Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2024 06:28

General

  • Target

    eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe

  • Size

    512KB

  • MD5

    eac2712819daf5338c34a426fbfd5e44

  • SHA1

    0bff35d5cb2441a0a8eb3203e46a5804a187781c

  • SHA256

    46a1fa80fa54b56180d9dc8f4dfc144a0510089fec0d500d609ff1798cbd3287

  • SHA512

    43773a04ad780d297442fe81b3d154baa9aa86c0d06a42e5aea08cd02717b03e59bbe96cc16128b83d00065d96122287f20c9d8c0208b0e8c4cd113f87b03d33

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
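The registry-based signatures above (the Explorer view flags, DisableRegistryTools, the Run key and the Winlogon values) can be re-derived from endpoint telemetry. The following is an added example, not part of this sandbox report: it matches Sysmon Event ID 13 (registry value set) records against those signature categories. The records are constructed to mirror the behaviour the report attributes to evptmmyhow.exe and oxnkhkjvkfvcfez.exe; the report only records that the keys were modified, so the values written are assumed. The registry paths are the standard Windows locations for each setting; the sandbox's own rule definitions are not on the page.

```python
"""Match Sysmon registry-set events (Event ID 13) against the registry-based
behaviour signatures listed in this report.

Added example, not part of the sandbox report.  The sample events are
constructed; the values written are assumed, the key paths are the standard
Windows locations for each setting.
"""
import re
from collections import defaultdict

# Sysmon renders DWORD writes in the Details field as "DWORD (0x00000001)".
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def dword_value(details):
    """Return the integer behind a Sysmon DWORD 'Details' string, else None."""
    m = _DWORD.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


# (signature name, regex over TargetObject, predicate on the written value).
# A predicate of None reports any write to the key, which is what the
# sandbox does for the Explorer view flags; DisableRegistryTools only
# counts when it is set to a non-zero value.
RULES = [
    ("Modifies visibility of file extensions in Explorer",
     re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I), None),
    ("Modifies visibility of hidden/system files in Explorer",
     re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.I), None),
    ("Disables RegEdit via registry modification",
     re.compile(r"\\Policies\\System\\DisableRegistryTools$", re.I),
     lambda d: (dword_value(d) or 0) != 0),
    ("Adds Run key to start application",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I), None),
    ("Modifies WinLogon",
     re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I), None),
]


def match_events(events):
    """Map each writing process image to the set of signature names it triggers."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 13:      # only registry value writes
            continue
        for name, pattern, pred in RULES:
            if pattern.search(ev["TargetObject"]) and (pred is None or pred(ev.get("Details"))):
                hits[ev["Image"]].add(name)
    return dict(hits)


# Constructed records.  Sysmon logs HKCU keys under the user's SID in HKU;
# the SID here is made up.
HKCU = r"HKU\S-1-5-21-1111-2222-3333-1001"
ADV = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL = HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\evptmmyhow.exe",
     "TargetObject": ADV + r"\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\evptmmyhow.exe",
     "TargetObject": ADV + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\evptmmyhow.exe",
     "TargetObject": POL + r"\DisableRegistryTools", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\evptmmyhow.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},   # assumed value
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe",
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\trponssq",
     "Details": r"C:\Windows\SysWOW64\trponssq.exe"},   # assumed value
    # An administrator re-enabling regedit: same key, value 0, must not fire.
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": POL + r"\DisableRegistryTools", "Details": "DWORD (0x00000000)"},
    # Unrelated Explorer housekeeping write: ignored.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx",
     "Details": "Binary Data"},
]

if __name__ == "__main__":
    for image, names in sorted(match_events(SAMPLE_EVENTS).items()):
        print(image)
        for n in sorted(names):
            print("   ", n)
```

Two of the listed signatures, "Checks computer location settings" and "Checks processor information in registry", are registry reads (the Geo\Nation and CentralProcessor keys), which Event ID 13 does not capture; they need a read-auditing source such as a SACL on those keys or an EDR that logs RegQueryValue, not the write telemetry matched here.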

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\evptmmyhow.exe
      evptmmyhow.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\trponssq.exe
        C:\Windows\system32\trponssq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2392
    • C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe
      oxnkhkjvkfvcfez.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3052
    • C:\Windows\SysWOW64\trponssq.exe
      trponssq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5096
    • C:\Windows\SysWOW64\gtdeheizsyxlo.exe
      gtdeheizsyxlo.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2288
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:956
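The process tree above shows the dropper pattern end to end: a Temp-resident executable launches four copies from C:\Windows\SysWOW64, one of those launches a fifth, and WINWORD.EXE is opened on a decoy C:\Windows\mydoc.rtf. The following is an added example, not part of this sandbox report: two lineage checks over Sysmon Event ID 1 (process creation) records that catch exactly this shape. The records are constructed from the tree above (same PIDs, images and command lines) plus a few benign launches; the parent PID of the initial process and the Sysmon field names are assumed.

```python
"""Lineage checks over process-creation records for the dropper pattern in
this report: a user-writable-location executable spawns binaries out of
SysWOW64/System32, and an Office application opens a document from C:\Windows.

Added example, not part of the sandbox report.  Records are constructed from
the report's process tree; the initial parent PID (4320) and the benign
launches are made up.
"""
import re
from ntpath import basename   # Windows path semantics regardless of host OS

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\downloads\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOC_EXT = (".rtf", ".doc", ".docx", ".docm")
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def argv(cmdline):
    """Split a Windows command line on spaces, honouring double quotes."""
    return [a or b for a, b in _ARG.findall(cmdline)]


def ancestors(pid, by_pid):
    """Yield parent, grandparent, ... records until the chain leaves the data."""
    seen = set()
    rec = by_pid.get(pid)
    while rec is not None and rec["ProcessId"] not in seen:
        seen.add(rec["ProcessId"])
        rec = by_pid.get(rec["ParentProcessId"])
        if rec is not None:
            yield rec


def flag(events):
    """Return (pid, image name, reason) for every record that trips a check."""
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for e in by_pid.values():
        image = e["Image"].lower()
        # R1: binary under System32/SysWOW64 whose lineage passes through a
        # user-writable directory (here the Temp-resident dropper).
        if image.startswith(SYSTEM_DIRS):
            for anc in ancestors(e["ProcessId"], by_pid):
                if any(p in anc["Image"].lower() for p in USER_WRITABLE):
                    findings.append((e["ProcessId"], basename(e["Image"]),
                                     "system-dir binary under user-writable parent " + basename(anc["Image"])))
                    break
        # R2: an Office application opening a document stored under C:\Windows
        # (the decoy mydoc.rtf), which no ordinary user workflow does.
        if basename(image) in OFFICE_APPS:
            for arg in argv(e["CommandLine"])[1:]:
                low = arg.lower()
                if low.startswith("c:\\windows\\") and low.endswith(DOC_EXT):
                    findings.append((e["ProcessId"], basename(e["Image"]),
                                     "office app opened document from Windows directory: " + arg))
    return findings


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\eac2712819daf5338c34a426fbfd5e44_JaffaCakes118.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1912, "ParentProcessId": 4320, "Image": TEMP_EXE, "CommandLine": '"%s"' % TEMP_EXE},
    {"EventID": 1, "ProcessId": 3520, "ParentProcessId": 1912, "Image": r"C:\Windows\SysWOW64\evptmmyhow.exe", "CommandLine": "evptmmyhow.exe"},
    {"EventID": 1, "ProcessId": 2392, "ParentProcessId": 3520, "Image": r"C:\Windows\SysWOW64\trponssq.exe", "CommandLine": r"C:\Windows\system32\trponssq.exe"},
    {"EventID": 1, "ProcessId": 3052, "ParentProcessId": 1912, "Image": r"C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe", "CommandLine": "oxnkhkjvkfvcfez.exe"},
    {"EventID": 1, "ProcessId": 5096, "ParentProcessId": 1912, "Image": r"C:\Windows\SysWOW64\trponssq.exe", "CommandLine": "trponssq.exe"},
    {"EventID": 1, "ProcessId": 2288, "ParentProcessId": 1912, "Image": r"C:\Windows\SysWOW64\gtdeheizsyxlo.exe", "CommandLine": "gtdeheizsyxlo.exe"},
    {"EventID": 1, "ProcessId": 956, "ParentProcessId": 1912, "Image": WINWORD,
     "CommandLine": '"%s" /n "C:\\Windows\\mydoc.rtf" /o ""' % WINWORD},
    # Benign launches (constructed): must not be flagged.
    {"EventID": 1, "ProcessId": 700, "ParentProcessId": 600, "Image": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
    {"EventID": 1, "ProcessId": 1234, "ParentProcessId": 700, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4320, "Image": WINWORD,
     "CommandLine": '"%s" /n "C:\\Users\\Admin\\Documents\\report.docx"' % WINWORD},
]

if __name__ == "__main__":
    for pid, name, reason in flag(SAMPLE_EVENTS):
        print(pid, name, "-", reason)
```

R1 walks the whole ancestor chain rather than only the direct parent, so trponssq.exe (PID 2392), launched by evptmmyhow.exe rather than by the dropper itself, is still attributed to the Temp-resident origin. Both checks key on location, not on the randomised file names, which vary per run and are not a stable indicator.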

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    e3bda25d32bf676c04e0bdd5a5567a2d

    SHA1

    d9f81b43bad3016f96125d7006a0bb4e7c8f0535

    SHA256

    fec41eb74c1ec9c0ff461ed2ef46729c47268861944d9517cd90b93937c4f7c7

    SHA512

    850b63b8e4fbf2b926965fb42d4b096c89593f7b472b7920586eae09223201eb719b17cdc98477948d636fe2d4100d83f697eed8db80ab4732edae3b867473b8

  • C:\Users\Admin\AppData\Local\Temp\TCDE773.tmp\sist02.xsl

    Filesize

    245KB

    MD5

    f883b260a8d67082ea895c14bf56dd56

    SHA1

    7954565c1f243d46ad3b1e2f1baf3281451fc14b

    SHA256

    ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

    SHA512

    d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    396B

    MD5

    c0580e90d3facd63a6c005aa72977300

    SHA1

    42f0161fc2e9b1a089be4369f1537bb67f0466aa

    SHA256

    7b41783d5cdb79d089ab4bdea71f186d10ac2f948f68b450dfbaf0c084950e17

    SHA512

    3c6ffa6204f8cc27e9c69030cc9bffb337ef025bd6db569a99432ef6d0f9906598a27d88045ae1e0aa9beaae67ff67f3ff90e6e28f986a3944b4c71c352b3593

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    acc3a002796f28f0822d8742fb50c606

    SHA1

    c0a2656191a6befa2f27cf19a6e1ec769d706989

    SHA256

    de71c2e1a45c5e50c71dc66bedbbbfb6463fec3eafa1072db95024d508817360

    SHA512

    110142165206b60ec43e4b5ae70432b5477e20a7c444d6920b66cfb01cdc209211871666e37ac5ae65b7690c534574ffe01e794100142ecac292a90210407e3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    1KB

    MD5

    dab2fb9330fa0c186bfd0104b3bd7877

    SHA1

    17e8ea88151ac2461a0c39c118df0945d462f7d0

    SHA256

    55e92ff2d3e0a1e9fe57b244c1db4b3a204b5796eec7c3a4db4dcc6e452a977a

    SHA512

    c8f7aa044b61b02a35817b3e1c1829468c3df0d28dc97cd3205af557407ae974003b96aceb7fe8b9c46c0dd1c1bffde2c3d49b3fc9cf2f8c087d295fd7f89f1a

  • C:\Windows\SysWOW64\evptmmyhow.exe

    Filesize

    512KB

    MD5

    e52f90b88c7fc0568c5b266342da4763

    SHA1

    114b95a8cae6ed8db9410d19f703c568f43824c3

    SHA256

    b9593f180ebd67001e66e14e6f8531bdf2ebeb234e8424e9f77d035cd46f7014

    SHA512

    bb04d5365f7f3c19189b367a7447a46d9df4a0794521496cb0e8903c5685b3a2ab92a77a2d748c5e69242cae9653a0d8213fce572e9e295fd08bb1c21294e41b

  • C:\Windows\SysWOW64\gtdeheizsyxlo.exe

    Filesize

    512KB

    MD5

    a8e227fd4e70d3632a2ebc62b55915e1

    SHA1

    eee65b46c251675eab0fa1a4231e5b58c6c6907f

    SHA256

    84e6e20abf6536b34c0755a4af27c897973b1dcd79ecdcdf029ec293114e91e7

    SHA512

    0ed4d4d29de4c4819bf61c2c9a1e2864caeb82f4c90a8d63e3abca72fe4b98b6d0f6e8fc57973839c2502111cc1c3e36592614b66a3f18117d0bdf62a556074d

  • C:\Windows\SysWOW64\oxnkhkjvkfvcfez.exe

    Filesize

    512KB

    MD5

    e5d7a8ead29ef0164ace64342fe2e196

    SHA1

    c1603b21afc85e231b261ecfffd76b1297d8b54d

    SHA256

    20d2be81a1565661a07a60e712a75a77593f451e2f2388a8b698b2c7dd4a422b

    SHA512

    4348927fedd4576e206dc8ab535d62b772525630d7a34583b8281335626a0979275d25bbe67e57cac5264d4292cd1b6415cc1d97b649b3ab5aae0319ecc78f62

  • C:\Windows\SysWOW64\trponssq.exe

    Filesize

    512KB

    MD5

    d5825343799309f1a48e0308a4c5ec3a

    SHA1

    b37c7f379e5a442cb416f3ac709ce71b37e82519

    SHA256

    b5172fc883db7644dceb7bdcc9eaed4b1bb19a49d422f8a29e8ded4e1c84d1ac

    SHA512

    b23103e6e40270b1d2faaba65816cc11346f4f00747daacee6eb6b68e6625d7a3b742688b334171197debf48c739df73defd54e5f9a1efb7063c28acf3ae8a4d

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    b08fce76346ac94b60edb1f5f6c5a02e

    SHA1

    42f1f1e67b04d37cfed4b81434dc37b2178f82e3

    SHA256

    1658008b98edef6dd5b9c066c231b1b9af838fb8ca361a2c478f690b3b98fb82

    SHA512

    f2b130ddf7c052b31ca32a7fef4323e78212c2d25220e37e472a1759d3f2453c79cc1f501e21a5c13bea9aecb4f654bc62baef29296630c4c3702596b797e67b

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    ce4044cf6d97723977b986a8bcd253ca

    SHA1

    c911dd4a6d12349e602c5329bf12784594e7f50a

    SHA256

    e762a5db48e383f8abd14d757122ef93fbf13f35afc7fba1c4adee1a216ebcbb

    SHA512

    10ccb7f6a28b0ad25f4b389cc3a8e8eef1286de1302185910ca88a0ace2643f239da84ebe47824fe634ec0eecd9fbcebc8b56492e5ddd5678f39ff2e4481f203

  • memory/956-43-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

    Filesize

    64KB

  • memory/956-42-0x00007FFF10E50000-0x00007FFF10E60000-memory.dmp

    Filesize

    64KB

  • memory/956-40-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-39-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-37-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-36-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-35-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-377-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-380-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-378-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/956-379-0x00007FFF13010000-0x00007FFF13020000-memory.dmp

    Filesize

    64KB

  • memory/1912-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB