Overview

overview

10

Static

static

7

b9a459b1d1...18.exe

windows7-x64

10

b9a459b1d1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    23/08/2024, 00:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b9a459b1d1c71dd13252744b9cb448ec_JaffaCakes118.exe

  • Size

    255KB

  • MD5

    b9a459b1d1c71dd13252744b9cb448ec

  • SHA1

    4ed91e94c757ed6a38b67e3bec83700b608eda5e

  • SHA256

    a7a0766cb33eb65b38977231999c2fdf27b188269a63ddcdd57b2689fccc41f3

  • SHA512

    d401719a3c3dfce698eac682eac8b4f06f36118f7a04f1130fe44cc87e4d7e4ddacd3913fc1632765c06d52bb0de980e909c03e3a3d6c16eb750bb15dcdc9713

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJM:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI5

Score
10/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9a459b1d1c71dd13252744b9cb448ec_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b9a459b1d1c71dd13252744b9cb448ec_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\vsqhhdxhjr.exe
      vsqhhdxhjr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\agplekqi.exe
        C:\Windows\system32\agplekqi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2608
    • C:\Windows\SysWOW64\kphsbndcssmwfml.exe
      kphsbndcssmwfml.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2740
    • C:\Windows\SysWOW64\agplekqi.exe
      agplekqi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1932
    • C:\Windows\SysWOW64\nyepvdiegiash.exe
      nyepvdiegiash.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2884
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2108
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2216

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          3
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          7
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            255KB

            MD5

            ce86965904ff9a8b5dca5f8650faa0c6

            SHA1

            bc0659d5bde2ba2feeea9ae708b40a746b7fac5e

            SHA256

            5815a8c8a95e66e2ec057075d3943bfce5deefb4f2546a6d7909c128ea292926

            SHA512

            60fcc6863f5c2555c1e6b9c6d4c6945348340d3ed069bc6a358e1943e5d3e9cf8fd0b9d045db4ca4409a07b6ab0eebc5e6c7e77980ec9e4a7ff40860edcee2a6

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            255KB

            MD5

            daea61df065c1fa65fb38fa329b61b71

            SHA1

            995ff31050b3bd6aa47c8b1d4786b98cab0e9e9d

            SHA256

            b1e53efab11fc26a4a518f35fb570cb43c15e341a164e18d3191415ee0244f58

            SHA512

            30c86d2e61592539d6d45bdfea2d234ae3e58a42dec9709e822d5055ee63036ff98b2213360d1a7e2550e6fab1957596dc5fc71f86ada0b1cbfa021fc96e3257

            Download Submit

          • C:\Users\Admin\AppData\Roaming\GroupEnable.doc.exe
            Filesize

            255KB

            MD5

            9dcf0d6a2640c396a5d6e9b0332e64c1

            SHA1

            563a930d778005d233230577a915645b667de443

            SHA256

            51d721717e41ed62b6e523189296c4042c5c4e724d3a2dd185741e864f0c5988

            SHA512

            04ce2c2f0216e266e2bfc53c5774f9d66027bc6922d15a11eb2406fd1bcae3da4ed3a290bda2957b70a4466ecc63e6f3b0e1ec76a8cc04b12c98648ca5ff7700

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
            Filesize

            338B

            MD5

            2e983c7a77343e9b877d4e295bc3c9c6

            SHA1

            94e170b3ad26689dcc951fab237e150673c6b9b2

            SHA256

            48c79f03f355de80a3d110a2f7ddad8b9408a10dbede265c857716be76699c9e

            SHA512

            975d9a85af35630d92d9061985551b2ff823d82909a1aec2afe71a13c231a174c76d9c3d06d2eab7ddef8d475a7a018f95c346952f5455ef5478a24930ce6c1c

            Download Submit

          • C:\Users\Admin\Documents\SendPublish.doc.exe
            Filesize

            255KB

            MD5

            2b371beeb0333638f1acb5cda90832b6

            SHA1

            b55ec9b00cbdfe6931e86d093ac9ac91e36ac3cf

            SHA256

            37d9b63082b4cf189384714a419ff86517064a3da764c3c3131b745dea6435f0

            SHA512

            3be207beaecbf6a9821915b8a6905dc42817add49e7862372c094b08cee86a64c3ddfb515bb4f3a4d3f675c4c6242cea3783ff795ffcd2aaa8e7ae81f4a5584e

            Download Submit

          • C:\Windows\SysWOW64\kphsbndcssmwfml.exe
            Filesize

            255KB

            MD5

            91ff0d30e2821306e9627795d70eda6b

            SHA1

            14c4c53b52f6ba90a20cf85a8797db8672b2d06f

            SHA256

            d2b3dc250fdb839b34527067ad55f6db0437d73dd93132fa0793917b7282981e

            SHA512

            d6aa80e160a4a21aa4034a92426054447801a94659361381318b3d7a1072071d23e0fc136b8424f71935d1fa79cb3dced3be3a36be646dca2093e4ad89692162

            Download Submit

          • C:\Windows\SysWOW64\nyepvdiegiash.exe
            Filesize

            255KB

            MD5

            80ce23bd6be1d30f00be6a7849d3f072

            SHA1

            c82b9a944d47e89652f67cf6c4a513865f8e1ab2

            SHA256

            41bcbc5bbe010302a65a927bcacc05895267f5927cefa042d4d9822f06fedf86

            SHA512

            b7de0e19933cd2c3536094453d16946bbb7686561e3092e51514a0f8ca1d13f31823eb32669d09371535eb2a8472d581f0f20ef22754c0844507a76eea2771a0

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\agplekqi.exe
            Filesize

            255KB

            MD5

            686f86d50a13060a6d176e26d6552c36

            SHA1

            5fc5a6583aef02682823dec476d9bcab53db5fc6

            SHA256

            70db310ebb35d0f9b42bd139e940b062c7acb1aba25feb673c76fd4c2cce691a

            SHA512

            e6b7d8af41c483ca69b01303fe229f19e866720ba5475eedb90dc54a24198ccb8d2cf9e43c4f4dd4a4b023d1dbb484436e21371748adb8ea8a6b7076da0f1900

            Download Submit

          • \Windows\SysWOW64\vsqhhdxhjr.exe
            Filesize

            255KB

            MD5

            380c3b6869fb760b56057bc307cfdffa

            SHA1

            9197c71dea5223dd1f92bd60125c79b56807e176

            SHA256

            8256806d93b9e4a076f6935088d6ad2b07761b4e7dbc7fd7dc0875aced0b6d1e

            SHA512

            8cfae8a80a80d2df56502a28e7af07135273be5429e0ed949bab0b15c22555cfed9068c53501c5828848e25619582b43b8da0b8a0098ccb2e797c4f65aa36a66

            Download Submit

          • memory/1932-91-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1932-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1932-36-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1932-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1932-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1996-46-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1996-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1996-27-0x0000000002F20000-0x0000000002FC0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1996-44-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2072-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2216-141-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2608-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2608-93-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-136-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-143-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-130-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-90-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-127-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-30-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-133-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-139-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-124-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-105-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-121-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-114-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2740-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-104-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-129-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-25-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-113-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-142-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-73-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-120-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-138-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-107-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-89-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-135-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-123-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-132-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-126-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2820-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-131-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-128-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-92-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-134-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-106-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-137-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-125-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-122-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-140-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-88-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-115-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-144-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2884-112-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download