Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 10:24

General

  • Target

    d1b632acb8299cbf118409ac37fbf4e6_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    d1b632acb8299cbf118409ac37fbf4e6

  • SHA1

    1c345f2734f89acfab9dd133eca74098a063287e

  • SHA256

    6d1365bfdacd234e776a85cca76185e107b69565d65be9144b78be44baa0f47f

  • SHA512

    d17bf731cb98686e3a021421460edab03a18b896a51e31ca5ad5637486c354deb6be04e2832c7d34a8a7dd2d5c3ca158a9baf7974734ec6fb093db34caee6d61

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1b632acb8299cbf118409ac37fbf4e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d1b632acb8299cbf118409ac37fbf4e6_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\upnetarrei.exe
      upnetarrei.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\tlebglqo.exe
        C:\Windows\system32\tlebglqo.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2760
    • C:\Windows\SysWOW64\yzikyauwmrijogj.exe
      yzikyauwmrijogj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c oiukviwuexgla.exe
        3⤵
        PID:2796
    • C:\Windows\SysWOW64\tlebglqo.exe
      tlebglqo.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2832
    • C:\Windows\SysWOW64\oiukviwuexgla.exe
      oiukviwuexgla.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3020
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

        Filesize

        512KB

        MD5

        7f2a5418467cb24a3882239e377546f2

        SHA1

        d4e60f35b1798f9cca911fc38419fc24add1a833

        SHA256

        8f70c62e531faceb3d6c2aeba38373066c0b643142c7d2a72e7b807faac5a08c

        SHA512

        b512f619c517894b9d63e5ee5b1ea88ed804e2098538eaf39108d16025ab4e8d8709201c8856d6880484886bd298405c97e267d051d035215b828e8e1b7bc35a

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        512KB

        MD5

        6a1fcae75fd7cc66f7a7cc61cccb752b

        SHA1

        d6e800f89aefdd8251cdfb41b42f2fed7acfee12

        SHA256

        983a641dfd4165fe5412e2a82a9ac07dbaf823a45b5b0632947c292bcbb0b934

        SHA512

        1062361acd499bed1aeb0f43025fb74ffcff8e3e3cede4c874cee3be1bdce40596a219fa00e50483dab83ffe4de32c0857c4595f72e604103f2391d8baa8ad0a

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        19KB

        MD5

        74cbd03ba735821cc2f80df564b58933

        SHA1

        e8a3e729f94728d334daa4f0d699af741b95cc2d

        SHA256

        9d0385cbbf93c2557b38673b8803a4a6e0e004800b5673d765ba9734783a8a1d

        SHA512

        9057219bb029b4ef6dd8520435f0112ce7356d57c0229d59931840d25a055dfbc9f1d0acac1b3f4f4991821fb91d21790feadcd170602b3dcbe980d6ddbb0683

      • C:\Users\Admin\Documents\MoveInitialize.doc.exe

        Filesize

        512KB

        MD5

        b41ec04123b39639d5dd89d0806ac3b5

        SHA1

        019312cc33f5acd801b48bfdd6989ad51afa551e

        SHA256

        3b7acb8dd842424a121df2c465699739fb11f427c043082900805530d9f6fd89

        SHA512

        3a0be1c18d5ebfa0b8435b0d051d353f15fd8044fcd55cda149bfd6b70aa50396e91e36b96f6443377133b32d7d4f90eb78826fd8bf4d099b76fe3cc950b8dad

      • C:\Windows\SysWOW64\yzikyauwmrijogj.exe

        Filesize

        512KB

        MD5

        a702d4409cea52c639a759b41ddff05f

        SHA1

        6f80e10c469157bd3daab9d634769fb8921535ef

        SHA256

        dc195cabdd73d3772137bac16af34de0a211df95123ca28a1b3120aad846b3bc

        SHA512

        09dbc02078722731b5fcdf95c3e854d94908cb365de9d8081615680808e64391bdaeafe211ff577b1b37681cf1c9fab5595d2fbe823bb2c86d0527e427258e4b

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \??\c:\Program Files\SearchUse.doc.exe

        Filesize

        512KB

        MD5

        ab73d50e873ac6d476989634cd5f279d

        SHA1

        c8e266e93475b2365a1ad942316e8ad4dc0f23bf

        SHA256

        80613ddf73230456a0bd47476d56975a6befed65b61efc5a5fa7d75cb3a7968c

        SHA512

        30ff1b59eba3c326aa948d6a414cf6b69cde18b5153ded791feb054a5ef0cc2b5bf71be41493f9bc00a9e259edddaa1eecdbc82c1eab2b2d24c9ff2ff10020e9

      • \Windows\SysWOW64\oiukviwuexgla.exe

        Filesize

        512KB

        MD5

        1cacedd7f614a9b4a6f59b7c09c613ec

        SHA1

        c26dd57962ca5dd498d6e119308c1151431768c9

        SHA256

        a569ec371d67ade9cfd636672f5aa3a157db3702de06092b7727f599ce62dd47

        SHA512

        522bb705fefc0a8aba74cf7eec05c4b6bb20fba83d2dd692568cc3499806c21f52a67d215a2f94beccf93b166f46ab53f4e74e636c16d410d4a87f517c7b625a

      • \Windows\SysWOW64\tlebglqo.exe

        Filesize

        512KB

        MD5

        90b9b4d63af83dc9c73faf399e8bdcf7

        SHA1

        56239417a80e9dcc0f9af78fa6e29a26dcb3877c

        SHA256

        475c4b8666418e3f3f8ffdce472993965e344dee573f6645dbdf611dd7d3126b

        SHA512

        6a25f7e26c3e012610274faa483b05f8181817ef894e451e9102be324896c514d18fd79c08c436f9a63e5a8cd5ac85f9029d4173aa64f3a7c64870001be792fa

      • \Windows\SysWOW64\upnetarrei.exe

        Filesize

        512KB

        MD5

        99a2a16e0009a97ae4208c3bef030843

        SHA1

        cdfa424470d89f15bacd37f13260886a13e16d6d

        SHA256

        15bdbe4bf19e6a84e85a7f50cdb829e74259a4031bbfb0d2b133dc6cf6e9a474

        SHA512

        ca939cc2623c16bd3728657242b32584d3a139b060632e4b5df601348ab9255e74a3fb97d2b56fa9d9924cca2a945813e45117918942f4291bdd2df142077576

      • memory/1172-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2736-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2736-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB