00007FF922C70000-memory.dmp
    Filesize

    64KB

  • memory/4436-597-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-596-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-595-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4436-594-0x00007FF925510000-0x00007FF925520000-memory.dmp
    Filesize

    64KB

  • memory/4792-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB