Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27-05-2024 06:48

General

  • Target

    783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    783fd152ef4fb11f362a90431f597393

  • SHA1

    7b7e29803b5f8e235bf4078b58e815eae184e5d4

  • SHA256

    602882ca8e8bc2c7a1f0da904a3a603fabb27a24a1f133f02cef82068d66ee4b

  • SHA512

    7775037728ad59bea6bb7706f5963c9754f988f07298fa6f4b0cb7e106942f7aa2dfbc87b062b942aebc7674c5b3926f3acb2af30f8fc0c0d32afc5a325b2831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\odfcpvdlkp.exe
      odfcpvdlkp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\eyfhqddp.exe
        C:\Windows\system32\eyfhqddp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1724
    • C:\Windows\SysWOW64\oyaopmiuqhsvhue.exe
      oyaopmiuqhsvhue.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2768
    • C:\Windows\SysWOW64\eyfhqddp.exe
      eyfhqddp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2648
    • C:\Windows\SysWOW64\hkciazgcxbsqb.exe
      hkciazgcxbsqb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547) 2
    • Registry Run Keys / Startup Folder (T1547.001) 1
    • Winlogon Helper DLL (T1547.004) 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547) 2
    • Registry Run Keys / Startup Folder (T1547.001) 1
    • Winlogon Helper DLL (T1547.004) 1

Defense Evasion

  • Hide Artifacts (T1564) 2
    • Hidden Files and Directories (T1564.001) 2
  • Modify Registry (T1112) 7
  • Impair Defenses (T1562) 2
    • Disable or Modify Tools (T1562.001) 2

Credential Access

  • Unsecured Credentials (T1552) 1
    • Credentials In Files (T1552.001) 1

Discovery

  • Query Registry (T1012) 1
  • Peripheral Device Discovery (T1120) 1
  • System Information Discovery (T1082) 2

Collection

  • Data from Local System (T1005) 1


Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      bb30cb4eac2c3353e27d494140206a22

      SHA1

      44dfac8ee59d1b51fe8c1446b2c5ca69495bb625

      SHA256

      f354cfcd342d6b807da6962e823711da8e39367ce53667bd6f316fb1bb7ea2aa

      SHA512

      4ea394878bf3493740ea5d16c606db7b0d366a31010bb087258c1bb925278719fd9a8936522b423c0f6d41564b2dedcbb75699526e1a605cf9154023e655533b

    • C:\Windows\SysWOW64\oyaopmiuqhsvhue.exe
      Filesize

      512KB

      MD5

      6a171b4a8f25c0bd228f6f35219572d9

      SHA1

      596ebbce89d513f7bb3e3930df33cbdd75be4b13

      SHA256

      e1058db6b75747e76033c772b7ca1531545349e2bfb4a134f69397cd88ea1d2a

      SHA512

      53770327271fc2d1402381eefc5c83e3dc83179f7601b287dc4b8db7865a5317e522c44bef57828a87466fc2854fe9c4cdcbdb73dc5cfbf3f874c02cfc71c2c6

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\eyfhqddp.exe
      Filesize

      512KB

      MD5

      f5aaeae81443b1fb1e43f2a4acfbdb9b

      SHA1

      eb743c46a3a08b9928c7bd1c88269cf86667534a

      SHA256

      11fe201b79e9c90cee5912b38ecaa2ec5ffb02c09c404f8c52d58d572c55abbc

      SHA512

      1e46963d60679abfa7696ba020deb9ddf1ce7ef4c0abfa4c89fcc8c3e414578f147e93c3e93eee380c781bad5485cfbb28612252e3215a498a9877292d510340

    • \Windows\SysWOW64\hkciazgcxbsqb.exe
      Filesize

      512KB

      MD5

      c9989722dec55862681dae604bd01eca

      SHA1

      020f239f9b4604cb86978270d384e7dc850825bd

      SHA256

      1a3b6e2ab2499b68343bd64a9401590b945471462363d6de0a05f4c999b150be

      SHA512

      5568c1b4dbeab50e3e5cf1e275d5a42762ee0944b06e647cda5cafaf36457ab31e09309abc346173f9a6a2812649291a670fd7325ba40b7ea235c8f3dbe91fda

    • \Windows\SysWOW64\odfcpvdlkp.exe
      Filesize

      512KB

      MD5

      b954b560a3a7d6a600d811918129cd4a

      SHA1

      820cb02daa59c9b45ad6db106c195e21394912dc

      SHA256

      7b8012e9ba15ee5981c6306c35311f7ce4527f00cbe0f7c2a8ab2bb95d3cb019

      SHA512

      61692b01e182ada8c55b935e6531fe77aa81c8659998a478966f0c2dda9447b289fa1490d72d9ac94d1b7c867b2563e0f02241ef81df88a4827ac8652929ce9f

    • memory/2272-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize

      600KB

    • memory/2440-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/2440-96-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB