Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/06/2024, 22:01

General

  • Target

    b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    b04f559d9c4c4394fd54c78c1294b180

  • SHA1

    20e59d102e6a1bc1143ec19cde175a8cb9fd31fe

  • SHA256

    1e45e8d4d72a0cf76f0125bc5215160e5728017008ba28394ad0524f28d554cc

  • SHA512

    12d5e6dd8c5d6d77e485318a64393cae584e1ede26969f8f45c8a646c566f81ecae22af29cef1268739e72aac52260c41937edd2758b7e657f71bcd1c80cdcf0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b04f559d9c4c4394fd54c78c1294b180_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\elcqjnawir.exe
      elcqjnawir.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\mkviwinw.exe
        C:\Windows\system32\mkviwinw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2272
    • C:\Windows\SysWOW64\njeixyaymwozxra.exe
      njeixyaymwozxra.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732
    • C:\Windows\SysWOW64\mkviwinw.exe
      mkviwinw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
    • C:\Windows\SysWOW64\wulmlakqrknkc.exe
      wulmlakqrknkc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2836
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1624

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      6006adc30ef0fbb9b3110a2bc63fbee0

      SHA1

      f7562bdcc720a5041dab46217fba495eaf8710c7

      SHA256

      89f3e619090b6f897adde58aafa01fcdd018494b67db7f88b595bea17039f1ac

      SHA512

      6d6174a2e1e07a3f4b905d7f76710088439bec18d48c6665e7bbf4bd436ac10ef0cb74177142d03391d16496c78af6c84929a0103add3b582887b53f072e8f52

    • C:\Users\Admin\Desktop\TraceMerge.doc.exe

      Filesize

      512KB

      MD5

      998207c696bef4c8ead55ee4f0d4eab3

      SHA1

      dd01d666fca7282cb5d5491e08f37575e38f7484

      SHA256

      0771524c0f67656205dbda582b3f60f4cee5d018dff56f35807c963e8f0350d4

      SHA512

      655e3162503eea2eb2a53050541cd4d4e448eeeb051a5ea13d975b46e5ee6f87410083a9b5d3b197ba3bbb905477eac7b50cc6c1cae2783d403d676b12c7b28f

    • C:\Users\Admin\Documents\CompressSend.doc.exe

      Filesize

      512KB

      MD5

      cd939251cf95c792cdcfe54bc94a66bf

      SHA1

      f444c36dc4ae1999a215bac5ca1d3a92c04d210e

      SHA256

      2762a6e8b74b43d966b02bd2fd0090099338f4d3462db3436a2b52800bf4f5f1

      SHA512

      7340d2ebdbf5a35b5dd4b6474ca1f90cc64f2d9e1dca4ba8c3dd88feaabed409f36ae87b2c89bc137476862ce84707aaf8a801ab9a424f1c93df6443b8c60bda

    • C:\Windows\SysWOW64\njeixyaymwozxra.exe

      Filesize

      512KB

      MD5

      e3f9daf1874e9740f8669c3e44e0bb46

      SHA1

      8a5def689df5dcdcc997a5dfcb12450b93e12a0d

      SHA256

      c989dbcc4f9b72e42ead9102247a110a1e4434a2ae9bf6b89969bf5c312b7fa5

      SHA512

      dda30bcb7ab50ca81dde64cd6a07cd9dbd2ffe074252cfc32c2b55d0bb37dcc8a2a52fb664737a0412ff3f209a0b069b23a42f762f0f37af6c832104b9200580

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\elcqjnawir.exe

      Filesize

      512KB

      MD5

      1670d8631e2d710d89501fbc6aa17234

      SHA1

      0bb8ca84ea1b18d70e96893d24388a1b7701637b

      SHA256

      0512bd79bd82e552efe6f7ebfee30b48f469e987d788ae5760248f1f30016352

      SHA512

      c16cc39c1a0c4d6c6c6071236c8e142e69720069ffecc1fcdb61833f6acfb1273f84befcfa45fc1e5b40d87d71ee4f5c80f0c081ab394443b9708cc9f2d9c4d1

    • \Windows\SysWOW64\mkviwinw.exe

      Filesize

      512KB

      MD5

      abc80d08d6b69f259c84131a3c411fbe

      SHA1

      a3e55845c1ab0283f7f56b288124bd42e9d44aee

      SHA256

      925003588a9877330e9b41166af5877f9aff1c113914f6cdc67f6a297ee1e097

      SHA512

      2b4f8fe79da7b781dc957d7a0b56b5b1064e4a7fd026059f3e0c5f1c622cd016ad641c37c34312eb769f82dec63cef8e4e66964cf0e04455b613ee36210319e6

    • \Windows\SysWOW64\wulmlakqrknkc.exe

      Filesize

      512KB

      MD5

      e5628b1aed0330012770ec931c055aa2

      SHA1

      7cf44e47fa0523826571e0d919eba58211a53c2c

      SHA256

      7c7ccd984cea7f44076b88594f821f6fd00590f70049234816eea94d5800cb70

      SHA512

      80ca0ac9bf6cdc3b723ef092c81a5d1ac317132e2046021f8712a0f6318eb42a5c43ed1e124d8e371dd134dad8b6ebbff26b2e259fe423824163a907f47ea00d

    • memory/2220-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2604-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2604-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB