Overview

overview

10

Static

static

7

3e80d28328...18.exe

windows7-x64

10

3e80d28328...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2024 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e80d28328e3ef6aebdb83964111abec_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    3e80d28328e3ef6aebdb83964111abec

  • SHA1

    3ba7992eec21c31a2289c7381bc3d2f5fc5392bb

  • SHA256

    840acc765da512f781f89bb05880e3173a360cfd48c0117938b5348b9b2ef7dd

  • SHA512

    75ac9c9673aaa61befed276fc0e1c24d12cce205758dce0b641d6b67e32f9477b60e9841f4511f9d2b638592e714582df096eeecfdad6150c868f6d655d19080

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIC

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 58 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e80d28328e3ef6aebdb83964111abec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e80d28328e3ef6aebdb83964111abec_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Windows\SysWOW64\sdlwnxtbvc.exe
      sdlwnxtbvc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Windows\SysWOW64\uewuxkuw.exe
        C:\Windows\system32\uewuxkuw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1776
    • C:\Windows\SysWOW64\xkfrqoeyolpyffw.exe
      xkfrqoeyolpyffw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2828
    • C:\Windows\SysWOW64\uewuxkuw.exe
      uewuxkuw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2760
    • C:\Windows\SysWOW64\emhgmrinuvmxk.exe
      emhgmrinuvmxk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4836
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    ae98acc75784233579a82f581896f6f3

    SHA1

    3586e2fe2307ebfd1c09bef652f8ab43f9dc06aa

    SHA256

    05d877db51b6036ae1aa6e76b35a162bfb26755ecc708e18247be214f5ffe299

    SHA512

    0faac3511ff884f13b94476fc9f4d0b0a2630503963c443167b97b2590677af44b7ef8e5c36dd59a6ce22428d48a6717c133159543fde5fc000154154b84918e

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    27beeb916af513786f94710cb08362eb

    SHA1

    57b46586c7b2bf84e2a9c0e56c495d2694d15519

    SHA256

    092c8068e96d5facb91e323cb8afc3f1c0301d96ac9c9d6e5956ca274a7784c9

    SHA512

    dd0bb76c2c7c2ac321000a4067e8cde4d96b52c6c47b83135191d809c5e987eeabec80782b2b925d23677ca67027078f455a0f9db3c4b9df6f8099a8689ccc73

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDEE42.tmp\sist02.xsl
    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    366B

    MD5

    8d74dfee85a1bd0bbf4e079a5c2f9038

    SHA1

    8f6187676eb0b359138490fd9328f62be177e60f

    SHA256

    f37fbd8f32ade6c3d110c39f64f2213da8aee7066ecf47849f7aab9e429b1cd5

    SHA512

    727c34b669cb4e03744ed6c91eacfa71b637288332bcdb68bf8b3bdd10d1c8d2503f2c07f445e516e3406724fbbd650520c0fbe0e7f063a04c62ea2c93c86631

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    17c7dab34dcffdab933f9528b632f25a

    SHA1

    bc03e3fdcb878b27c7c5a31e7fbbc68360cdbc93

    SHA256

    608a778cb8068fc8973abb84d9f40081b83063ed99628448738fa309937392a3

    SHA512

    d2db428d9866bdeff272cd6acd1e69d31d24dd85d8916c01e513cd9c8b7466f5db3b983e9714a61d91fe3808efd1e93ed88478f7aae546ee432b67b92122d3f0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    3d93532cda696ca26baba951f67f8fde

    SHA1

    74c09ca6270e3627a4c76db55d5cde9a3da19b19

    SHA256

    10ccde015e28f0bc795136360b70d30c8e50fc4d5c023f1131ec79a4541b4951

    SHA512

    d0dc9feb896f06746f43182a6879817533c68ba576888abda1a7b18d3aa9e3f57b0c184258c2cd2f4fbf91e40d24161998294562d7c12e00994f156e946de502

    Download Submit

  • C:\Users\Admin\Documents\PingRegister.doc.exe
    Filesize

    255KB

    MD5

    dbced6858ee340cb23d09839f8db5008

    SHA1

    da2e155f30c761160cbab5545d481918c885c6e3

    SHA256

    795d6940b3f9157572b726abb139218fa65acc9d0de7ea8ee6750ee44e3ee08a

    SHA512

    b46c1eb0cf1244bc7feec0ccf950151bb9a438f62a49a6666b2c1a61b069c9f1cd939592c98838e82f12902a5122cdc75bf1138493fdb5fa4e00d34f21e90964

    Download Submit

  • C:\Windows\SysWOW64\emhgmrinuvmxk.exe
    Filesize

    255KB

    MD5

    164a95f2ca1a286ce2981abcd5660cc7

    SHA1

    b1a8a12c5a020f6156f3f3ccdb38187bf101e428

    SHA256

    e006837d8a2029dcb264175097256b1df64279eea64b1666fff6a1fb4ebf87a9

    SHA512

    84e7bee64e183d81b9ce90bed3970864c23334c7a715135f158bdb5bd5d79b302f67a49c77708a0f70924ff0a79014a496c35779778e76f99d76453eab14cfac

    Download Submit

  • C:\Windows\SysWOW64\sdlwnxtbvc.exe
    Filesize

    255KB

    MD5

    d89aa57ec5e8e60ccadc64b9b6fccb43

    SHA1

    9433c30a7d32eeb074a54620392c37464ca8b897

    SHA256

    fdae3287a779f3dbe6247359bbe5e7d9d72d85c6829455012112b19688a881d3

    SHA512

    e72e32fe4984fa71dede5161a9cda4426cab934267a1bd980549a843ed8d4a81172904a52e98ff2ff5019554d2b27534b820474c8535be07cf1803ea23584634

    Download Submit

  • C:\Windows\SysWOW64\uewuxkuw.exe
    Filesize

    255KB

    MD5

    12bbe3642bc7db80a5da9330255beea5

    SHA1

    e0f307f656f0d7a699aeab67e19dac55aaa76a6a

    SHA256

    f5ebc12c48f16ca40a24dd75432846ed68fe03b7c701ba9c3e216aeea7e50f8d

    SHA512

    d8463d0af56a007a2d05ded4128343edf6c33ee3e99a91ff0a0e2fa857d6fcace189d400e7394eb047aa67177dc166122e6b81a85d5679fca65ad61d23653272

    Download Submit

  • C:\Windows\SysWOW64\xkfrqoeyolpyffw.exe
    Filesize

    255KB

    MD5

    7c21e98a54b71372a4e89e74c76badf5

    SHA1

    1d48ab22ba7c2e8bb090678b57c92b75e3050454

    SHA256

    1fbadf1f98fc70e8b4601c3b4a8413dec4757e7a81c5ae112c0130e9af6b4b67

    SHA512

    d3995b550389d20710b5a398ad96f956bde98f8d464637402762105c25e804fc7876213540dca0a42c75dac8879c22a811110740b730d51975d65c1789500deb

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    8500a9207cedfa1fcb0c45eb21a0f96c

    SHA1

    1d2046cdb176bfd26abf1031846d9307636cc3c2

    SHA256

    9bea383153dff60c4c46ef3223240523969f8b1ee522acc325bd2eab3b4dd48d

    SHA512

    956e23e059ba9960a663a55137bf3a4b0485d1659249c9be0672cd6bfa42c49701fa90fb7efe95a9618ff41f680a61e6e59c3a1d2e9ee6777e85be30160ac6d6

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    61c0a0755896f68352db0a8f7610437c

    SHA1

    c46c4c146862a243d194bd8041e2526364dbbabb

    SHA256

    9a6c66607a371b5e66e4555a1208abb7387bf491e9dd8870bec3bb13ee3f38b8

    SHA512

    e6bfcb85f1603dc4c35acf14286cacf182be4eab98f751bb26851284dc88387412a709b6b353a0090afce5605f7be90576e20322893c4aeb283d0675bd5d419d

    Download Submit

  • memory/1776-241-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-43-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-83-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-236-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-233-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-246-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-249-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-250-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-81-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-231-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-235-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-239-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-244-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2760-31-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-238-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-243-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-80-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-303-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-300-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-230-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-297-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-294-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-234-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-291-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-267-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-264-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-261-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-258-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2828-252-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2892-287-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-35-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-37-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-36-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-39-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-41-0x00007FFBCE060000-0x00007FFBCE070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-38-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-288-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-289-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-286-0x00007FFBD04F0000-0x00007FFBD0500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2892-40-0x00007FFBCE060000-0x00007FFBCE070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4276-293-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-107-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-302-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-257-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-260-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-237-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-229-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-263-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-299-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-296-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-266-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-79-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-242-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-251-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4276-290-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-253-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-268-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-245-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-292-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-30-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-82-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-295-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-259-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-265-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-232-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-298-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-240-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-301-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4836-262-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4852-34-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4852-0-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download