Overview

overview

10

Static

static

7

70dac3709a...18.exe

windows7-x64

10

70dac3709a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25/07/2024, 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    70dac3709ac4bcd5d495cf300812cefb

  • SHA1

    661ce55a624c4c6205a78e4060a8bb575bbf60a6

  • SHA256

    674627bc518d403e7fef6c0a6922bd93fcc011f44b54e4d739fe0d98de0af16e

  • SHA512

    86232f60b1feed396e8a5bf1ea00a4baf8d341ef4a9fb5648aba9af82e36686b7bdf1d9927ab45c87ce6e011fbb0c2ec222f2fd63740ad3b1b80918eb72cc23c

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 58 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\70dac3709ac4bcd5d495cf300812cefb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\dyaxtnyamw.exe
      dyaxtnyamw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\wvyojkkn.exe
        C:\Windows\system32\wvyojkkn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3016
    • C:\Windows\SysWOW64\yjqyqfwkitlxnxm.exe
      yjqyqfwkitlxnxm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2428
    • C:\Windows\SysWOW64\wvyojkkn.exe
      wvyojkkn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2584
    • C:\Windows\SysWOW64\utxdaawpfqhnv.exe
      utxdaawpfqhnv.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2744
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2732

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      65ba2a64fb2b628426d3b5279d2f823e

      SHA1

      f23e77faa74dfaff7a12d22393f377956b22ed50

      SHA256

      d0e0cddd962589623e8af6f0e8c9fc077c56adfc0e09cd10753272c70e9072b9

      SHA512

      3f82d3aa56d4e3da229e56b6934213bb84ef9f4e1d2e5580f87f5a358e3a65ea4ea6d799818a7d560658ff69ee01394d6196825f917742164feb1979a413d168

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      7dfc2d7bafe53a5df735751192deb795

      SHA1

      3aeda5c1b3502c75332b7aca3561629867a6802a

      SHA256

      ea4230351529457d67a9832a43ebff032b62a42858647265c8e0c1330c6d58bf

      SHA512

      ef5aaf1be0bb438b6993681b814f7281222490d4cfd03b8f5d51e4a3bb9e8b535302968bc46f2973d5c14c13fd14832cd270ecff955a900682ca0cfd947e34d6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      a4243ee687f8a31edcb391cbfacd4ca6

      SHA1

      8d11ffdfedf0041ed53154fa5313e5e4d215e516

      SHA256

      686ca7eaad3d01f77c066cbaf5cd01bada3f97f16262bb977122c70fad7ed2f6

      SHA512

      4fe50c5393ce6f95b2b0f7dabcdcecccf15e99870fa8f3f816ad76803368bf44eb3df557c7a104db81b8607dff7144dd581e990a8c03b6a9eed4410734165b23

      Download Submit

    • C:\Windows\SysWOW64\utxdaawpfqhnv.exe
      Filesize

      255KB

      MD5

      1b8bd882c8a24cc1c7d9a87a13807d64

      SHA1

      83f34828a1f9adbb8e12708b9b44b637877b3fec

      SHA256

      fee1d9395baaff792ef29efebeb16837a16d4cfbbbca7010fa1f591b73caa921

      SHA512

      48ebb42386171c67ae54d40db7302a46a90148ec02df0b4b617e1e58e12d69bd8ee2b42520ca319a70db5a4ffa4559bcd0d88a52198dfdeb5ec14244ca085eb7

      Download Submit

    • C:\Windows\SysWOW64\wvyojkkn.exe
      Filesize

      255KB

      MD5

      a918e3e70327fad690a9349dc21fdf3a

      SHA1

      bfd269f9be71fe4ef3735c47bc364ede06056206

      SHA256

      f792107115b31850e1707d0cd19b693637f65954110ef96a6fd59f57ed4a6bd8

      SHA512

      9847f2b2a815c5a55315ecb688bf04f38fbc0866d5a29e5122023d97e54687c059ff2e8979875afda4c9a6e3b18badcd1337577aaa24f86fa1e5a8d50f200840

      Download Submit

    • C:\Windows\SysWOW64\yjqyqfwkitlxnxm.exe
      Filesize

      255KB

      MD5

      9b4752f030d1f59f22a2c707aac70aae

      SHA1

      99d2878b14c264636ccdfeb70d80bcfdb00d1012

      SHA256

      f87950b3f4114668de51b3d591ad818e6189c9f93aa154fd2a890b47c09f0cf6

      SHA512

      731c5f7cfbb887f2a9d5b0dadd22858f2688031d3a6b8e064ddc71670a558ba9aa81b9e9040614582026ffba4da7efd7372fdd8f301ed86d2e701b15f2f7a3a0

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\dyaxtnyamw.exe
      Filesize

      255KB

      MD5

      a062215f7550c6b2bf4f1f3a685ad23c

      SHA1

      c7ff29e2bf4fac6dd86bcb4dcceaabcda21285c9

      SHA256

      b30401220d6a6dd118c836ea928d853b9b033966283a5e6d80930edda4d4bb96

      SHA512

      3977537d0cc2f4fc4c7ea16cb9db0fcc0f23b7e905f31d87e593fb2237ca3023fe78c7b36cbcfa88ab7a48a72c614e2e59a73b560e73c541190c56303fcd7535

      Download Submit

    • memory/692-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/692-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-113-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-38-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-137-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-143-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-146-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-116-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-110-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2428-107-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2584-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2584-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2584-37-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2584-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2584-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-82-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-147-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-138-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-40-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-117-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-108-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-114-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2744-111-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-25-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-115-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-148-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-112-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2800-142-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2824-20-0x0000000003760000-0x0000000003800000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2824-28-0x0000000003760000-0x0000000003800000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2824-30-0x0000000003760000-0x0000000003800000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2824-0-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2824-49-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3016-90-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3016-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3016-45-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3016-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download