Overview

overview

10

Static

static

7

b58dbb21df...18.exe

windows7-x64

10

b58dbb21df...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b58dbb21dfb0088cc3121d4407f9bcf0_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    b58dbb21dfb0088cc3121d4407f9bcf0

  • SHA1

    3a19718474d92352b0b2d5372056b4557489b5ca

  • SHA256

    313344cf29008cd703534c5b8244e31771d3cb53527739c352771b0e4200fb24

  • SHA512

    d894fea47a356b4b9573924ecc43d24df5a81c97f00fec5cd8b0dc819f7855d6940320bf231bdb2e9391b8391c457f1ff7ab352dbf9401464a7376004eff7e25

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJK:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b58dbb21dfb0088cc3121d4407f9bcf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b58dbb21dfb0088cc3121d4407f9bcf0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\supdgqiyco.exe
      supdgqiyco.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\SysWOW64\akijcfmw.exe
        C:\Windows\system32\akijcfmw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2924
    • C:\Windows\SysWOW64\oatdavzowrrjlas.exe
      oatdavzowrrjlas.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1976
    • C:\Windows\SysWOW64\akijcfmw.exe
      akijcfmw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2148
    • C:\Windows\SysWOW64\oewphsxiaxktu.exe
      oewphsxiaxktu.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1996
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2788

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Winlogon Helper DLL

    1
    T1547.004

    Defense Evasion

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      fa6243efbb9adc960e679e9808e36b90

      SHA1

      b0fe0f364c5274d08bd419e69f3ff4f5ad89d4a2

      SHA256

      c544f0eb6679707d07d072e4cebcb3a587352d96f770d9df1adb65bc0060d6c9

      SHA512

      4aee5418f09315c32419ad8faad7a6a5dc33bcb836bf56d2280f39b0de31d24e1771d5335cda96f16d892d6a339d8f9562b88fcf852c0fb3f8f874b38ccc2bee

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      aac3b355fd4357f3902c48a3d1ea5608

      SHA1

      f12fbe292c2e1c05895fbb045d88451e0fc099b8

      SHA256

      0585caeb4b16f6e3126337c6707fe164a3a425db70577e91e977e0dbc7b8080a

      SHA512

      76fd94b12ce6a1a0ce004092ef20b7a74f40e034419bad582d1fd4b3a434da5eb41561695d13c117d3f61d2a1887c0c821245d7a346ada57c8e12ec9d96913a6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      19KB

      MD5

      adeddffe7663e973c428ba7299d4d6f1

      SHA1

      d9b3387ea2cc2e5ca75b3a2f4c7c7fa087e12a98

      SHA256

      3cc2354186302f888f77fb02192d840bb95dc1592abba53457920c7e20dc6c3c

      SHA512

      ed34e0228a3ce2e552089639a33888843b65626611ca547300b3e3106872ef5971ee772732db4f3f91c7f247a09148aef0c44c65bf7ad815b799666cefa8e725

      Download Submit

    • C:\Windows\SysWOW64\akijcfmw.exe
      Filesize

      255KB

      MD5

      0ebfa1b0eccd9000eaa57353936022b8

      SHA1

      dff7b9d58231318801f5304b90947a7fec97e891

      SHA256

      c00cf60b4dd36f537e35e36ffc6167d834389545dcdd265c3b5a94fb1bbb2e9f

      SHA512

      aed06ef6d7fbe7dd5b0b3f83e9184a24231d844497d1ce4a622f5d59eaa7342419bf7c586f39e5efbd4250d317a5c262ec4a99e884557d6152f27c4aef6dfa74

      Download Submit

    • C:\Windows\SysWOW64\oatdavzowrrjlas.exe
      Filesize

      255KB

      MD5

      cb4b60ecdfb173e5bb4a36dd5e5c8c15

      SHA1

      eb1cd013f15fad7a9478529c0d7c8e7b131eb795

      SHA256

      46d650ba21cad6fb4b5235f2d3c07c3b1a7c565db55b5a08501bab4c75fc8e67

      SHA512

      b6d1b2c732c6e87945158ba4a10811b69baa36235818b7caf7b41c9fc8f9624864860525a35fd83aafad05111d5195e1f779a22e0e817894970838a9aaf6dbd9

      Download Submit

    • C:\Windows\SysWOW64\oewphsxiaxktu.exe
      Filesize

      255KB

      MD5

      67e398e313bab46d296898858b5c4103

      SHA1

      c85eb99883c49b4285f2d3ee4959670ea845e873

      SHA256

      d2f323f3fc5ea21ebd197b35747494e5ee644b1be4ed4f1da73ec800b7549687

      SHA512

      affa1b4c6d5a7c0f1c3e1d751cf2f489d82240244a597463ceed04688936b4b56e29d34776a9c65257abbeef5bb087b425e680b89a3d620c2ba15d5fe40f58e0

      Download Submit

    • C:\Windows\SysWOW64\supdgqiyco.exe
      Filesize

      255KB

      MD5

      392250e78eec2245b1d30e5d00219f6b

      SHA1

      833e088f6d7eae34e980908fd17da1b121e03794

      SHA256

      32a2c5887899b82ba0622d8e156a50d56d3f1ce92947cec4ada5798d7689e872

      SHA512

      965fd7619c272099c6bf8cea22772f81f963868a0112b094a41bc95efcb1379f584fea8b4b4f1a18563bf9aae3e31b2f7a93f395f23373039a7038bdee68e283

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/1144-142-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-78-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-73-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-133-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-28-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-112-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1144-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1952-24-0x0000000002B30000-0x0000000002BD0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1952-0-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1952-33-0x0000000002B30000-0x0000000002BD0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1952-47-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-146-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-143-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-37-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-137-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-134-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-74-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-113-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-110-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1976-107-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-111-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-108-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-147-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-38-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-114-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-75-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-135-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1996-138-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2148-76-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2148-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2148-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2148-90-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2916-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2924-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2924-45-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2924-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2924-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2924-82-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download