Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    27-05-2024 08:05

General

  • Target

    7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    7873e7e0692a506e43e36d4bf4da28b7

  • SHA1

    32629a66348b9a5016084c7e320a3a967ef61cc3

  • SHA256

    be0ddeb3e3b7d943e20c4f535891d04c2b3981894dc777dcc17d27d304b1dbf9

  • SHA512

    5f1474dc892a850fd1a94aeaf940b0a89f61698a044bcc6b65479ee892b343da24c218f4a55ff284b2202f7804687f9ef581a7ebc6fd56eb6cbfece3dda9e6e2

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
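
The signatures above name registry changes (Explorer extension and hidden-file visibility, RegEdit disabled, Winlogon and Run persistence) but the report does not show the values written. The script below is an added example, not the sandbox's code: it parses a `reg export` dump and flags those locations. The key paths and their defaults are standard Windows locations; the SAMPLE_EXPORT is constructed, its values are hypothetical, and the Run value name "ycpaylkwhgulfmj" is an assumption chosen to match one of the dropped file names listed further down.

```python
"""Audit a Windows registry export for the changes named in the signatures
above.  Added example, not the sandbox's own code: key paths and defaults
are standard Windows locations; SAMPLE_EXPORT is a constructed 'reg export'
with hypothetical values, not data observed in this analysis."""
import re

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')

# Key paths are compared lower-cased (registry key names are case-insensitive).
ADV = r'hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced'
POL = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
WLG = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN = (r'hkey_current_user\software\microsoft\windows\currentversion\run',
       r'hkey_local_machine\software\microsoft\windows\currentversion\run')
# Dropped-file names taken from the Processes / Downloads sections of this report.
DROPPED = ('qtataucwkr.exe', 'ycpaylkwhgulfmj.exe', 'hoyyqncu.exe', 'ewspnxceazjay.exe')


def parse_reg(text):
    """Return {(key_path, value_name): value} for REG_DWORD and REG_SZ entries.
    hex: (binary) and multi-line values are skipped; they are not needed here."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            continue
        if key is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[(key, m['name'].lower())] = int(m['hex'], 16)
            continue
        m = STR_RE.match(line)
        if m:  # .reg files escape backslashes as \\ and quotes as \"
            values[(key, m['name'].lower())] = m['val'].replace('\\\\', '\\').replace('\\"', '"')
    return values


def audit(values, dropped=DROPPED):
    """Return findings as 'HIGH: ...' / 'INFO: ...' strings."""
    out = []
    # HideFileExt=1, Hidden=2, ShowSuperHidden=0 are also the Windows 7 defaults,
    # so alone they only corroborate the signature; they matter when the user
    # had previously switched them the other way and the sample reverted them.
    if values.get((ADV, 'hidefileext')) == 1:
        out.append('INFO: Explorer hides known file extensions (HideFileExt=1)')
    if values.get((ADV, 'hidden')) == 2:
        out.append('INFO: Explorer hides hidden files (Hidden=2)')
    if values.get((ADV, 'showsuperhidden')) == 0:
        out.append('INFO: Explorer hides protected OS files (ShowSuperHidden=0)')
    if values.get((POL, 'disableregistrytools'), 0) != 0:
        out.append('HIGH: RegEdit disabled (DisableRegistryTools set)')
    shell = values.get((WLG, 'shell'))
    if shell is not None and shell.strip().lower() != 'explorer.exe':
        out.append(f'HIGH: Winlogon Shell tampered: {shell!r}')
    userinit = values.get((WLG, 'userinit'))
    if userinit is not None:
        entries = [e.strip().lower() for e in userinit.split(',') if e.strip()]
        if any(not e.endswith(r'\system32\userinit.exe') for e in entries):
            out.append(f'HIGH: Winlogon Userinit tampered: {userinit!r}')
    for (key, name), data in values.items():
        if key in RUN and isinstance(data, str) and any(d in data.lower() for d in dropped):
            out.append(f'HIGH: Run value {name!r} starts a dropped file: {data!r}')
    return out


# Constructed export with hypothetical values (not observed in this report).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\qtataucwkr.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ycpaylkwhgulfmj"="C:\\Windows\\SysWOW64\\ycpaylkwhgulfmj.exe"
'''

if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

A real `reg export` file is UTF-16 LE with a BOM, so read it with `open(path, encoding='utf-16')` before passing it to parse_reg. The Run check only matches the dropped names from this report; on a live host, review every Run entry rather than relying on that list.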

Processes

  • C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\qtataucwkr.exe
      qtataucwkr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\hoyyqncu.exe
        C:\Windows\system32\hoyyqncu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2008
    • C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe
      ycpaylkwhgulfmj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1116
    • C:\Windows\SysWOW64\hoyyqncu.exe
      hoyyqncu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1968
    • C:\Windows\SysWOW64\ewspnxceazjay.exe
      ewspnxceazjay.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1260
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:676
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1136
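
The tree above shows the pattern a detection engineer wants to catch: a binary running from %TEMP% starts several executables it wrote into SysWOW64, one of them is requested as C:\Windows\system32\hoyyqncu.exe but resolves to SysWOW64 (WOW64 file-system redirection for a 32-bit caller), and WINWORD.EXE is launched by the dropper rather than by the shell to open a decoy document. The script below is an added example, not the sandbox's detection logic: the events are constructed from the Processes section (Sysmon event ID 1 or equivalent EDR telemetry would supply the same fields on a real host), and because the report does not show the parent of PID 2224 its ppid is left as None.

```python
"""Triage rules over process-creation events.  Added example, not the
sandbox's own logic; SAMPLE_EVENTS is constructed from the process tree in
this report (the parent of PID 2224 is not shown there, so ppid=None)."""
import ntpath
from collections import defaultdict

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}
INTERACTIVE_PARENTS = {'explorer.exe', 'outlook.exe'}  # expected launchers of Office
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\', '\\users\\public\\')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')

SAMPLE_EVENTS = [  # pid, ppid, image, command line, in creation order
    dict(pid=2224, ppid=None,
         image=r'C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe',
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\7873e7e0692a506e43e36d4bf4da28b7_JaffaCakes118.exe"'),
    dict(pid=2364, ppid=2224, image=r'C:\Windows\SysWOW64\qtataucwkr.exe', cmdline='qtataucwkr.exe'),
    dict(pid=2008, ppid=2364, image=r'C:\Windows\SysWOW64\hoyyqncu.exe',
         cmdline=r'C:\Windows\system32\hoyyqncu.exe'),
    dict(pid=1116, ppid=2224, image=r'C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe', cmdline='ycpaylkwhgulfmj.exe'),
    dict(pid=1968, ppid=2224, image=r'C:\Windows\SysWOW64\hoyyqncu.exe', cmdline='hoyyqncu.exe'),
    dict(pid=1260, ppid=2224, image=r'C:\Windows\SysWOW64\ewspnxceazjay.exe', cmdline='ewspnxceazjay.exe'),
    dict(pid=676, ppid=2224, image=r'C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE',
         cmdline=r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"'),
]


def _base(path):
    return ntpath.basename(path).lower()


def triage(events):
    """Return {pid: [reasons]} for flagged processes.  Events must be in
    creation order (parents before children) so the taint rule can see them."""
    by_pid = {e['pid']: e for e in events}
    reasons = defaultdict(list)
    for e in events:
        img = e['image'].lower()
        parent = by_pid.get(e['ppid'])
        pimg = parent['image'].lower() if parent else ''
        # 1. A System32/SysWOW64 binary started by a process running from a
        #    user-writable path: a dropper executing what it just wrote.
        if any(d in img for d in SYSTEM_DIRS) and any(u in pimg for u in USER_WRITABLE):
            reasons[e['pid']].append('system-directory binary spawned from a user-writable path')
        # 2. Office opened by something other than the shell or mail client: decoy document.
        if _base(img) in OFFICE_APPS and _base(pimg) not in INTERACTIVE_PARENTS:
            reasons[e['pid']].append(f'Office application launched by {_base(pimg) or "unknown parent"}')
        # 3. Command line names system32 but the image is in SysWOW64: the 32-bit
        #    caller was redirected by WOW64.  A rule that only matches
        #    '\system32\' in the command line would point at the wrong file.
        if '\\system32\\' in e['cmdline'].lower() and '\\syswow64\\' in img:
            reasons[e['pid']].append('WOW64 redirection: cmdline names system32, image is in SysWOW64')
        # 4. Taint: children of an already-flagged process inherit suspicion.
        if parent is not None and parent['pid'] in reasons:
            reasons[e['pid']].append(f'child of flagged process {parent["pid"]}')
    return dict(reasons)


if __name__ == '__main__':
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, '|', '; '.join(why))
```

Rule 1 also fires for some legitimate installers that stage in %TEMP% and then run a component from System32, so on a production host pair it with the image's signature state or the taint from rule 4 rather than alerting on it alone.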

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    53220393d595d6e5467b1057bb8881c9

    SHA1

    57d9f2341a62c9be2df7e607a53f0784a51a472d

    SHA256

    ab90abfffb2ca9ad23344986c3f2214ac5ba17392117c94eb494e904affa35f5

    SHA512

    21d4dcac1091d2c88e77c0e3a9c39ec9146228a09deb8608f96347ec92c95f099a4c5a1aec21c87ba90d3cc421d85221daaeec142f91c9f79c126afb430013fb

  • C:\Program Files\ExitSync.doc.exe

    Filesize

    512KB

    MD5

    1a506ba1e63ffacb7256a8af143744b6

    SHA1

    2bc96f25cfd1a1769fa6c3da475a36b39c607ef7

    SHA256

    9877607891613bfde4e672261ef8e0c80d9d463d6bf6a98386cc235e30a92891

    SHA512

    38f4824546e0c2495b800d947589b55dc3a7b6397d4b6be09a9955c3ef6838cd4429e995dc657225f54ef3bac3f06a422305ed0a5c81669777ad7c848f81ba10

  • C:\Windows\SysWOW64\ewspnxceazjay.exe

    Filesize

    512KB

    MD5

    3b05d8ad7034e67a501d329ae8eebe91

    SHA1

    a86befaeb019a910a911533c18b58e501dd45476

    SHA256

    2c708bd54fb8ae48360b92b5306fced7563448e9e9d7f561a66ec003a7e76e1b

    SHA512

    a9e783bd585e542eb62f09589d8fda24576342f17d7ebb7c3fb4f9d10d89646bd6ea1537d7014cac4ab54ff718660c4c34108553cb5911202e22ffbb4299608e

  • C:\Windows\SysWOW64\ycpaylkwhgulfmj.exe

    Filesize

    512KB

    MD5

    553e511e9641e22b0b5ab49e325b29dd

    SHA1

    dc781aa5c1cd67794bc7abcba114e699d95c0466

    SHA256

    85eea1d2dbd6f9ccd0993d324a915763805bef3f219ae9d80631f064e5999d60

    SHA512

    1453645dd876836140869c2de99b5ae75d65bde1fbc987c3bc20f3914fcf5beaa655733c81143c463cf2a910873078b0954af1576d7b16aa2b6d977a50f2d0bc

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\hoyyqncu.exe

    Filesize

    512KB

    MD5

    ae185cc9f21e6e472cffda4f144e3718

    SHA1

    2df17fd35a2ba7a2792b97b2c73b59180802b0be

    SHA256

    4ccb382c2f83bd3502345b9f53f41ce0ed48536f79f0760dd5e773225fbcbd3a

    SHA512

    db7cad28d251874d216463ef3e60b81e78fd2ab41d3162f53084e728525b9acb612e2c65106bf0187089ce2d1fce851846d5459083aef1dfcf4766c2405279f9

  • \Windows\SysWOW64\qtataucwkr.exe

    Filesize

    512KB

    MD5

    1de60009bbacf05e29019dff48811960

    SHA1

    0da6e69a2778673b50ffcb8d7e23e97b0f995f8a

    SHA256

    cf85052de6ed399a4aa2d33b7ed40bb2a6b4d769ecfb9c0bd230c00bbb1a33bf

    SHA512

    ef97000dfde082c76af04f04c35f584994278a1d0fe69ee3b6eb3beaf91edbd691282c1e0b185ebea077372e3a7b86a0114456a245b44a4991c6ce9fc33dde9c

  • memory/676-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2224-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB
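
Two of the dropped files (PROTTPLN.DOC.exe in the Office 1033 folder and ExitSync.doc.exe in Program Files) carry a document name with a trailing .exe; combined with the HideFileExt change flagged under Signatures, Explorer would show them as "PROTTPLN.DOC" and "ExitSync.doc". The script below is an added example, not the sandbox's code: it walks a directory tree and reports files that match the SHA256 values listed above or that use this double-extension naming. The demo directory it builds is constructed and contains placeholder bytes, not the real dropped files.

```python
"""Scan a directory tree for the dropped files listed in this report, by
SHA256 and by document-lookalike naming.  Added example, not the sandbox's
own code; hashes are copied from the Downloads section, the demo files are
constructed placeholders."""
import hashlib
import os
import re
import tempfile

# SHA256 values from the Downloads section above.
REPORT_SHA256 = {
    'ab90abfffb2ca9ad23344986c3f2214ac5ba17392117c94eb494e904affa35f5',  # PROTTPLN.DOC.exe
    '9877607891613bfde4e672261ef8e0c80d9d463d6bf6a98386cc235e30a92891',  # ExitSync.doc.exe
    '2c708bd54fb8ae48360b92b5306fced7563448e9e9d7f561a66ec003a7e76e1b',  # ewspnxceazjay.exe
    '85eea1d2dbd6f9ccd0993d324a915763805bef3f219ae9d80631f064e5999d60',  # ycpaylkwhgulfmj.exe
    '4ccb382c2f83bd3502345b9f53f41ce0ed48536f79f0760dd5e773225fbcbd3a',  # hoyyqncu.exe
    'cf85052de6ed399a4aa2d33b7ed40bb2a6b4d769ecfb9c0bd230c00bbb1a33bf',  # qtataucwkr.exe
}
# "<document>.<exe>" names; case-insensitive because the sample uses both .DOC.exe and .doc.exe.
DOUBLE_EXT = re.compile(r'\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.(exe|scr|com)$', re.IGNORECASE)


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def scan(root, iocs=REPORT_SHA256):
    """Return [(path, sha256, [reasons])] for files matching a hash or the naming pattern."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            if DOUBLE_EXT.search(name):
                reasons.append('document-lookalike executable (double extension)')
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable or vanished between walk and open
                continue
            if digest in iocs:
                reasons.append('sha256 matches report IOC')
            if reasons:
                hits.append((path, digest, reasons))
    return sorted(hits)


def demo():
    """Build a constructed directory (placeholder bytes, not the real files) and scan it
    twice: once with the report's hashes, once with the placeholder's own hash added."""
    root = tempfile.mkdtemp(prefix='ioc-demo-')
    fake = b'constructed placeholder bytes, not the real dropped executable'
    lookalike = os.path.join(root, 'ExitSync.doc.exe')
    with open(lookalike, 'wb') as f:
        f.write(fake)
    with open(os.path.join(root, 'notes.txt'), 'wb') as f:
        f.write(b'benign text file')
    first = scan(root)
    second = scan(root, REPORT_SHA256 | {hashlib.sha256(fake).hexdigest()})
    return {'lookalike': lookalike, 'first': first, 'second': second}


if __name__ == '__main__':
    for path, digest, why in demo()['second']:
        print(path, digest[:16], '; '.join(why))
```

The hash match is exact and only catches these specific builds; the naming rule is the more durable signal for this family's style of dropping but will also match any legitimately named "report.pdf.exe", so treat it as a lead for review rather than a verdict.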