Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 15:47

General

  • Target

    d2495cfe469d93db08494f27bc2fd2a0_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    d2495cfe469d93db08494f27bc2fd2a0

  • SHA1

    4ef854f4915e710d38fd83cede44db84c8092278

  • SHA256

    d32d1aa25e20f7eb05033b56f67ddc9c5645b287a4a30876e2a4aad1a3bc0ddb

  • SHA512

    c4be5918bd42dcd735bdcd72ad68eb7b8145c683e376def1a19d147704cf408e09dd1cd5715d5035dfd0ea95cb0e59987b388e4913f04c4bf8d9cd7b2415ba7a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2495cfe469d93db08494f27bc2fd2a0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d2495cfe469d93db08494f27bc2fd2a0_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\zmolvforvd.exe
      zmolvforvd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\kvcsrjmf.exe
        C:\Windows\system32\kvcsrjmf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2676
    • C:\Windows\SysWOW64\vhjukulljybyqlh.exe
      vhjukulljybyqlh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2492
    • C:\Windows\SysWOW64\kvcsrjmf.exe
      kvcsrjmf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3004
    • C:\Windows\SysWOW64\axgqmbnqajtio.exe
      axgqmbnqajtio.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2652
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1576
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2468

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\vhjukulljybyqlh.exe

      Filesize

      512KB

      MD5

      e16326ce422ca0be26a2eee6e01324ea

      SHA1

      4572b61c7fe11b9b8be0134d0318a771942b9bee

      SHA256

      c32918e7d42524f92031db4078a2e1072e10621567a33b5bd2ef5919e219c065

      SHA512

      5244f39cd28cc60e9cebceb8d3126b132b34e6b4a4bef4b456c152cc9dfabf16d4968a7203fd3d234258ad37e3e6d66478b6a3e75eebc574853e99668dd49fb0

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      6e73abfe9246f02c6438dc7c371a6360

      SHA1

      4ccb396f03a2d58b55a926843f46321408845d46

      SHA256

      02cfc6f382409717f84f14df8158f4bdba808dfc465c2eca52f83e45b9e3322b

      SHA512

      1d620fedea6b117c423fbada750935e13336074b315427acf47b92b913dc3c1b00b733cd9191e06ea5b658da22770c0b0eb95d8dc124c8604c32c20ecaa88666

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      11bb3b4588b7e225a632812b62a79927

      SHA1

      fd1193fc93eba7908583e517630cef3906d35e56

      SHA256

      64809681d1f6a0eb3ae86c30f9a0b9b653349d64d8b9a4b2c2f25c82e9ed59cf

      SHA512

      3863cd7fbadb5446ad4c86713388970b7d21c15f2261b0945b898f644999efdaa86a951837611aa0b2cd8c02e053d42ce489562201ee1fea1422c7d0dc27b83d

    • \Windows\SysWOW64\axgqmbnqajtio.exe

      Filesize

      512KB

      MD5

      17458516e16361b610e1b9f79ea8ca8c

      SHA1

      52dacd80e441aef9999a93645719ebb6faf8c136

      SHA256

      e78816e35c8901bd6fd3470eddb22cb7a0410a5dd5df75ccbd74df0120cc5572

      SHA512

      cea8fb2213e5b5c1b53cb74122876047b0df457b013ed807c45ffc75d51d2cad63c4d4707216f815db2cfb836ccced3ddbf0d5cdc401ff8472ce5dea6e8836c4

    • \Windows\SysWOW64\kvcsrjmf.exe

      Filesize

      512KB

      MD5

      1564609625d8939bb0ef7e9ed43fb5e3

      SHA1

      1bc886d4f843b3280ab659afd041351554f05c5f

      SHA256

      768874ebe2cad1de60e7559b9545235670eda0ff4f1ad2272f3f0b511073735d

      SHA512

      ffd5559d7e8b4d364215c2728ea3008053801894ca1281bfcf9ca28c3f914533bf9894ce017b7c2e238a6be895c5a5d9f3c19a56ec6a2bacf7d3e1f6bc70a28e

    • \Windows\SysWOW64\zmolvforvd.exe

      Filesize

      512KB

      MD5

      f29a0a74948786c19c9686d6547593de

      SHA1

      f81ca33b7fb04eccf8fc28dd072212a1db342469

      SHA256

      7f1cd46489d9450065768b6fba1fcb34286f6fc6ebad3c9e54d111e70f6f7ab0

      SHA512

      340e8c83e99a4146cf947b1e375a3b8c5bd5862c1b79da83a129d763bc3a3a1cafe15ae813e1c90a094ce9dd74bc84a7e9ef7265805e6597cc3a3a9088fc9c0b

    • memory/2092-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2468-80-0x0000000002B90000-0x0000000002BA0000-memory.dmp

      Filesize

      64KB

    • memory/2764-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB