Overview

overview

10

Static

static

5

c284670593...18.exe

windows7-x64

10

c284670593...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    26/08/2024, 07:15

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c2846705938fb2f595267f5effa3b1c4_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    c2846705938fb2f595267f5effa3b1c4

  • SHA1

    2d7c8740b75dc6ec3cf5a8a4968034e06cd51eee

  • SHA256

    57abcac196c86e0bd3ace3fff8e9aa80d3813ac7fea30d70427a9cb6338c01e0

  • SHA512

    ac21da0c96c224ff6246faae9ecf5bd441b6a339018d077b3c8e641ef573131c208f58adee917a9f87847723392980ed83cdd9a894c250f98f540423e4e5eddf

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2846705938fb2f595267f5effa3b1c4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c2846705938fb2f595267f5effa3b1c4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\ucekuicmkr.exe
      ucekuicmkr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\emklsplu.exe
        C:\Windows\system32\emklsplu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2248
    • C:\Windows\SysWOW64\iwpdlfpnjcfzjgj.exe
      iwpdlfpnjcfzjgj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1692
    • C:\Windows\SysWOW64\emklsplu.exe
      emklsplu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2332
    • C:\Windows\SysWOW64\sanjnsbinjquf.exe
      sanjnsbinjquf.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:580
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2008

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Impair Defenses

          2
          T1562

          Disable or Modify Tools

          2
          T1562.001

          Modify Registry

          6
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
            Filesize

            512KB

            MD5

            eb6ccb407cecfb230b937471c30229ac

            SHA1

            5f4071e17a92c373e1081c9a60630c6c1d230ab7

            SHA256

            aaf99e61b462d9b912d59397b94282f51142547abb593ff9287f4a1e85cc5757

            SHA512

            3255463ca2aba502041ad50497542b20c5825cada6598007ca25dac2ce18e4dbfc49246dbd64ea3db01c2c3c7c7167a4267732052743f3825e6694ad4ec768fc

            Download Submit

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            512KB

            MD5

            bdf1128f0e33da67bbbfb4b038794404

            SHA1

            00c9da0049e598024d9ee54b6eabef0b84bf7529

            SHA256

            9e85d71d9d8b77dd02da6cb2f2e973058a1dc035b5e7362ac829d78eeae987f9

            SHA512

            2529fa854ac7ae932e8c2e965a2581c26e69903ee28e8a515e6f9cd3357caf37340dce868588476065a7c61eaea14bb0ceea1058615e88c0abb09db63806e25d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
            Filesize

            311B

            MD5

            a6b90b6679e411ba6cc219f834dedbfc

            SHA1

            50f898138c574e4a7a61ae14308ceedfdbdeb9a6

            SHA256

            bb28dffcb58081cce8245f47f535455941493fa418e60a92680b0d9461cb89a9

            SHA512

            e8b35e88b3c495c431ce308a15030d067854a791839a1cf731a9537e85fc4560dde5ae6e759951ebb160aad6b5ddc03f8fa8021c7ed1da2946a30a54c32b7e81

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            dc08e8e470b567b52e1bc6e2f0a5c3e5

            SHA1

            68dc952f4c9a02bf6087e449a1c339f6443ed567

            SHA256

            0bdf42da5cd51c6568656390b837b52e7ca3c9f7344c69ebb304e6ab072ca34d

            SHA512

            e427805265c36b3bd9cceed3abd73507a8b0661a4a313349ab0c3da4eb2ecc9fc6c550ccec895a217a7d463199a5c130a5a82b18e595ed0c56dbdc1eaa6ab510

            Download Submit

          • C:\Users\Admin\Downloads\ConnectSelect.doc.exe
            Filesize

            512KB

            MD5

            a3fee79c890328d0a3b5f79a4c65b1b5

            SHA1

            20a7bd1b953b151de8fb1e901daa120eb0502a7a

            SHA256

            99dfc49b87b43a24d26f55f5be51693f5e2e8cf0954fac325a2d484a778fda0c

            SHA512

            53ec2235b9c8edb7e62e2d857ace5b8629c24006f6ae4315ea8792d3c0faf392fdc7d658c28900e4971fd2d070bd82c15aebd3debc83ed5b166923fd4642ce76

            Download Submit

          • C:\Windows\SysWOW64\iwpdlfpnjcfzjgj.exe
            Filesize

            512KB

            MD5

            be6502a0d2b2549d3ef369b5007bcbbe

            SHA1

            c7dc1c2aae289425858981eb2dd52ed417184692

            SHA256

            e5305f139f6d8fef088726b9ea3f349c36c1948292fe1cc36d40073ebe5f811f

            SHA512

            9869fee597ff02b87d00bb38d2c95e68ad24480872211fd9b6aa071c970b7f862b3279235ff8868fb0c5883e51331c57b7a5fecf9db94cfa722104da31e9a384

            Download Submit

          • C:\Windows\SysWOW64\sanjnsbinjquf.exe
            Filesize

            512KB

            MD5

            e5cd332cc8c81771e413c90572b21b15

            SHA1

            9e0473fdeb50e26618797c07ea0828344418c2ff

            SHA256

            adf950c12af345a8b58710c7ce3d82f4dbb0ff9439b8c67a2d68d503f4891437

            SHA512

            8b42e3fafb9e9dcd98d60a26153133ccfd24a7ad8700cfb144fea412e0545aa5024f5c8ac3c6b08b8d7852ce1d579f3d5846e52d55683930b0b85ff0c82b7817

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\emklsplu.exe
            Filesize

            512KB

            MD5

            2ba19cd175deac0ed6d6906922efebf6

            SHA1

            b6235e4d408cdde97995a8e82a5636d0863887a8

            SHA256

            debdaa1a85fcba4ed74192d1698ede2a501ca6d7d86908b14ad4135c6a9ac548

            SHA512

            498c0edaa2912ebda7b6814c0dedfd04d25d454f5e50ea26e607e48a20748042c0b3b787d3208aa91e88ca9dc71e24bdcb21d7d5bad8178e66bfc9295de6cc44

            Download Submit

          • \Windows\SysWOW64\ucekuicmkr.exe
            Filesize

            512KB

            MD5

            e0ae47abc8ab6709b14954d13ca720da

            SHA1

            c19d94ed5b0815a25ffe783d57f311824195473e

            SHA256

            8efd30d66cdbdf48102d9c827e772d7e7170657506ace5c0edc2141c0f6cc57b

            SHA512

            080607d227c40163a15b52e6ffbd841450824b3a506c62c2ee319c7f8847c4ce8c3f03396fdecc17504d891ed4b2d9b48e9d1a41e38b3ab8f01e139ae9471a07

            Download Submit

          • memory/1204-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1204-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3068-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

            Download