Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2024, 06:26

General

  • Target

    e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    e1e2a51f4bed9b584bccb521b199bac8

  • SHA1

    6e78985940248bf47418ea617a406502b7d58be1

  • SHA256

    82a9956c3cdc8007b2d8c4b3ce009501df7f6089b8d8efe7df19bca4d176bfa9

  • SHA512

    decac079fc0743936c244d91126fde8eeed721ef394253e928285274e8b8b03e04df35f1e0669f2e34b86696d87d6afe4eccba662f4a14dde579ebdaa57a8c09

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e1e2a51f4bed9b584bccb521b199bac8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Windows\SysWOW64\qwjhzkqyzg.exe
      qwjhzkqyzg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\tbgkhqzx.exe
        C:\Windows\system32\tbgkhqzx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2148
    • C:\Windows\SysWOW64\nlvrbdhjuqrjzhv.exe
      nlvrbdhjuqrjzhv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3432
    • C:\Windows\SysWOW64\tbgkhqzx.exe
      tbgkhqzx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4692
    • C:\Windows\SysWOW64\mlljmzrddqcrb.exe
      mlljmzrddqcrb.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1648
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5040

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          512KB

          MD5

          d04501e189da768a78efc56139a365fb

          SHA1

          b706471b893f7838d01369d69dfe0438833309a9

          SHA256

          99b5276c1fbb3bba4fd143497b1ff7d254354fa83e30e8e6f49b00d7296acbe1

          SHA512

          469159154fec4e657ea244f770eaa6e493b8a9d8dde90ee2f3efc91c51b286851ec129fe5da9884d5232b2a37744f8fc572075964521ce8b25d1332a7c6bf016

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          512KB

          MD5

          d337e6850ad370df06c547f7739b461b

          SHA1

          ad777c21b68362fe91465904d96f750abc50c3f6

          SHA256

          c1c57bddf00d4c6109d234016aef357153f46d86558eb162557c9fa622b87ebd

          SHA512

          1ae959d1c584b20568a0fa0eaf933e0cec69ee016f1e5b7b2fde192547afc74bf62cd190e8300d675999f3f5259bce703d8c052f9810b626d6921309db37762a

        • C:\Users\Admin\AppData\Local\Temp\TCDAB02.tmp\sist02.xsl

          Filesize

          245KB

          MD5

          f883b260a8d67082ea895c14bf56dd56

          SHA1

          7954565c1f243d46ad3b1e2f1baf3281451fc14b

          SHA256

          ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

          SHA512

          d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          237B

          MD5

          98f405bdd83704bea522267650c8baca

          SHA1

          35457a08ed810fbd2ee4b7b57cb06e4e2983c6ff

          SHA256

          3e2ec4bd749637305f314f6614ceb4875d36dd088ad2563749e80e5b85eebe9b

          SHA512

          f89a4aa23d959bc7203c0ad51a7b12435d0989c5d0d6e50fa614a72e8ccacfd46d9acc78aa892fff3ec3c207c9ac8b7a6a0e364e6b2ad7bae0ccec7cb893cb9f

        • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

          Filesize

          16B

          MD5

          d29962abc88624befc0135579ae485ec

          SHA1

          e40a6458296ec6a2427bcb280572d023a9862b31

          SHA256

          a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

          SHA512

          4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          674B

          MD5

          07d17060b3ae173acc7723025a2b4c20

          SHA1

          f9f6adbf4a2c4e3dd7fff645f855349688f4af62

          SHA256

          5afd33a5655308233bfe55803584448ba8ae854800a1e9eff3d9ab037b4f7e34

          SHA512

          170d56823d3fd121a024ac9e7ba3e647ad192def9faedfaf8619bf6c0ecff26e6024a5f89a23f69d3acab13305dac6603b940b744559b9f484115e14ed75a153

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          1KB

          MD5

          a74d8896925c6c7a432424ff3b0f99fa

          SHA1

          4d21b44ccb7e37a11a98e85295fd6422bacd5a01

          SHA256

          55f059787d93a5e9eeb2fb80dcf81967e420afdbf86248e51b11c3959d6bc38d

          SHA512

          d7a73aaf252bba819de3ad885266dccc652f1f1cfc701ac082940983eba65a2ac852168bd5161a85997b58730b7c7d23d2cd38a1f5bfaa5214f72ecc01fc3c4e

        • C:\Users\Admin\Desktop\CheckpointPublish.doc.exe

          Filesize

          512KB

          MD5

          a9a2f0199009ba3943d4bbba537e574c

          SHA1

          17870bea50a4cae7aad3e142ab3c259458fa2f14

          SHA256

          f792753c1f0722523fbeb711d0254ca411d1a5a80818508460f8d486f3d15ca7

          SHA512

          b952cae321341a61a89126113cbf67b6ef5c89e9b2f2a22371a77637dd9444c1838b4d5f581c938652e8e26788de9cf2af24df219e26b6edecea7ff8c51d0e17

        • C:\Windows\SysWOW64\mlljmzrddqcrb.exe

          Filesize

          512KB

          MD5

          ef6cfe3bf3b79667215fd25a2520e5f7

          SHA1

          ebf8ce3720ce80730940414d9afd6d3726f48819

          SHA256

          e4ac2c75131de4d47b12f60c6807d580ca565354ea410128940234fb6b4b2c67

          SHA512

          7cbe083b4654f3df1a421b897bbc2fff718e98ae64c2978df797bdeda1c1ad6e4ed23d56313b5b479ef22cd523676b4f74f4ccc27437a40ef39a938db2df7e13

        • C:\Windows\SysWOW64\nlvrbdhjuqrjzhv.exe

          Filesize

          512KB

          MD5

          892b18cbcdc009986f531fce849e15ad

          SHA1

          ff8e453802dea129c71fff04acc1ea5140ea64a5

          SHA256

          ab12306ead29893aa5de3fcce8f6ada2aa8490d28963a867db2f2bec5bdcae5e

          SHA512

          c0e497e97e83c5841265da5d8c778d65e663fdc6af63fafeca3680e7bf5d1c184610a2317a6f2511b116104e01b5abb04da8197637ae0f0bc5934a84d2abe73e

        • C:\Windows\SysWOW64\qwjhzkqyzg.exe

          Filesize

          512KB

          MD5

          42a8f1b3325524b20b5442be02a06df0

          SHA1

          9eed8c6b62e701745d689578a2d9dbf2aafd47c3

          SHA256

          04c4615e98a048051940762281d9c4d2c1a5fe0033bb1c5e4e67623f540b63cc

          SHA512

          ea18282617d09bdf92cb6d54469c4b8d690d521eb6951acaa967151a406d39a87629e61cc6a1ee37c795be7595ff7402b605225567c1b53961e6b40e4868641c

        • C:\Windows\SysWOW64\tbgkhqzx.exe

          Filesize

          512KB

          MD5

          e51baaa7cd035172f1ae4e3e328212a1

          SHA1

          c92ce75ed89013199b325b270d894149dfad07c8

          SHA256

          e66d12b69c2a304cae79b7aa07e2d4c82c350b7c3fe5ba7f5e8edf2f848ee49e

          SHA512

          0d1591eb6abd8ffe63a7c5aabbd49dd8875fe52b65d8e37c1c330fae7b2887563dc475428c56a594c7bee1deea7059f687a060001aeecab9da0aa6de117a2876

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          ea7957ad34afdcb8804f7068b132783e

          SHA1

          3c723bb02b2bee0488e54688957d25a8632c7156

          SHA256

          996bb53b91a0a874f4f8afe07c6b39176c33072da0c4d1b8268cf630b51e3324

          SHA512

          28b1deb325246c5cb24e9d31dec2697e817aeb6c1ba1fab55c8c5b2b83a962dbfa30b3a74951a93a64e50b660812bd7bb2569198fcd42e15e5990a4db0d72368

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          512KB

          MD5

          c58acfd12386943f5e5a48cc47fa5f2e

          SHA1

          68e02a5034e94c6835ce571b02c4993555bd370f

          SHA256

          eb76a7cd5d48d2179ed229453c09ff45ebee6db711a8872380364dc1d931f610

          SHA512

          1421432f7890340bb5de085ebb5a6936335a74e5fffbcaf629a9c5c254d72f58b253df34d7d57e4dc03cc4ab996e5bbf353a2d445466cdc9ca1fb37d082ba199

        • memory/3892-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

        • memory/5040-37-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-38-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-36-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-39-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-42-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

          Filesize

          64KB

        • memory/5040-43-0x00007FFD59E10000-0x00007FFD59E20000-memory.dmp

          Filesize

          64KB

        • memory/5040-35-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-609-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-612-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-610-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB

        • memory/5040-611-0x00007FFD5C430000-0x00007FFD5C440000-memory.dmp

          Filesize

          64KB