Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 13:20

General

  • Target

    a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    a5c0af96bf86097e088a09f7fe336495

  • SHA1

    80c34112b82277d4e691efe9b8adc90377e5ffa2

  • SHA256

    1ddba0cf6c8343a36b45a7c0bd4ac88c82db6ad8dc80f19cf9321f5f4b9fcfe9

  • SHA512

    474589af262fea247570fdb923be7d2c66480cab91f9d6a49c3544b233934392a88a47067cabe103733b7a620921f8ef991639fbdb3c2658cbbd3a3cf49901e5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a5c0af96bf86097e088a09f7fe336495_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\iiskocxncv.exe
      iiskocxncv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\capviumj.exe
        C:\Windows\system32\capviumj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2664
    • C:\Windows\SysWOW64\osxsnjzkzrydagy.exe
      osxsnjzkzrydagy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Windows\SysWOW64\capviumj.exe
      capviumj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1472
    • C:\Windows\SysWOW64\xbkspdqivzzke.exe
      xbkspdqivzzke.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2456
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2488

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b4ab6b0e0246d96af22b5b1550a2d234

      SHA1

      39b1a5691d99a2a0a2b006c58c3769f685abb530

      SHA256

      f83a44055fe47506bafdf145989fcd1beab57eb90becb1e9e5a0acc237ddc560

      SHA512

      3e8ed002cf2a0cced49391b73add7bde33a4516cf105813804556025710ceed40a068452f0b53f0c7383409fbbdd48435896fb67db68e9ad4e4c566bb604cc90

    • C:\Users\Admin\Desktop\EnterGet.doc.exe

      Filesize

      512KB

      MD5

      53d7f599b90e391bf64487429c5295c3

      SHA1

      3ec08213d187754ead752e0d86444a9003b46bb3

      SHA256

      eba5cb57f817548d84b1237bc76bc86e031deeb947cc3a3feda580a87558ecc2

      SHA512

      c8db04132ee4c9b738bbe62a3e961116a8f7932f5fc6c2e1dc276d8dfee7837fb2f9c6351f37b277ba9c2893ebf6eec5d5f1dcdac3cd8aed8e3d0a5ff63bed82

    • C:\Windows\SysWOW64\osxsnjzkzrydagy.exe

      Filesize

      512KB

      MD5

      104a2ab2daf98ac8ce3f02782db0062d

      SHA1

      1af70d9c4a3a9dd959a39369781aae4fbca40e78

      SHA256

      033ef1a478805f43c247aa5122b7746de0ea6fe6a31c9e23df8e5989648b24b3

      SHA512

      c0feade18df3caa7c23be3ff5128e54d7261ae51afa0741fe9b5393eb2f4564e40383c2c13220ef91bca4e9a6dfbdee41be3cf4b0b6aea9c44476f9ad1cd40ed

    • C:\Windows\SysWOW64\xbkspdqivzzke.exe

      Filesize

      512KB

      MD5

      6f792b10c3f7df236db6e81fd2f7f548

      SHA1

      67a96117d7033b40387f0ffb333d4de51f660ac4

      SHA256

      81d46b76799d4a1e35458b4f620dcab8d5e9ab9497941e64e0f7092d81b2ffb0

      SHA512

      f1be7fc2b942f69d578e43f40c7a8f9a2e924f3101db15bc72ca3f80d7f873110cf6623b4e10f8a8e6465065eefb16ba7ba5655dced05ab1ab6b58de7e090255

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\capviumj.exe

      Filesize

      512KB

      MD5

      5a1dae2293252fe6be0705d548eab690

      SHA1

      eda7ab88135ed9d85a6cd4c86210eded36e42a79

      SHA256

      f32a8652b6a21ce68bdc6b3defc418236f5089e822aa883815ba975c6c0d38a8

      SHA512

      5f81aa47e6d31ec22cb4a4e543377c2ca179495605790e21e819eb60d4b0b50528e069699cd6f18478160236f86f8f696a5a27da4715326aa9defdf7c35c93f0

    • \Windows\SysWOW64\iiskocxncv.exe

      Filesize

      512KB

      MD5

      e119669f5a13b7bd6f710bc2ccba4e1f

      SHA1

      13b8292b4d9bc945bba861cc4ee68e47621860e4

      SHA256

      f065934bf3e29de55474b4d1b83f312cffa93dc76ac9c54caa916817dbcc8817

      SHA512

      ee61e855c741cf8495d79365069e08d9b72ab90e460dd2176fa0bb9079fe89c55b16221478d7cb6454d7e6d6a5e934c6ffe063262a7d73a953e149119dd71503

    • memory/2324-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2472-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2472-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB