Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-05-2024 06:48

General

  • Target

    783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    783fd152ef4fb11f362a90431f597393

  • SHA1

    7b7e29803b5f8e235bf4078b58e815eae184e5d4

  • SHA256

    602882ca8e8bc2c7a1f0da904a3a603fabb27a24a1f133f02cef82068d66ee4b

  • SHA512

    7775037728ad59bea6bb7706f5963c9754f988f07298fa6f4b0cb7e106942f7aa2dfbc87b062b942aebc7674c5b3926f3acb2af30f8fc0c0d32afc5a325b2831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
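The registry-side signatures above (Explorer visibility, RegEdit disabled, WinLogon and Run-key changes) are the ones a responder can confirm fastest on a live host. The script below is an added host-triage example, not code from the sandbox report or from the sample. It assumes those signature names refer to the standard Windows registry locations it checks; the report does not list the exact values the sample wrote, and it does not say which "Windows security" settings were changed, so the script does not guess at those. The executable names it looks for in Run keys are the four dropped files from the process tree.

```powershell
# Added host-triage example for the registry-side signatures (not code from the
# sandbox report). Assumption: "Modifies visibility ... in Explorer", "Disables RegEdit",
# "Modifies WinLogon" and "Adds Run key" refer to the standard Windows locations checked
# here; the report does not list the exact values the sample wrote.
# Run in an elevated PowerShell on the suspect host.

$findings = New-Object System.Collections.Generic.List[string]
$context  = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Explorer visibility. HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are also the Windows
# defaults, so they are context, not evidence; compare them with the user's known baseline.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($n in 'HideFileExt','Hidden','ShowSuperHidden') {
    $context.Add("$adv\$n = $(Get-RegValue $adv $n)")
}

# Disables RegEdit: DisableRegistryTools is absent by default; 1 or 2 blocks regedit.
$drt = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'
if ($drt -and $drt -ne 0) { $findings.Add("regedit disabled by policy: DisableRegistryTools = $drt") }

# Modifies WinLogon: Shell should be explorer.exe, Userinit the system userinit.exe.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = $shell") }
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -and $userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    $findings.Add("Winlogon Userinit = $userinit")
}

# Adds Run key: any Run value that names one of the executables the sample dropped.
$dropped = 'odfcpvdlkp.exe','oyaopmiuqhsvhue.exe','eyfhqddp.exe','hkciazgcxbsqb.exe'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath metadata
        $cmd = [string]$p.Value
        if ($dropped | Where-Object { $cmd -match [regex]::Escape($_) }) {
            $findings.Add("Run key persistence: $k\$($p.Name) = $cmd")
        }
    }
}

'--- context (Explorer visibility values) ---'; $context
'--- findings ---'
if ($findings.Count -eq 0) { 'none of the registry indicators from this report found' } else { $findings }
```

The Explorer values are deliberately reported as context rather than findings: on a fresh profile they already equal the values the signatures describe, so on their own they prove nothing. A Winlogon or Run-key hit, or a DisableRegistryTools value that the user never set, is the actionable result.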

Processes

  • C:\Users\Admin\AppData\Local\Temp\783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\783fd152ef4fb11f362a90431f597393_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Windows\SysWOW64\odfcpvdlkp.exe
      odfcpvdlkp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\eyfhqddp.exe
        C:\Windows\system32\eyfhqddp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:64
    • C:\Windows\SysWOW64\oyaopmiuqhsvhue.exe
      oyaopmiuqhsvhue.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2232
    • C:\Windows\SysWOW64\eyfhqddp.exe
      eyfhqddp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4932
    • C:\Windows\SysWOW64\hkciazgcxbsqb.exe
      hkciazgcxbsqb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5064
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (2)
    • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1547.004 Winlogon Helper DLL (1)

Defense Evasion
  • T1564 Hide Artifacts (2)
    • T1564.001 Hidden Files and Directories (2)
  • T1112 Modify Registry (6)
  • T1562 Impair Defenses (2)
    • T1562.001 Disable or Modify Tools (2)

Credential Access
  • T1552 Unsecured Credentials (1)
    • T1552.001 Credentials In Files (1)

Discovery
  • T1012 Query Registry (4)
  • T1082 System Information Discovery (5)
  • T1120 Peripheral Device Discovery (1)

Collection
  • T1005 Data from Local System (1)

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    efc31545d40d5be83a028c5ed80f3cf5

    SHA1

    b5269d52a4eac8cd98f5b8802b797a3f4b828963

    SHA256

    de8d69073cb7cdc00a9ac5e3edd54499be90f5b8a83208eb57d645f78b2b6f5a

    SHA512

    c1c71ee96a149909e08099c45a8fa625175b05de6b3d755abdcfc31ccd0b987210a1b520fe65863a8c1e8945c9cdd45064b37d8d51a565711b713df0cd587537

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    043b0185a4eeca2378bb823cee386d78

    SHA1

    0c745fc3b26977156e10d1d72b6856444dd90cd0

    SHA256

    29e9d09c83f4d3a5f6b934f9119df6dd72cdfc1d5b75e260ef991136b1453f29

    SHA512

    33e7b6eb11dcef4d1bc3f5e3c1ffcbcfe636eb52d5ca03b1f56ebefb6b0f8143c654fc1b4e5c4749bd2b9c0d4242e8752082948f875787de01396e1cb3d97872

  • C:\Users\Admin\AppData\Local\Temp\TCDD098.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\AddClear.doc.exe
    Filesize

    512KB

    MD5

    615d4d8a93b40e8f3fd249888beccf9b

    SHA1

    9fb09fa50c7238d3b330b76cd1197a74bcb1d6a1

    SHA256

    5fcd2b1c71f0c0c2f90989a28693c6c72005b414b518ffd837e207af274b3a01

    SHA512

    9863cded6d86f87c1de40d6d5936c2b946a72356b4ba2a0cc334f62d708a32e6f9c01e309a341288154f01fe611ad3c86e949321b35c130cc74f2891348aec00

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    04cd73b007e9d84f9f45f07205e6a7fc

    SHA1

    bf79a170e70f49b185eb5b91fcc8310e5366b6a7

    SHA256

    08964209f7eefd7c7ef378fe2c4df3427b36aef75a1d7882278daa6b2d329c64

    SHA512

    9a53d536a4b441d7c4f3b0999516f6ddc213ec259e8afa2dc4b30f8a67858dda297d9488248f9f4750ed58b421e586224ff6bd7a881cca4a2d05d99b56792a22

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    719d90df9891ffe0717477ec6f18ade7

    SHA1

    72b0270f23aba88009b36c8e87f55e85d1eb3218

    SHA256

    7c381d9f68a3bc852db936f5a7b732ce1b2dd3e05a118a69b39a32e914cfe91d

    SHA512

    7ce628816f033fc67dc86cbea15304112c51420e36d070ace91ad1a4a8ad36306a32a4ad3b1ef8777b9db911f2044736a07aaa4f9b19b937e8f40fcb329f4128

  • C:\Windows\SysWOW64\eyfhqddp.exe
    Filesize

    512KB

    MD5

    396b9542b2e4ba5a7d6ee2538c84767e

    SHA1

    7a992661b7dc767974f4ecd85c69417818467294

    SHA256

    cc9c78531ac3f141556e999701346ae99a729063c7e5cad46405274b2a190c04

    SHA512

    1dabab3388517c6416c89ce4c3837b175881c6d290839b0651d21538b2c682531fbaf254f7c82c23f48a2efe0f02606cf25b2816b25c09e68ae201a5aacffe97

  • C:\Windows\SysWOW64\hkciazgcxbsqb.exe
    Filesize

    512KB

    MD5

    ca791ec8036a7bb8bccef3c2bb3bed22

    SHA1

    c6283f97ba3dcd14c30b6ecfaa4b3b33445f279d

    SHA256

    a73476d63f2f003b7563f038fd800d07da7445881a1711b0e523f8871a389b44

    SHA512

    11e79855aea6e368e3cd516d2e4d89b98e9b18e413fcfb8c230940eded32ed16f56b069d659b0b459420d919fa3065db2a38b92968086099c05aa561bc9bee3e

  • C:\Windows\SysWOW64\odfcpvdlkp.exe
    Filesize

    512KB

    MD5

    921fb67164c30d56c9c780a0661eb744

    SHA1

    177165a9766c717184f84bc0e3e90a15f849e219

    SHA256

    eab75cff22870cd12b35e8e2fb125962ec89ef602e268c8f5f302d90ea61e500

    SHA512

    175b14ac907a0c42770d0cc1d7b09f54a6be6d0547f2cb203204ac11764d58a5ecc497de7406a5a1d900f8403389c475f65615a5557291b429f5a0a9de863ab6

  • C:\Windows\SysWOW64\oyaopmiuqhsvhue.exe
    Filesize

    512KB

    MD5

    ee45f8bc8a18286ac698f46349576881

    SHA1

    4af6dd0a680ec1407beb6611bd073af65ef811e9

    SHA256

    4ae6366655878591b79abde6b3cf6df83d09a48bd47ab71b4465b7f1a730a7e3

    SHA512

    358436a31256be5414b619e2c912e5298824a7f75bab479387d6cdee5c2f4a1ecba400a22f6a140c53344b1b3127bde441845bd64c2ef43949a7953240d19689

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    a55a7052c743750e70423ab4ba3992ef

    SHA1

    908a753290825df77eff33001e4c8595dfe7b762

    SHA256

    5e1a9e6a6b88062067ea90541d9504127a6aed208815eb4938cbc1b477418e2a

    SHA512

    d4d1588c66dd7b6109c273264f3a2f96721dc0043c12ede8710d491a5852b03d700797ae073d4e2b9966d52e52cb5cf9c89016ae084bc1b7555a90cad56e4ab9

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    8bb8f21cd7773b0bcc89e0703471365b

    SHA1

    cf187685fbb48dcf93c8dcec3c72adc9a260aa10

    SHA256

    386915b3c5b355bc4e3be1b257f5fa92bc73624fac2b6987a064c5dfe9c4396b

    SHA512

    f9fbc382ecbde06243cc4e487b7116fd7efdb244f7f8bf1548cb31d1c590203f4c05ccb493473ced72c4ed6795878ae26b77bdd3e7b8731545591c882501598b

  • memory/2204-39-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-38-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-37-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-36-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-35-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-40-0x00007FF7DCAB0000-0x00007FF7DCAC0000-memory.dmp
    Filesize

    64KB

  • memory/2204-41-0x00007FF7DCAB0000-0x00007FF7DCAC0000-memory.dmp
    Filesize

    64KB

  • memory/2204-606-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-607-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-608-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/2204-605-0x00007FF7DF150000-0x00007FF7DF160000-memory.dmp
    Filesize

    64KB

  • memory/3760-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize

    600KB
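Two traits of the dropped files above are worth hunting on: every executable is 512KB like the original sample while each has a different hash, and several carry a document name with an appended .exe (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, AddClear.doc.exe, MsoIrmProtector.doc.exe) placed in Office and user-profile directories. Note also that MsoIrmProtector.doc.exe and the customDestinations-ms file are each listed twice with different hashes, i.e. the same path was written twice, so a hunt should match on the full hash set rather than on paths. The script below is an added hunting example in PowerShell, not code from the sandbox report. It assumes the search roots listed are where this sample wrote (widen them for a real sweep) and, because the report rounds sizes, matches on rounded kilobytes rather than an exact byte count. The Word side files (index.dat, iso690.xsl, the jump-list entries) are consistent with WINWORD.EXE opening mydoc.rtf and are left out of the hash set.

```powershell
# Added hunting example for the dropped-file artifacts (not code from the sandbox report).
# Assumption: the roots below are where this sample wrote; widen them for a real sweep.
# Only the executables from the report's dropped-file list are in the hash set.

$reportSha256 = @{
  'de8d69073cb7cdc00a9ac5e3edd54499be90f5b8a83208eb57d645f78b2b6f5a' = 'PROTTPLN.DOC.exe'
  '29e9d09c83f4d3a5f6b934f9119df6dd72cdfc1d5b75e260ef991136b1453f29' = 'PROTTPLV.DOC.exe'
  '5fcd2b1c71f0c0c2f90989a28693c6c72005b414b518ffd837e207af274b3a01' = 'AddClear.doc.exe'
  'cc9c78531ac3f141556e999701346ae99a729063c7e5cad46405274b2a190c04' = 'eyfhqddp.exe'
  'a73476d63f2f003b7563f038fd800d07da7445881a1711b0e523f8871a389b44' = 'hkciazgcxbsqb.exe'
  'eab75cff22870cd12b35e8e2fb125962ec89ef602e268c8f5f302d90ea61e500' = 'odfcpvdlkp.exe'
  '4ae6366655878591b79abde6b3cf6df83d09a48bd47ab71b4465b7f1a730a7e3' = 'oyaopmiuqhsvhue.exe'
  '5e1a9e6a6b88062067ea90541d9504127a6aed208815eb4938cbc1b477418e2a' = 'MsoIrmProtector.doc.exe (first write)'
  '386915b3c5b355bc4e3be1b257f5fa92bc73624fac2b6987a064c5dfe9c4396b' = 'MsoIrmProtector.doc.exe (second write)'
}

# Document name with an appended .exe, e.g. report.doc.exe (-match is case-insensitive)
$docExeRe = '\.(doc|docx|rtf|xls|xlsx|pdf|ppt|pptx)\.exe$'

$roots = "$env:ProgramFiles\Microsoft Office",
         "$env:SystemRoot\SysWOW64\MSDRM",
         "$env:SystemRoot\SysWOW64",
         "$env:APPDATA"

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
      Where-Object {
        $doubleExt = $_.Name -match $docExeRe
        # Every executable in the report is shown as 512KB; the report rounds, so match rounded KB.
        $sizeMatch = ($_.Extension -ieq '.exe') -and ([math]::Round($_.Length / 1KB) -eq 512)
        $doubleExt -or $sizeMatch
      } |
      ForEach-Object {
        $sha = try { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower() } catch { $null }
        [pscustomobject]@{
          Path      = $_.FullName
          SizeKB    = [math]::Round($_.Length / 1KB)
          SHA256    = $sha
          InReport  = ($null -ne $sha) -and $reportSha256.ContainsKey($sha)
          DoubleExt = [bool]($_.Name -match $docExeRe)
          Written   = $_.LastWriteTimeUtc
        }
      }
}

# Known hashes first; a 512KB .doc.exe that is NOT in the report is the more interesting row,
# since every copy this sample wrote had a different hash.
$hits | Sort-Object InReport, DoubleExt -Descending | Format-Table -AutoSize
```

A row with DoubleExt true and InReport false is the expected shape of a fresh copy on another host: same naming pattern and size, different content. Treat the hash set as confirmation of this exact run, and the two traits as the actual detection.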