Overview

overview

10

Static

static

7

ae49a2f7ce...18.exe

windows7-x64

10

ae49a2f7ce...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 07:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ae49a2f7ce8873cf5c58b23ac2e0310b_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    ae49a2f7ce8873cf5c58b23ac2e0310b

  • SHA1

    684f8e90196bab6f4e8add725b97d55b33064b1d

  • SHA256

    2d8241aae53734f0fcc2b875d13cbbed3bca3bb96e3cca0610462c5eb52581b2

  • SHA512

    1852ebae2e44414dc9ea9c408f4c9d2c109ba87866b01db3c4055a416930c68a805c25a6f0b67e58c1be06de249282bb0e050edfef4e29fb4480b20f23da4a1c

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIQ

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 58 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae49a2f7ce8873cf5c58b23ac2e0310b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ae49a2f7ce8873cf5c58b23ac2e0310b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\casbjdnskb.exe
      casbjdnskb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\vieffgbl.exe
        C:\Windows\system32\vieffgbl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2580
    • C:\Windows\SysWOW64\jzrzfwbkurbezli.exe
      jzrzfwbkurbezli.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2788
    • C:\Windows\SysWOW64\vieffgbl.exe
      vieffgbl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\gjawdixshjnwx.exe
      gjawdixshjnwx.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2660
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2752

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            255KB

            MD5

            db631c94a3408a6a3bc4dd5c4372f6ca

            SHA1

            06dd16adddf07946a23f93de7cecf195b054d5ae

            SHA256

            002ef66eded321052459f672f9229df9a67ac664da724691159e228308be0032

            SHA512

            c3057521461d48bc44df13909e6ea14ae8fb7d3dd3f871ccd0fc6048951bc57bb96fcbd28fd2710412fb108142456885143125e93c936e82f213128900800575

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            255KB

            MD5

            d862d7617f9f7b35709fe14f19e0af6a

            SHA1

            ab9af315d5272067e906a57d8e197a54fc5d8b43

            SHA256

            d876259beae0e815b3798cf339e5a75db6d981f014c18b49f0b77b43e6c1a777

            SHA512

            6c312ad1081f3ec367df6b0fb5aaca9158fdb1d5085c8489dd7c6bbf4f685a389fb89444a3cf8b8859f75684e4185e50ca51d840ca301a90121c2338da492797

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            19KB

            MD5

            1136b976fcde50cf9dcc5cc57a6d9ee6

            SHA1

            7e26b505d3f3d860e897d9716775c61ec9694e39

            SHA256

            0a294f9e5ea108e2d71ed7e1610837813f84ed4d55b8ecfed5c05daec7597ff3

            SHA512

            d034a7a76a876c6b683df93e40c8c067120b7d5f671f73e7678e7e47f4797c92f741e568fbd7855e544b2a4f7913c7957e7bd0ab1925ad47e98c79906d792bc8

            Download Submit

          • C:\Windows\SysWOW64\casbjdnskb.exe
            Filesize

            255KB

            MD5

            088bee0fb5cecc129a366e8aa24c96d5

            SHA1

            7312f49dc0d5f7d93671b0f4da1630a6d7614cd9

            SHA256

            85f21ab54428732d1e329557ddd83d59d2803d794bb8cca0af5f7b55287963f3

            SHA512

            3e42254f9046743840504619794774257ffcea039a7adc888f5ccd7d09157ecd33302ab5ae3bad49578b01049a5927c4ea0775fd19419211f36813833a3368e3

            Download Submit

          • C:\Windows\SysWOW64\gjawdixshjnwx.exe
            Filesize

            255KB

            MD5

            d819d36d139d017d273177ee4cbeb146

            SHA1

            6218567a21cb0b31d1b42d14cc1490fb4daecef6

            SHA256

            09acb5e408db8f42b9b4c91ac65ab1c5569ab988ab81919560bf30e8642d846a

            SHA512

            fa76e89f73d994670412e8ac4b48eb2fcb006e6059ba7d84bac2298ca525da58e96260b6e5dc92710ea7c1ed763388d254e028672ae70d6644f8dc40834bf5ad

            Download Submit

          • C:\Windows\SysWOW64\jzrzfwbkurbezli.exe
            Filesize

            255KB

            MD5

            6b175ce455ee932037c5828e0d5b3f2b

            SHA1

            2b38f880969cd011cb86bade43d3c4a184c137c2

            SHA256

            a87bb49237306743b0d5bfabdacd37847335289a3ec1f502030861d90042137f

            SHA512

            ba6a0e519f02a2450d2355b1be90f340d7643e44cdfe6bb95c3d0ca64bbda7586a856e6019aaf3a7c387d05dd259409b7ea45a35f199b8d2db8e6f55220841de

            Download Submit

          • C:\Windows\SysWOW64\vieffgbl.exe
            Filesize

            255KB

            MD5

            d45140dde47fd58162d6c2909bd719f7

            SHA1

            055d54201b10f88e4bfde849af561978f5af615f

            SHA256

            fb0d4d8586997debb7556420abf7de45b1ac55b2322ccc0a10a6b7010f713271

            SHA512

            86f849a181f5d934860c7fda3625b88c3aad6774566e8569d6870ce6d73d42b12d43db7063c23645675a58c21c6c0d3660c976c2017e15f4b6f18be1a8b54cbb

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • memory/2580-91-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2580-83-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2580-89-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2580-46-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2580-84-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2588-136-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2588-49-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2608-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-48-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-34-0x0000000002EC0000-0x0000000002F60000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-33-0x0000000002EC0000-0x0000000002F60000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-118-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-148-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-76-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-82-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-105-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-145-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-142-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-88-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-139-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-37-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-115-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2660-112-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2680-93-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2680-39-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2680-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2680-78-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2680-81-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-103-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-85-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-77-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-146-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-143-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-107-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-79-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-140-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-137-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-38-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-113-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2756-116-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-141-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-35-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-75-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-138-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-101-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-114-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-117-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-144-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-80-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-147-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2788-104-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download