Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/05/2024, 01:44

General

  • Target

    85a1eb0b56f463ea0c86962ca6b386e0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    85a1eb0b56f463ea0c86962ca6b386e0

  • SHA1

    be494d16b5bb7a5ee8fae3a7ef872db80e73483f

  • SHA256

    68b8afd2c08f78c7d13c81ee6293401afb31cf99f19fa57cac6313c17dff9c05

  • SHA512

    924c8b4511ec2b6dfc80efffd11a12799a28bb6729e7a04534f5bca7ba5a7cafaa3e046b3e3986bf648ee983deee13eb29a169c41b432cdd313c4fe7faeaceac

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
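
Host triage for the registry-based signatures listed above, written here as an added example; it is not part of the Triage report and not the sample's own behaviour. The report names the behaviours but does not print the values it saw, so the key/value pairs below are the ones these signature names are normally raised on (an assumption); in particular, mapping "Windows security modification / bypass" onto the Defender policy keys is a guess flagged as such in the comments. Run it from an elevated PowerShell prompt on a suspect host and review every row it prints.

```powershell
# Host triage for the registry-based signatures in the report above.
# The report names the behaviours but not the values it saw; the key/value
# pairs below are the ones those Triage signature names are normally raised
# on (assumption). Run from an elevated PowerShell prompt on the suspect host.

$checks = @(
    # "Modifies visibility of file extensions / hidden & system files in Explorer"
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';     Bad={ param($v) $v -eq 1 }; Why='known extensions hidden' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden';          Bad={ param($v) $v -eq 2 }; Why='hidden files not shown' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Bad={ param($v) $v -eq 0 }; Why='protected OS files hidden' }
    # "Disables RegEdit via registry modification"
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Bad={ param($v) $v -ge 1 }; Why='regedit blocked by policy' }
    # "Windows security modification / bypass": Defender policy keys (assumption, not stated by the report)
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name='DisableAntiSpyware'; Bad={ param($v) $v -eq 1 }; Why='Defender disabled by policy' }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableRealtimeMonitoring'; Bad={ param($v) $v -eq 1 }; Why='real-time protection disabled' }
    # "Modifies WinLogon": anything but the stock Shell / Userinit values
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';    Bad={ param($v) $v -ne 'explorer.exe' }; Why='Winlogon Shell replaced' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Userinit'; Bad={ param($v) $v -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$' }; Why='Winlogon Userinit replaced' }
)

$findings = @(foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value absent: default state, nothing to report
    $data = $item.($c.Name)
    if (& $c.Bad $data) {
        [pscustomobject]@{ Key=$c.Path; Value=$c.Name; Data=$data; Finding=$c.Why }
    }
})

# "Adds Run key to start application": dump every Run entry and mark the ones that
# point into C:\Windows or SysWOW64, where the report shows the dropped copies live.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider noise, not Run values
$findings += @(foreach ($k in $runKeys) {
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    foreach ($p in $item.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $suspect = $p.Value -match '\\Windows\\(SysWOW64\\)?[^\\"]+\.exe'
        [pscustomobject]@{ Key=$k; Value=$p.Name; Data=$p.Value; Finding=$(if ($suspect) { 'Run entry in Windows dir' } else { 'Run entry (review)' }) }
    }
})

$findings | Format-Table -AutoSize -Wrap
```

The Explorer and RegEdit values are per-user (HKCU), so run the script as the user who executed the sample, or load that user's hive; the Winlogon, Defender and HKLM Run checks need elevation. An empty result for a check means the value is absent, which is the default state, not proof that nothing was changed.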

Processes

  • C:\Users\Admin\AppData\Local\Temp\85a1eb0b56f463ea0c86962ca6b386e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\85a1eb0b56f463ea0c86962ca6b386e0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\SysWOW64\vafvqzfknl.exe
      vafvqzfknl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\SysWOW64\zqpasddl.exe
        C:\Windows\system32\zqpasddl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1204
    • C:\Windows\SysWOW64\vtsevgslcsmaeyl.exe
      vtsevgslcsmaeyl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3008
    • C:\Windows\SysWOW64\zqpasddl.exe
      zqpasddl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3972
    • C:\Windows\SysWOW64\tqrymtlihwgxf.exe
      tqrymtlihwgxf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3660
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3288
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
    1⤵
      PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      5a0246201916b455e80cbe14e3a1314f

      SHA1

      ff0174e66dac8498bb2b82c6029b6bf54a9ac46e

      SHA256

      2f0822c60f640e2b6512b5e1ac584e9a0759487d7a5bb431bbc531720bedbfa9

      SHA512

      98f127fc4c1d6477948a5ca5757a900776735fd1799351ab644ab40e1745b1e78d8a522f2b9c9a45dea09e3e9c2f3aa6ce448d568dc9bedad0ac6bb82144dfc1

    • C:\Users\Admin\AppData\Local\Temp\TCD3565.tmp\sist02.xsl

      Filesize

      245KB

      MD5

      f883b260a8d67082ea895c14bf56dd56

      SHA1

      7954565c1f243d46ad3b1e2f1baf3281451fc14b

      SHA256

      ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

      SHA512

      d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      5315963f49db9d4019f47d6515ad2cef

      SHA1

      8ac3d19028427ce000d2514c3e09b766b727d4a2

      SHA256

      7ce6453ce0b6a9bc44b7774b14fa9b7cdfcd09db0b3602161f510a334aca82b3

      SHA512

      abefeb4565aa826b860c646a01e7e0349e7c01b4995ae9b015a76bb9d6fffc3e491a0979571cf78e4c33041f49ee5fcab79864397aeb64ab233606b8d8b4e23c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      5e3b8a91ffd001056ad2f71a1837cc6b

      SHA1

      235bbfab552caed59d89dcc15b4e6d8746dea4f4

      SHA256

      032d9c64c3b9b06127ddf0777216961d265d90a733eef29cfdf6e981272ec78f

      SHA512

      d1169745588ff54d186e919a807b96c20c43ca6a1350f6398facbffbe0ab6c682ea902f34a48ed2baa12f33f08e22ed1c3b595e3029ffe27288972cc56f9f86c

    • C:\Windows\SysWOW64\tqrymtlihwgxf.exe

      Filesize

      512KB

      MD5

      033669f07d9eaf579bedea2f3d1e1434

      SHA1

      1ffe6422c8f6431b5abe42e8aa8f2ca3448e9016

      SHA256

      b6c77636ad84272abd9fc64d351df2a280d735480c46fa4de6563ac4581c50d3

      SHA512

      bb2f1b9c622cf9942d85ce89d2ca744581bcc67f6b42c1301b0fc74f5a42d48c1299a1fd6140e936b5629b67c6c4b535b6e499b4db99e2644801553613196e50

    • C:\Windows\SysWOW64\vafvqzfknl.exe

      Filesize

      512KB

      MD5

      306ebd18273f489294fdfc7f73f14c45

      SHA1

      9ce3740e4ded0a9f3b81bd21088727c89af3be3b

      SHA256

      e1735b47802fe488fd31c60b14bf344f7f5e71e009a4c6205478a63848b92bf3

      SHA512

      c0d5d32cf6e16407eba0dd30fd58be22a59b64c70f909f17c0abc63453f01fea774fcf86ea454283a6ac92daea7e4dbaa69ebe435ed4cb6924fa32917a4d0e3e

    • C:\Windows\SysWOW64\vtsevgslcsmaeyl.exe

      Filesize

      512KB

      MD5

      fab81e25d8daff0dc1bd5bd153c3c156

      SHA1

      19a220b7cdb504433060c19e1f63a19cebd0e5d6

      SHA256

      c6a700324fd90ac4fe2ea7889bbcfba0d54d38eeebbb1fe36f714ba95a586bcb

      SHA512

      2efab68c7ca7074b0dd45addb59b8a8f01052c0dadf9ebbe0f9ef27d86e0d24dce74e679503cb7b136db4170613deba05d0eae5b168995e58ee9a944ecf2cd6e

    • C:\Windows\SysWOW64\zqpasddl.exe

      Filesize

      512KB

      MD5

      7cdd4793597a459a962840acc1580718

      SHA1

      1baee6cc961b08c899b9bc63784a302170e39359

      SHA256

      fd83e8c9c59d4dfe0b52e14890f08a4106585d2384d1c62cdfab50808133bee6

      SHA512

      17f4b8eec44a3be7cd47de239516755205a51c6ff5db0265fc6417c495ad127d4e682e498b89efb4eebbcced6f87c1af9f62a94171ee36062abebe6e66aec2d4

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      1319b12fe2856e0cb6d7fc5a363e7bc9

      SHA1

      29b8193361a4c026762690b334cfdd15466e4af9

      SHA256

      75dcf740b3767bd0333b570982267deec8867d2cf5841fa08aa09f1e5e2f2536

      SHA512

      9dee3f92522d6a2972cf4be038b2b36bbf9325d17dccbae6326c939cb5e968b6e5adf0dd70eddc6d60ec6b8b5ab54bd12499a419067d7d67b25ae2193440bbca

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      cb547598ab0657505edb821d5a03a750

      SHA1

      d68d4273e6ab001eefbd3a243c764a689ff06569

      SHA256

      3662275117de7c3ced2bd2742f555d107749b1d5cd1372107f038da1500508e0

      SHA512

      331ac3d28bef55fbf3edd40e2c86cd4dc4781b9053c455de31f7bb31f078c04cca5ef9844489943ba174e61b10dd8d870f524cb0283c8182c30da563451a1d17

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      a9561c5ab4247de20a0e17463fb1fdcc

      SHA1

      98267cc22f5c4a33ea4a60a7a6bc75d075309d6b

      SHA256

      e5af9d12447f4e4d42dbb5820ed3a35f421c5ad28203de4a15dbea67f05410f8

      SHA512

      a72d86bd3225ccd4edcda41ebb243179812c83d7624b5e0cbf962aaab381a0664733db1bdc9ef97feeace84594b5413ee71dac9433a91c529ec7a03292f0adf1

    • memory/3288-39-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-42-0x00007FF7C0FF0000-0x00007FF7C1000000-memory.dmp

      Filesize

      64KB

    • memory/3288-36-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-38-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-37-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-35-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-43-0x00007FF7C0FF0000-0x00007FF7C1000000-memory.dmp

      Filesize

      64KB

    • memory/3288-599-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-602-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-601-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3288-600-0x00007FF7C3950000-0x00007FF7C3960000-memory.dmp

      Filesize

      64KB

    • memory/3916-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB
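
An IoC sweep assembled from the Downloads list above, added here as an example; it is not part of the Triage report. The SHA256 values are the ones quoted in the report. Everything else is inferred from the same list and from the process tree: the four randomly named 512KB copies in SysWOW64, the Office files overwritten as `<name>.DOC.exe`, and the decoy `C:\Windows\mydoc.rtf` that the dropper hands to WINWORD.EXE. Note that every drop in the list is 512KB yet no two hashes agree, so on another host the exact hashes are the weakest signal and the name, size and signature checks are the ones likely to fire. Triage rounds displayed sizes, so the size test uses a band rather than exactly 524288 bytes (assumption).

```powershell
# IoC sweep assembled from the "Downloads" list above. The SHA256 values are the
# ones quoted in the report; paths, the size band and the name pattern are
# inferred from that list (assumptions). Run elevated on the suspect host.

$reportSha256 = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        'b6c77636ad84272abd9fc64d351df2a280d735480c46fa4de6563ac4581c50d3', # SysWOW64\tqrymtlihwgxf.exe
        'e1735b47802fe488fd31c60b14bf344f7f5e71e009a4c6205478a63848b92bf3', # SysWOW64\vafvqzfknl.exe
        'c6a700324fd90ac4fe2ea7889bbcfba0d54d38eeebbb1fe36f714ba95a586bcb', # SysWOW64\vtsevgslcsmaeyl.exe
        'fd83e8c9c59d4dfe0b52e14890f08a4106585d2384d1c62cdfab50808133bee6', # SysWOW64\zqpasddl.exe
        '2f0822c60f640e2b6512b5e1ac584e9a0759487d7a5bb431bbc531720bedbfa9', # Office16\1033\PROTTPLV.DOC.exe
        '75dcf740b3767bd0333b570982267deec8867d2cf5841fa08aa09f1e5e2f2536', # Office16\1033\PROTTPLN.DOC.exe
        '3662275117de7c3ced2bd2742f555d107749b1d5cd1372107f038da1500508e0', # SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        'e5af9d12447f4e4d42dbb5820ed3a35f421c5ad28203de4a15dbea67f05410f8', # SysWOW64\MSDRM\MsoIrmProtector.doc.exe (second copy)
        '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2'  # C:\Windows\mydoc.rtf (decoy)
    ),
    [System.StringComparer]::OrdinalIgnoreCase)

$sysWow = Join-Path $env:SystemRoot 'SysWOW64'
$decoy  = Join-Path $env:SystemRoot 'mydoc.rtf'
$files  = @(
    Get-ChildItem -Path $sysWow -File -Recurse -ErrorAction SilentlyContinue
    Get-ChildItem -Path $env:SystemRoot -File -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $env:ProgramFiles 'Microsoft Office') -File -Recurse -ErrorAction SilentlyContinue
)

$hits = foreach ($f in $files) {
    $why = @()
    $inBand = ($f.Length -ge 500KB -and $f.Length -le 520KB)   # "512KB" in the report, rounded
    # Office DLLs/templates overwritten as <name>.DOC.exe (double extension)
    if ($f.Name -match '\.doc\.exe$') { $why += 'double extension *.doc.exe' }
    # Random lowercase name, ~512KB, dropped straight into SysWOW64 and not validly signed
    if ($f.DirectoryName -ieq $sysWow -and $inBand -and $f.Name -cmatch '^[a-z]{8,16}\.exe$') {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') { $why += "~512KB unsigned drop in SysWOW64 ($($sig.Status))" }
    }
    # Decoy document the dropper opens via WINWORD.EXE /n
    if ($f.FullName -ieq $decoy) { $why += 'decoy mydoc.rtf present' }
    # Exact-hash match against the report, only for files already worth hashing
    if ($why.Count -gt 0 -or $inBand) {
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $reportSha256.Contains($h)) { $why += 'SHA256 listed in report' }
    }
    if ($why.Count -gt 0) {
        [pscustomobject]@{ Path = $f.FullName; Bytes = $f.Length; Why = ($why -join '; ') }
    }
}

$hits | Sort-Object Path | Format-Table -AutoSize -Wrap
```

Treat a `*.doc.exe` hit under the Office tree or `SysWOW64\MSDRM` as high confidence regardless of hash, since no legitimate Office install ships files with that double extension; the `Get-AuthenticodeSignature` check keeps catalog-signed Windows binaries that happen to be lowercase and in the size band out of the output. The msedge.exe utility process at the end of the process tree is sandbox background activity, not something the sweep needs to look for.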